Tuesday, March 18, 2008

pf firewall for a workstation

That is, for a box with only one NIC and no NATing involved.
I had already set up (on the previous Judith incarnation) a pf firewall, but that was a 'regular' one, with two NICs, NATing addresses and working as the gateway for my home LAN (link 1, link 2).

But for the moment I'm not using judith as the gateway/firewall, so I wanted a plain vanilla firewall that allows access only to a limited set of services, and that distinguishes services open to any internet host (public HTTP, for instance) from those limited to the networks I control.

This site, A Beginner's Guide To Firewalling with pf, has some very good tips, especially the one about setting up a cron job that works as fail-safe access: if the worst happens and the new rules lock you out, it eventually gets you back in.
One thing, though: you load the rules with:

sudo /sbin/pfctl -f /etc/pf.conf

Or whatever the path to the config file is. But, at least on OpenBSD 4.2, that does not enable pf, so on top of loading the rules you have to enable the firewall, like this:

sudo /sbin/pfctl -e
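A load procedure with the fail-safe built in, as an added example that is not part of the original post. It uses OpenBSD's pfctl(8) and at(1) (the at(1) form of the cron trick the guide describes; a crontab line that runs pfctl -d every few minutes does the same job). The script name pfload.sh, the /etc/pf.conf path, port 22 as the admin port and the five-minute grace period are assumptions. The preflight step is extra: it expands the pf.conf macros itself and refuses to load a ruleset that has no inbound default-deny or no pass-in rule for the admin port, two rulesets that pfctl -nf will happily accept.

```shell
#!/bin/sh
# pfload.sh: added example, not code from the original post.  Assumes OpenBSD's
# pfctl(8) and at(1); PFCONF, ADMIN_PORT and GRACE are assumed defaults.
#
# "pfctl -f" replaces the running rules at once, so on a box you reach over
# ssh a slip in the "pass in ... port 22" rule locks you out.  Safer order:
#   1. preflight: expand the macros, check a pass-in rule still admits ssh
#   2. pfctl -nf: parse the file, load nothing
#   3. arm a one-shot fail-safe that runs "pfctl -d" after GRACE minutes
#      (the at(1) form of the cron fail-safe; a crontab entry works the same)
#   4. pfctl -f to load, then pfctl -e if pf is not enabled yet
#   5. open a fresh ssh session; if it works, disarm the fail-safe

PFCTL=${PFCTL:-/sbin/pfctl}
PFCONF=${PFCONF:-/etc/pf.conf}
ADMIN_PORT=${ADMIN_PORT:-22}
GRACE=${GRACE:-5}                 # minutes until pf disables itself

# expand_macros FILE: print the rules with comments stripped and every
# name="value" macro substituted, so plain text tools can inspect them.
expand_macros() {
    awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", name)
            val = substr($0, eq + 1);     q = "\""
            gsub("^[[:space:]]*" q, "", val); gsub(q "[[:space:]]*$", "", val)
            macro[name] = val
            next
        }
        NF > 0 {
            for (i = 1; i <= NF; i++) {
                while (match($i, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                    name = substr($i, RSTART + 1, RLENGTH - 1)
                    if (!(name in macro)) break        # undefined: leave as is
                    $i = substr($i, 1, RSTART - 1) macro[name] substr($i, RSTART + RLENGTH)
                }
            }
            print
        }' "$1"
}

# preflight FILE: the two lockout checks the parser does not do for you.
# Returns 0 when the ruleset has an inbound default-deny rule AND a
# "pass in ... proto tcp ... port <list containing ADMIN_PORT>" rule.
# Only literal port numbers are understood, not ranges or service names.
preflight() {
    rules=$(expand_macros "$1") || return 1
    if ! printf '%s\n' "$rules" |
        grep -Eq '^[[:space:]]*block([[:space:]]+(in|all|log|quick|drop)([[:space:]]|$)|[[:space:]]*$)'; then
        echo "preflight: $1 has no inbound default-deny rule" >&2
        return 1
    fi
    if ! printf '%s\n' "$rules" | awk -v p="$ADMIN_PORT" '
        $1 == "pass" && $2 == "in" && /proto[[:space:]]+tcp/ {
            s = $0; sub(/.*port[[:space:]]*/, "", s)    # destination port list
            gsub(/[{},]/, " ", s)
            n = split(s, t, " ")
            for (i = 1; i <= n; i++) if (t[i] == p) { found = 1; exit }
        }
        END { exit !found }'; then
        echo "preflight: $1 has no 'pass in ... proto tcp ... port $ADMIN_PORT' rule," \
             "loading it over ssh would lock you out" >&2
        return 1
    fi
}

# arm_failsafe: queue "pfctl -d" for GRACE minutes from now and print the
# at(1) job id, so the job can be removed once access is confirmed.
arm_failsafe() {
    echo "$PFCTL -d" | at "now + $GRACE minutes" 2>&1 | awk '/^job/ { print $2 }'
}

disarm() { at -r "$1" && echo "fail-safe disarmed, pf stays enabled"; }

deploy() {
    preflight "$PFCONF"      || return 1
    "$PFCTL" -nf "$PFCONF"   || return 1       # syntax only, nothing loaded
    job=$(arm_failsafe)
    [ -n "$job" ] || { echo "could not arm the fail-safe, not loading" >&2; return 1; }
    echo "fail-safe armed: pfctl -d runs in $GRACE min unless you run '$0 disarm $job'"
    "$PFCTL" -f "$PFCONF"    || return 1       # load the rules
    if "$PFCTL" -si | grep -q '^Status: Enabled'; then
        echo "pf already enabled, the new rules are live"
    else
        "$PFCTL" -e                            # -f alone leaves pf disabled
    fi
}

case "${1:-}" in
    apply)  deploy ;;
    disarm) disarm "$2" ;;
    check)  f=${2:-$PFCONF}; preflight "$f" && echo "$f: preflight ok" ;;
esac
```

Run it as pfload.sh check to get the preflight verdict on a ruleset, pfload.sh apply to load it with the fail-safe armed, and pfload.sh disarm JOB once a fresh ssh login has worked. If you forget the last step, pf simply switches itself off after the grace period and you start over, which is the whole point.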


Here is the ruleset; it is still a work in progress:



## /etc/pf.conf
## Still a work in progress. Without "quick", pf evaluates every rule and the
## LAST matching one wins, so the "block in" default goes first and the more
## specific "pass in" rules below it punch the holes.

if="dc0"                                  # the only NIC
universe="{ 0/0 }"                        # everyone (0/0 is any IPv4 address)
my_nets="{ 1.2.3.4, 4.3.2.1, 4.3.2.1/27, 5.6.7.8/28 }"   # networks I control (placeholder addresses)
my_lan="{ 10.120.10.0/29 }"

# what each source is allowed to reach, by protocol
tcp_pass_universe= "{ 80 }"               # public HTTP
tcp_pass_nets= "{ 22 }"                   # ssh, only from my networks
tcp_pass_lan= "{ 22 53 113 123 }"         # LAN: ssh, dns, ident, ntp
udp_pass_lan="{ 53 123 }"                 # LAN: dns, ntp
udp_pass_lo="{ 161 }"                     # snmp, loopback only
icmp_types="echoreq"                      # answer ping

# default policy: drop everything inbound, allow everything outbound.
# Since OpenBSD 4.1 "pass" keeps state by default, so replies to outbound
# connections are let back in without a rule of their own.
block in
pass out

# "block in" applies to lo0 too: only SNMP is allowed over loopback here, so
# any other local-only service (a resolver on 127.0.0.1, say) needs its own
# rule, or "set skip on lo" near the top to exempt loopback from filtering.
pass in on lo inet proto udp from lo to lo port $udp_pass_lo

# ($if) in parentheses means "the address(es) of $if, looked up when the rule
# is evaluated", so an IP change does not require a reload.
pass in on $if inet proto tcp from $my_lan to ($if) port $tcp_pass_lan
pass in on $if inet proto udp from $my_lan to ($if) port $udp_pass_lan

pass in on $if inet proto tcp from $my_nets to ($if) port $tcp_pass_nets
pass in on $if inet proto tcp from $universe to ($if) port $tcp_pass_universe

# let the box be pinged from anywhere
pass in on $if inet proto icmp all icmp-type $icmp_types

# EoF #
