
I am trying to configure a firewall for a server that hosts http, smtp and ssh on a custom port.

When I initialize pf, I get an error at the command line:

No ALTQ support in kernel

and my ssh connection freezes.

config:

[\u@vader:/root] # cat /home/pf.conf
local_host="108.61.175.20"
table <blockedips> persist file "/etc/blocked_ips.conf"
#interface="vtnet0"
icmp_types="echoreq"
ext_if="vtnet0"
# Custom port for ssh
SSH_CUSTOM = 22222

scrub in on $ext_if all fragment reassemble

set skip on lo0
#set skip on lo1

antispoof for $ext_if

# --- EXTERNAL INTERFACE
# --- INCOMING -------------------------------------------------------------------

# --- TCP
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port http
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port https
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port $SSH_CUSTOM

# --- for authoritative DNS server
#pass in  quick on $ext_if inet proto udp from any to $ext_if  port domain

# --- UDP
# --- for authoritative DNS server
#pass in  quick on $ext_if inet proto udp from any to $ext_if  port domain

# --- ICMP
pass in  quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

# --- EXTERNAL INTERFACE
# --- OUTGOING --------------------------------------------------------------------

anchor TMP

# --- TCP
pass  out quick log on $ext_if inet proto tcp from $ext_if to any port smtp
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port domain
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port http
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port https
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port whois
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port $SSH_CUSTOM

# --- UDP
pass  out quick on $ext_if inet proto udp from $ext_if to any port domain
pass  out quick on $ext_if inet proto udp from $ext_if to any port ntp

# --- ICMP
pass  out quick on $ext_if inet proto icmp  from $ext_if to any

# ------------------------------------------------------
# --- DEFAULT POLICY
# ------------------------------------------------------
block log all

# ----- end of pf.conf

How do I configure a basic server pf firewall to allow inbound www, smtp and traffic on a custom ssh port? I need a block table, similar to the one in the config.

NIX

1 Answer


The message is normal because ALTQ is not compiled into the stock FreeBSD kernel. Unless you need to use ALTQ it doesn't matter.

The start-up of the firewall interrupts all current connections, including your ssh session, which stops responding. Just open another terminal and log in again. The original session will eventually time out.

It's a good idea to set a cron job to turn off PF after about ten minutes so you can log back in if you get it wrong, until you're sure the settings are correct.

kjpetrie
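A ruleset that does what the question asks, added here as an illustration and not the asker's or the answerer's own config: it adds the inbound smtp rule the posted config lacks and actually references the <blockedips> table, which the posted config defines but never uses. The interface name, the custom port and the table file path are taken from the question; the address in the comment is a constructed example.

```conf
# Macros (vtnet0, 22222 and the table file come from the question)
ext_if     = "vtnet0"
ssh_custom = "22222"
icmp_types = "echoreq"

# One address or network per line in the file; "persist" keeps the table
# even when no rule currently references it. Add entries at runtime with
#   pfctl -t blockedips -T add 203.0.113.5   (constructed example address)
table <blockedips> persist file "/etc/blocked_ips.conf"

set skip on lo0
scrub in on $ext_if all fragment reassemble
antispoof quick for $ext_if

# Blocked hosts first: "quick" means no later pass rule can override this.
block in quick log on $ext_if from <blockedips> to any

# --- INCOMING: only the services this box offers
pass in quick on $ext_if inet proto tcp  from any to $ext_if port { http, https }
pass in quick on $ext_if inet proto tcp  from any to $ext_if port smtp
pass in quick on $ext_if inet proto tcp  from any to $ext_if port $ssh_custom
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

# --- OUTGOING: what the server itself needs to reach
pass out quick log on $ext_if inet proto tcp  from $ext_if to any port smtp
pass out quick     on $ext_if inet proto tcp  from $ext_if to any port { domain, http, https, whois }
pass out quick     on $ext_if inet proto udp  from $ext_if to any port { domain, ntp }
pass out quick     on $ext_if inet proto icmp from $ext_if to any

# --- DEFAULT POLICY: anything not matched above is dropped and logged.
# pass rules keep state by default, so replies to the connections above
# need no extra rules; an ssh session opened before the load has no state
# and is cut off, which is what the answer describes.
block log all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and, as the answer suggests, arrange a fallback such as `echo 'pfctl -d' | at now + 10 minutes` so a mistake does not lock you out.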