commit b6bf8cc3563a7c2517648494ba793357e420993f
parent 79c3f644063bd592906157e58a572d3f6b393c05
Author: pyratebeard <root@pyratebeard.net>
Date: Wed, 24 May 2023 11:01:26 +0100
updates
Diffstat:
5 files changed, 44 insertions(+), 0 deletions(-)
diff --git a/networking/firewalls.md b/networking/firewalls.md
@@ -3,3 +3,4 @@
## linux
- [iptables](iptables)
- [firewall cmd](firewall-cmd)
+* [pf](pf)
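Review bot: the new entry uses a `*` bullet while the two existing entries in this list use `-`; mixed markers in one list render inconsistently in some markdown engines, so change it to `- [pf](pf)` to match the lines above it.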
diff --git a/networking/pf.md b/networking/pf.md
@@ -0,0 +1,36 @@
+# pf
+
+* default _pf.conf_ (from openbsd 7.3)
+```
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+table <sshbastion> { 46.23.90.11 }
+
+set skip on lo
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+block return in proto tcp to port 22
+pass in quick proto tcp from <sshbastion> to port 22
+```
+
+* block ssh except for bastion
+```
+...[output omitted]...
+
+table <sshbastion> { <ip_address> }
+
+...[output omitted]...
+
+block return in proto tcp to port 22
+pass in quick proto tcp from <sshbastion> to port 22
+```
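Review bot: the block labelled "default _pf.conf_ (from openbsd 7.3)" is not the stock file: the `table <sshbastion>` line and the two port-22 rules at the end are the author's additions (the second block repeats them as "block ssh except for bastion"), and the `$OpenBSD:` header tag dates the file to 2017, not 7.3. Either trim the first block to the shipped contents or retitle it as a customised config. Separately, the first block hard-codes a real-looking bastion address (`46.23.90.11`) while the second already uses the `<ip_address>` placeholder; publishing the concrete address in a public notes repo is unnecessary exposure, so use the placeholder in both. Finally, the fences have no language tag; `pf` is not universally recognised, but something like ```` ```conf ```` gives readers syntax highlighting.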
diff --git a/tech-index.md b/tech-index.md
@@ -38,6 +38,9 @@
### infrastructure-as-code
* [ansible](iac/ansible)
+### firewalls
+* [pf firewall](/unix/pf)
+
* [durdraw](/software/durdraw)
* [gollum](/software/gollum)
* [pandoc](/software/pandoc)
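Review bot: the link target `/unix/pf` does not match the file this commit adds, `networking/pf.md`, and both `unix/freebsd.md` and `unix/openbsd.md` in this same commit link to `/networking/pf`; change it to `* [pf firewall](/networking/pf)`. Also, the new `### firewalls` heading is inserted directly above the unlabelled `durdraw`/`gollum`/`pandoc` list, so those software entries now fall under "firewalls" in the rendered index; either place the heading after that list or give the software list its own heading.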
diff --git a/unix/freebsd.md b/unix/freebsd.md
@@ -1,5 +1,7 @@
# freebsd
+* [pf firewall](/networking/pf)
+
## setting up new install
* update
```
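Review bot: the page being linked here describes itself as the default `pf.conf` "from openbsd 7.3", and the freebsd page gives no hint of that; since FreeBSD ships its own pf with a different default configuration, consider annotating the link (e.g. `* [pf firewall](/networking/pf) (openbsd notes; syntax largely shared)`) so a reader does not paste the OpenBSD file into `/etc/pf.conf` on FreeBSD expecting it to be the stock ruleset.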
diff --git a/unix/openbsd.md b/unix/openbsd.md
@@ -1,5 +1,7 @@
# openbsd
+* [pf firewall](/networking/pf)
+
## setting up new system
### pre install
* [softraid encryption][] with keydisk