I've been using OpenBSD and ipf for a few years now and this is my first setup using pf. I've put this together from a variety of resources and as the subject states I'm looking for feedback.

Here's my pf.conf.


################################
#
# macros and other options
# ################################

##############
# interfaces #
##############

ext_if="xl0"
int_if="fxp0"
loop="lo0"

###########
# subnets #
###########

royalst="192.xxx.xxx.0/24"
# private & reserved addressing taken from rfc1918, rfc3330, and arin.net whois searches
private="{ 0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8,
36.0.0.0/8, 37.0.0.0/8, 39.0.0.0/8, 41.0.0.0/8, 42.0.0.0/8, 58.0.0.0/8, 59.0.0.0/8, 60.0.0.0/8,
70.0.0.0/7, 72.0.0.0/5, 82.0.0.0/7, 84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6,
124.0.0.0/7, 126.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 128.66.0.0/16, 169.0.0.0/7, 169.254.0.0/16,
172.16.0.0/12, 191.255.0.0/16, 192.0.0.0/16, 192.88.99.0/24, 192.168.0.0/16, 197.0.0.0/8,
198.18.0.0/15, 201.0.0.0/8, 222.0.0.0/7, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }"

#########
# hosts #
#########

admin="68.xxx.xxx.xxx"
sentry="192.xxx.xxx.250"
websvr="192.xxx.xxx.2"
mailsvr="192.xxx.xxx.5"
extip_250="63.xxx.xxx.250"
extip_251="63.xxx.xxx.251"
extip_252="63.xxx.xxx.252"
extip_253="63.xxx.xxx.253"
extip_254="63.xxx.xxx.254"

##########
# groups #
##########
sql_users="{ 68.xxx.xxx.11, 63.xxx.xxx.0/24, 68.xxx.xxx.65, 208.xxx.xxx.65 }"

###########
# options #
###########

# set timeout tcp.established 3600
# set timeout { tcp.opening 30, tcp.closing 900 }
set logininterface xl0
set limit { states 20000, frags 20000 }

#############
# normalize #
#############

scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble

################################
#
# network address translation
# ################################

nat on $ext_if from $royalst to any -> $ext_if

#############
# ftp-proxy #
#############
rdr on $int_if proto tcp from any to any port 21 -> $loop port 8021

#########
# binat #
#########
# MS's fubar'd excuse for a VPN protocal requires this
binat on $ext_if proto gre from $mailsvr to any -> $extip_251

#############
# redirects #
#############

# extip_250
rdr on $ext_if proto tcp from any to $extip_250 port ssh -> $mailsvr port ssh
rdr on $ext_if proto udp from any to $extip_250 port domain -> $mailsvr port domain
rdr on $ext_if proto tcp from any to $extip_250 port http -> $websvr port http
rdr on $ext_if proto { tcp, udp } from any to $extip_250 port ms-sql-s -> $websvr port ms-sql-s
rdr on $ext_if proto { tcp, udp } from any to $extip_250 port ms-sql-m -> $websvr port ms-sql-m
rdr on $ext_if proto tcp from $admin to $extip_250 port pcanywheredata -> $websvr port pcanywheredata
rdr on $ext_if proto udp from $admin to $extip_250 port pcanywherestat -> $websvr port pcanywherestat

# extip_251
rdr on $ext_if proto tcp from any to $extip_251 port smtp -> $mailsvr port smtp
rdr on $ext_if proto tcp from any to $extip_251 port http -> $mailsvr port http
rdr on $ext_if proto tcp from any to $extip_251 port imap -> $mailsvr port imap
rdr on $ext_if proto tcp from any to $extip_251 port pptp -> $mailsvr port pptp
rdr on $ext_if proto tcp from $admin to $extip_251 port pcanywheredata -> $websvr port pcanywheredata
rdr on $ext_if proto udp from $admin to $extip_251 port pcanywherestat -> $websvr port pcanywherestat





################################
#
# packet filter
#
################################

# the implicit first two rules are
# pass in all
pass out all
block in all
# block out all

############
# loopback #
############

pass in quick on $loop all
pass out quick on $loop all

######################
# external interface #
######################

# block out on $ext_if
block in quick on $ext_if from $private to any
block out quick on $ext_if from any to $private
pass out on $ext_if inet proto tcp all modulate state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
pass in quick on $ext_if proto gre from $any to $mailsvr keep state
pass in quick on $ext_if proto tcp from $any to $mailsvr port 0 flags S/SA keep state
pass in quick on $ext_if proto tcp from $admin to $sentry port ssh flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $sentry port smtp flags S/SA keep state
pass in quick on $ext_if proto udp from any to $mailsvr port domain keep state
pass in quick on $ext_if proto tcp from any to $websvr port http flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $mailsvr port http flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $sentry port imap flags S/SA keep state
pass in quick on $ext_if proto tcp from $any to $mailsvr port pptp flags S/SA keep state
pass in log quick on $ext_if proto tcp from $sql_users to $websvr port ms-sql-s flags S/SA keep state
pass in log quick on $ext_if proto udp from $sql_users to $websvr port ms-sql-s keep state
pass in log quick on $ext_if proto tcp from $sql_users to $websvr port ms-sql-m flags S/SA keep state
pass in log quick on $ext_if proto udp from $sql_users to $websvr port ms-sql-m keep state

######################
# internal interface #
######################

pass in quick on $int_if proto { tcp, udp, icmp } from $royalst to any keep state

I have a couple a question about your ruleset, and two comments.

Question,

Do you need to have the loopback rules? I don't have them on mine, yet I talk over the loopback interfaces just fine. For some reason I thought those weren't needed in pf.

Comment 1,

I notice you pass out all traffic which is fine. However you don't specify
any keep state info, Alos you pass out rule is somewhere, in the middle of your ruleset. I specify my outgoing rules at the bottom of my ruleset, personal preference really, I think it just keeps things neater. Here's how I do my outgoing:

[code:1:d5a96928b0]
#Keep States Letting all outgoing traffic out and maintaining states on
#established connections including TCP,UDP, ICMP and create state.
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
[/code:1:d5a96928b0]

Comment 2,

I also do specific blocking of IP options. I particularly like to block these types of packets on boxes where I offer legit. services.

Here's how I do that:

[code:1:d5a96928b0]
#Specifically block IP Options.
block in log quick on $ext_if in proto tcp from any to any \
flags { FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P }
[/code:1:d5a96928b0]

Anyways those are my comments/suggestions. Other than that I think it looks pretty good.

Answer:
I wasn't sure about the loopback rules either. I'll probably test with and without and see if they're needed.

Comment 1:
I do have keep state info on outbound traffic. It could probably be placed in a better location within the ruleset though.

Also on my outbound rules for tcp traffic I was using modulate state instead of keep state. Doing more research on modulate state and how / where it should be applied.

Comment 2:
That's something I definately need to add to my rules.

Thanks elmore. I appreciate the input and the work you do for the community.

Hmmm....

I see incoming keep states I just dont see out going keep states...

Do you need to have the loopback rules? I don't have them on mine, yet I talk over the loopback interfaces just fine. For some reason I thought those weren't needed in pf.


do you block loopback anywhere? in the sample here, the default is pass, so the loopback rules arent necessary since they are understood by the default pass (and no later deny's).

oops, my tired eyes missed the default "block in all". b/c of that, the loopback pass in will be necessary, but b/c of the "pass out all" the loopback pass out is not necessary.

I retort,

I do have a loop back rule on a couple of my boxes where I have to run services that need to utilize the loopback. Hmmmm.... sorry about that, perhaps next time I won't post so tersely.

I'm making changes and rearranging my rules to make them easier to read. I'll repost the changes later.

OK. Here goes again. I mostly made changes to the packet filter section so that's all I'm going to repost.


###############################################
#
# packet filter
#
###############################################

pass out all
block in all

############
# loopback #
############

pass in quick on $loop all

######################
# external interface #
######################

# block out quick on $ext_if all # only here for emergencies

block out quick on $ext_if from any to $private
block in quick on $ext_if from $private to any
block return-rst in log on $ext_if proto tcp all
block return-icmp in log on $ext_if proto udp all
block in quick on $ext_if from any to 255.255.255.255

# ICMP

pass out on $ext_if inet proto icmp all keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

pass out on $ext_if inet proto udp all keep state
pass in quick on $ext_if proto udp from any to $mailsvr port domain keep state

# TCP

pass out on $ext_if proto tcp all modulate state
pass in quick on $ext_if proto tcp from any to $mailsvr port { http, imap, pptp, smtp } flags S/SA keep state
pass in quick on $ext_if proto tcp from $admin to $sentry port ssh flags S/SA keep state
# for ftp proxy
pass in quick on $ext_if proto tcp from any to $sentry port >= 49152 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $websvr port http flags S/SA keep state
pass in log quick on $ext_if proto tcp from $sql_users to $websvr port { ms-sql-s, ms-sql-m } flags S/SA keep state
pass in log quick on $ext_if proto udp from $sql_users to $websvr port { ms-sql-s, ms-sql-m } keep state

# GRE
pass in quick on $ext_if proto gre from any to $mailsvr keep state

######################
# internal interface #
######################

pass in quick on $int_if proto tcp from $royalst to $sentry port = ssh keep state

That look pretty good to me man. The only thing I would add is the IP options stuff, that's fairly minor though.