Hi all,

Well, I've decided to run a little web server at home. I registered a domain name, and I'm working on setting up a DMZ. So my first question pertains to pf.

I am assuming that all I really need to do is:

1. pass port 80 traffic on my external interface
2. rdr this traffic to a host in my DMZ
3. block traffic from the DMZ to my internal network
4. allow stateful connections to the hosts in the DMZ from my internal network

I'm including my pf.conf file at the end of this post; any critique is welcome, as I'm learning as I go here. Patrick - you should recognize some of this :). The two commented lines (rdr and nat) are the beginnings of my attempt to implement this. I assume that I need to add a block rule to address item 3 above, and a pass rule for item 4. If anyone is in the mood, I'd love some critiques/suggestions on the best way to accomplish what I'm trying to do.

Once it's up, I will probably add queueing on the external interface as well, since my upload rate is only 256k. It is unlikely to be a high-traffic site, though, so one thing at a time.

My second question is whether anyone has any experience, thoughts or opinions on this service:

http://soa.granitecanyon.com/

I am running DNS internally, but I'm not really ready to put up public servers yet, and this seems like a decent alternative. Besides, they're running FreeBSD, so that's one thing in their favor in my book :-).
Thanks!

-Jonathan


My pf.conf file:

ext_if="xl0"
int_if="xl1"
dmz_if="xl2"

tcp_services="{ 22 }"
icmp_types="echoreq"

priv_nets="{ xxx.xxx.xxx.xxx/24, xxx.xxx.xxx.xxx/24 }"

table <adservers> persist file "/etc/pftables/adservers"
table <crackers> persist file "/etc/pftables/crackers"

set block-policy drop
set state-policy if-bound
set loginterface $ext_if

scrub in all

# NAT: internal LAN goes out through the external address (DMZ line not yet enabled)
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# Redirections: inbound www to the DMZ host (not yet enabled), and
# outbound FTP from the LAN through ftp-proxy listening on localhost
#rdr on $ext_if proto tcp from any to any port www -> xxx.xxx.xxx.xxx
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny, then pass selectively
block all
pass quick on lo0 all

# Addresses in $priv_nets must never be seen on the outside interface
block drop in log quick on $ext_if from $priv_nets to any
block drop in log quick on $ext_if from any to $priv_nets

block return log quick from any to <adservers>
block drop log quick from <adservers> to any

block drop in log quick on $ext_if from <crackers> to any

# Inbound ssh, rate-limited per source; offenders are added to <crackers>
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)

# Active-mode FTP data connections coming back to ftp-proxy
pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

pass in log inet proto icmp all icmp-type $icmp_types keep state

pass in log on $int_if from $int_if:network to any keep state

pass out log on $int_if from any to $int_if:network keep state

pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
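One way to implement the four items listed in the post, as an added example that is not part of the original post and not Jonathan's own config. It assumes the `$ext_if`, `$int_if` and `$dmz_if` macros and the `<crackers>` table from the posted pf.conf, a hypothetical DMZ web server at 192.0.2.10, and the pre-4.7 OpenBSD/FreeBSD pf syntax (`nat on`/`rdr on`) used in the post; the connection-limit numbers are illustrative. The point a practitioner most often gets wrong here is that in this pf generation translation happens before filtering, so the pass rule for redirected HTTP must match the DMZ host, not `($ext_if)`, and that `set state-policy if-bound` means each forwarded packet needs a state on both interfaces it crosses.

```pf
# Added example, not from the original post. Assumes the $ext_if, $int_if,
# $dmz_if macros and the <crackers> table from the posted pf.conf, and the
# pre-4.7 "nat on"/"rdr on" pf syntax used there.
web_server="192.0.2.10"      # hypothetical DMZ host (documentation range)

# DMZ hosts reach the Internet through the external address (the posted
# file has this line commented out).
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# Item 2: redirect inbound HTTP to the DMZ web server. Translation runs
# before filtering, so the pass rule below must match the translated
# destination ($web_server), not ($ext_if).
rdr on $ext_if proto tcp from any to any port www -> $web_server port www

# Item 3: nothing arriving on the DMZ interface may initiate into the
# internal LAN. "quick" makes this win over the broader DMZ pass rule
# further down. Replies to LAN-initiated connections are matched by
# state before the ruleset is consulted, so they are unaffected.
block drop in log quick on $dmz_if from any to $int_if:network

# Item 1: accept the (already redirected) HTTP connections on the outside,
# with per-source limits feeding the same <crackers> table as the ssh rule.
# The limit values are illustrative.
pass in log on $ext_if inet proto tcp from any to $web_server port www \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 30/10, overload <crackers> flush global)

# With "set state-policy if-bound" the state above is bound to $ext_if, so
# the same packet needs its own state when it leaves on $dmz_if.
pass out on $dmz_if inet proto tcp from any to $web_server port www \
    flags S/SA keep state

# Let the web server itself go out (DNS, package updates). The quick block
# above already excludes the internal LAN, and the posted "pass out on
# $ext_if" rules carry the traffic the rest of the way.
pass in log on $dmz_if from $dmz_if:network to any keep state

# Item 4: the internal LAN may open connections into the DMZ. The posted
# "pass in on $int_if ... to any" rule already admits them on $int_if;
# this is the $dmz_if side that if-bound requires.
pass out on $dmz_if from $int_if:network to $dmz_if:network keep state
```

Merge the `nat`/`rdr` lines into the translation section of the posted file and the filter lines after the existing `block` rules; the `quick` block for item 3 only does its job if it precedes the DMZ `pass in` rule. Check syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. After a test request from outside, `pfctl -ss` should show two states per HTTP connection under if-bound, one on xl0 and one on xl2; if only the xl0 state appears, the `pass out on $dmz_if` rule is not matching.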