pass quick on $mgt_int inet proto { tcp, udp } from 192.168.1.4 to any port $client_out
#################################################################
# Rules for the bridge
#################################################################
pass quick on $inboard_int inet proto { tcp, udp } from $trusted to any port { domain, ntp }
pass on $inboard_int inet proto tcp from $trusted to any port $client_out
# NOTE: the overload table name did not survive in this copy of the file;
# <bruteforce> below is a placeholder and must match a "table <...> persist"
# declaration earlier in pf.conf. Every continued line must end in a backslash.
pass on $inboard_int inet proto { tcp, udp } from any to $trusted port 22 \
keep state (max-src-conn 20, max-src-conn-rate 10/5, overload <bruteforce> \
flush global)
pass on $inboard_int inet proto { tcp, udp } from any to $trusted port 443 \
keep state (max-src-conn 20, max-src-conn-rate 10/5, overload <bruteforce> \
flush global)
--end of snip--
This pf.conf file only allows ssh (port 22) and https (port 443) inbound from the
external network (no trust) to the internal network (trusted). As a reminder, on the
prototype system the network card labeled sis0 was designated as the
management interface; make substitutions as needed. While you are in the
beginning stages of configuring your pf.conf file, it is recommended to have a
monitor and keyboard (aka console) handy, in case you lock yourself out from the
network perspective.
PS: to disable pf, run as root:
pfctl -d
The rest is left for the user to explore...
Now you are ready to reboot and start the journey!
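Added check, not part of the paper or the prototype's files: a small Python linter that reads pf.conf rules the way pfctl does (joining backslash-continued lines) and reports the mistakes that are easy to make in the rules above: an overload option with no <table> name, a reference to a table that is never declared, a parenthesis left open by a missing trailing backslash, and max-src-conn applied to a rule that also matches udp. The sample rules and the <bruteforce> table name are constructed for the example.

```python
import re
# Constructed pf.conf sample; the table name <bruteforce> is an assumption, not from the paper.
SAMPLE_LINES = [
    "table <bruteforce> persist",
    "# well-formed rule: tcp only, continuation ends with a backslash",
    "pass on $inboard_int inet proto tcp from any to $trusted port 22 \\",
    "    keep state (max-src-conn 20, max-src-conn-rate 10/5, overload <bruteforce> flush global)",
    "# defective rule: udp mixed in, no <table> after overload, backslash missing",
    "pass on $inboard_int inet proto { tcp, udp } from any to $trusted port 443 \\",
    "    keep state (max-src-conn 20, max-src-conn-rate 10/5, overload flush",
    "    global)",
]
KNOWN_START = re.compile(r"^(\w+\s*=|(pass|block|match|table|set|scrub|anchor|antispoof|include|queue)\b)")

def logical_lines(text):
    """Join backslash-continued lines as pfctl does; drop blank and comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1].rstrip() + " "
            continue
        out.append((buf + raw).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return [ln for ln in out if ln and not ln.startswith("#")]

def lint(text):
    """Return problem strings for a pf.conf fragment (empty list when clean)."""
    lines = logical_lines(text)
    # tables may be declared anywhere in the file, so collect them first
    tables = {m.group(1) for ln in lines for m in [re.match(r"table\s+<(\w+)>", ln)] if m}
    problems = []
    for ln in lines:
        if not KNOWN_START.match(ln):
            problems.append(f"unrecognized line start (stray continuation?): {ln}")
            continue
        if not ln.startswith(("pass", "block", "match")):
            continue
        for t in re.findall(r"\boverload\s+<(\w+)>", ln):
            if t not in tables:
                problems.append(f"overload table <{t}> is not declared")
        if re.search(r"\boverload\s+[^\s<]", ln):
            problems.append("overload needs a <table> name")
        if ln.count("(") != ln.count(")"):
            problems.append("unbalanced parentheses, probably a missing trailing backslash")
        m = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", ln)
        others = [p for p in re.findall(r"\w+", m.group(1)) if p != "tcp"] if m else []
        if "max-src-conn" in ln and others:
            problems.append("max-src-conn* counts completed TCP handshakes only; no effect for proto " + ", ".join(others))
    return problems
```

Run it against your draft before `pfctl -f`; a clean result still leaves the real check to `pfctl -nf /etc/pf.conf`, which parses without loading.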
Nicholas Pappas
© 2021 SANS Institute, Author Retains Full Rights