## remember this

ok so the configuration file is located at `/etc/pf.conf`

to load new changes you will use `# pfctl -f /etc/pf.conf` (using rc to do it does not work last time I checked :/)

to check the file for typos without loading anything, run `# pfctl -nf /etc/pf.conf` first. a typo makes `pfctl -f` reject the whole file and keep the old rules, which is confusing if you don't notice.

if you are doing this over ssh, make sure your own ip can still reach port 22 in the new rules before you load them, otherwise you lock yourself out.

to enable packet filter run `# pfctl -e`

to disable packet filter run `# pfctl -d`

remember that the last matching rule applies, so if you deny someone from connecting to a port but then allow it right after, the port will be allowed, unless you use `quick` because that means apply this rule now and stop reading the rest

----

## configuration

```
set skip on lo0 # this makes it so packet filter doesn't affect the loopback device
# :P marker #1 (the table lines from the bill bob and timmy sections below belong here)
block in # makes it so by default nothing is allowed in
pass out # makes it so by default everything is allowed out (pf keeps state, so the replies get back in)
# now you want to allow some ports
# first you type `pass in quick proto`
# then you want to type either udp or tcp, if you're not sure then just allow both by saying `{udp tcp}`
# now you want to say who is allowed, this can either be an ip, a table or "any": `from any`
# now define the ports: `to port {` the ports separated by a space, or use : to specify a range `}`
# here's a few examples
pass in quick proto {udp tcp} from any to port {53} # allow anyone to access the dns server
pass in quick proto tcp from any to port {6667:6669 6697:6699 9999} # allow anyone to access some common irc ports
# you can also use service names instead of numbers, they come from /etc/services
pass in quick proto tcp from any to port {http https} # (80 443) allow anyone to access the http server
# now what about restricting ssh?
pass in quick proto tcp from 1.2.3.4 to port {22} # only the ip 1.2.3.4 can access port 22, everyone else falls through to `block in`
# cough cough cough
# now what about blocking some evil doers?
# this is bill bob
#  _-_
#  >:<
#  \_/
# he's super evil and we know he wants to hack your server so he can boot people,
# but we don't want that because that can get us in trouble,
# we happen to have gathered a list of all his hacking servers.
# we create a folder in /etc called pf and in that folder (/etc/pf) we put a text file called badhosts
# inside that file (/etc/pf/badhosts) we put all of bill bob's ips, one per line, and also the ips of other evil doers like bill bob
# so now let's make it take effect
table <badhosts> persist file "/etc/pf/badhosts"
# now we have the table called <badhosts> loaded and can use it whenever we want to apply a rule to all the ips inside that table
block in quick from <badhosts>
# this line basically says all the ips in the badhosts table, their connections will be dropped now
# but remember that the passes above all have `quick`, so a pass that matches first wins and stops reading,
# which means this block only really protects the ports in the rules below it,
# so because of this you should load the table and add the block before placing all the passes,
# the best place to put it would be where marker #1 is
# keep in mind that changes to the file only take effect after a reload with `# pfctl -f /etc/pf.conf`,
# or you can swap just that table with `# pfctl -t badhosts -T replace -f /etc/pf/badhosts`
# (`# pfctl -t badhosts -T add 5.6.7.8` adds one ip by hand, but that only lives in memory, put it in the file too)
# now what about timmy?
# this is timmy's upper body... I'm not drawing his entire body again...
#  ._.
#  |_|
#  ; ;
#  \ \
#  ...
# timmy is a super good boi, timmy is a helper,
# timmy will stop at nothing to protect your server from evil doers like bill bob,
# but sometimes you make mistakes, we all do, even timmy,
# so sometimes it might be necessary to give timmy access to all ports, but this is almost never necessary.
# just like above in the bill bob section we will create a table, but this table will be called ilines instead of badhosts.
# so in /etc/pf/ilines you put timmy's ip, but of course only when necessary
table <ilines> persist file "/etc/pf/ilines"
# and then allow access to all the ports
pass in quick from <ilines>
# you can put this above marker #1 or below it or just at the very bottom of the configuration file,
# it works anywhere because of `quick`, the one thing to watch is that for an ip that is in both files
# whichever of the two `quick` rules (this pass or the badhosts block) comes first is the one that wins,
# but to make the least possible errors that can occur with a big bulky configuration file,
# it is advised (recommended) to put it above marker #1.
```

You can make as many tables as you want and make groups of who may access what ports and who isn't allowed to. go nuts!
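An added example, not from the original page: a small sh helper for the table files described above. pf reads `/etc/pf/badhosts` and `/etc/pf/ilines` when the ruleset or table is loaded, and one bad line (a typo, a hostname that does not resolve) makes pfctl reject the whole thing, so the helper checks the files first, then either swaps just the tables or syntax-checks pf.conf before a full reload. The paths and table names follow the config above; the sample entries are made up (RFC 5737 documentation ranges), and the validator only accepts IPv4 addresses and prefixes on purpose.

```shell
#!/bin/sh
# Added example helper for the pf table files (not part of the original page).
# Paths, table names and the sample entries below are assumptions.

# valid_ipv4 ADDR: succeed only for four dotted decimal octets, each 0..255.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_prefix PLEN: succeed for a prefix length 0..32.
valid_prefix() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 32 ]
}

# check_table_file FILE: succeed if every entry is an IPv4 address or an
# IPv4 CIDR block. Blank lines and `#` comments are ignored, like pf does.
# Hostnames are rejected on purpose: pf would resolve them at load time,
# so whoever controls that DNS name would control what your table matches.
# Every offending line is printed to stderr and the function returns 1.
check_table_file() {
    file=$1
    lineno=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}                                  # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # and all whitespace
        if [ -z "$entry" ]; then continue; fi
        case $entry in
            */*) addr=${entry%%/*}; plen=${entry#*/} ;;
            *)   addr=$entry;       plen=32 ;;
        esac
        if ! valid_ipv4 "$addr" || ! valid_prefix "$plen"; then
            printf '%s:%d: bad entry: %s\n' "$file" "$lineno" "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# reload_tables: replace the live contents of both tables from their files
# without touching the rest of the ruleset (lighter than a full `pfctl -f`).
# Needs root and pfctl, so the demo below does not call it.
reload_tables() {
    check_table_file /etc/pf/badhosts || return 1
    check_table_file /etc/pf/ilines   || return 1
    pfctl -t badhosts -T replace -f /etc/pf/badhosts || return 1
    pfctl -t ilines   -T replace -f /etc/pf/ilines
}

# reload_ruleset [CONF]: check the table files, parse pf.conf with -n (nothing
# is loaded on error), and only then load it for real. Needs root and pfctl.
reload_ruleset() {
    conf=${1:-/etc/pf.conf}
    check_table_file /etc/pf/badhosts || return 1
    check_table_file /etc/pf/ilines   || return 1
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf"
}

# demo: run the validator over a constructed badhosts file (made-up
# addresses from the RFC 5737 documentation ranges). Returns its result.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# bill bob's hacking servers
192.0.2.10
198.51.100.0/24   # his whole hosting block
203.0.113.7
EOF
    check_table_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo && echo "badhosts file looks fine, safe to load"
```

Run it as root on the box that has pfctl: `reload_tables` after editing badhosts or ilines, `reload_ruleset` after editing pf.conf. The demo at the bottom only touches a temp file, so it runs anywhere and shows what a clean file looks like; put a hostname or a `/33` in it and you get the file name, line number and line back on stderr instead of a half-loaded ruleset.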