vi /etc/rc.conf

ipfilter=yes
ipfilter_flags=""
#ipmon=yes
ipmon_flags="-Dns"

vi /etc/ipf.conf
It is considered good practice to have a default blocking policy, but filtering is not strictly needed on the front-facing interface here, since the BSD gateway itself is not listening on any port whatsoever. This example, with four interfaces, only filters what comes in from the DMZ (xennet2) towards the internal network, plus the outbound maintenance connection (notice the pass out ... keep state line: the state entry is what lets the replies back in past the block rule). Two things to keep in mind when reading the rules: ipf applies the last matching rule unless a match carries quick, so the block line has to come before the pass lines that punch holes in it, and the icmp rules carry no on clause, so they pass ICMP on every interface, the public one included.
pass in all
pass out all

#loopback
pass in quick on lo0 all
pass out quick on lo0 all

#icmp
pass in quick proto icmp
pass out quick proto icmp

# xennet0 - internal 10.1.1
# xennet1 - public network
# xennet2 - DMZ 10.1.2
# xennet3 - agents 10.1.3

block in on xennet2 from any to 10.1.1.0/24

# joomla talks to monit
pass in on xennet2 proto tcp from any to 10.1.1.19 port = 8080
# joomla talks to mariadb
pass in on xennet2 proto tcp from any to 10.1.1.17 port = 3306
# joomla needs dns
pass in on xennet2 proto udp from any to 10.1.1.251 port = 53
pass in on xennet2 proto tcp from any to 10.1.1.251 port = 53
# we need to be able to maintain joomla on port 2222
pass out on xennet2 proto tcp from any to any port = 2222 keep state
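To see what the ruleset above actually lets through, here is an added example (not code from the page or from NetBSD's ipf) that replays ipf's evaluation order in Python: every rule is walked, the last match wins unless a match is marked quick, and a flow table stands in for keep state. The helper is hypothetical and understands only the keywords this ruleset uses; the two icmp lines, which carry no address part, are taken as any-to-any. The sample packets are constructed: 10.1.2.10 plays a DMZ host, 203.0.113.5 an Internet host, and the ports are made up.

```python
"""Miniature of ipf(8)'s rule evaluation over the page's /etc/ipf.conf.
Added example, not NetBSD's own code: it knows only the keywords that
ruleset uses, applies ipf's "last match wins unless quick" order and keeps
a flow table for "keep state"."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# The page's ruleset, copied inline so the script runs offline.
IPF_CONF = """
pass in all
pass out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick proto icmp
pass out quick proto icmp
# xennet2 - DMZ 10.1.2 ; 10.1.1.0/24 is the internal network
block in on xennet2 from any to 10.1.1.0/24
pass in on xennet2 proto tcp from any to 10.1.1.19 port = 8080
pass in on xennet2 proto tcp from any to 10.1.1.17 port = 3306
pass in on xennet2 proto udp from any to 10.1.1.251 port = 53
pass in on xennet2 proto tcp from any to 10.1.1.251 port = 53
pass out on xennet2 proto tcp from any to any port = 2222 keep state
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                     # "pass" | "block"
    direction: str                  # "in" | "out"
    quick: bool = False             # stop evaluating at this match
    iface: Optional[str] = None     # None = any interface
    proto: Optional[str] = None     # None = any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None     # None = any destination port
    keep_state: bool = False

# A packet as seen by the filter; sport/dport are 0 for protocols without ports.
Packet = namedtuple("Packet", "direction iface proto src dst sport dport", defaults=(0, 0))

def _net(tok):
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    t = line.split()
    r, i = Rule(action=t[0], direction=t[1]), 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "all"):                 # "all" is the default anyway
            r.quick, i = r.quick or w == "quick", i + 1
        elif w in ("on", "proto"):
            setattr(r, "iface" if w == "on" else "proto", t[i + 1]); i += 2
        elif w in ("from", "to"):
            setattr(r, "src" if w == "from" else "dst", _net(t[i + 1])); i += 2
        elif w == "port":                         # "port = N"
            r.dport, i = int(t[i + 2]), i + 3
        elif w == "keep":                         # "keep state"
            r.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported keyword {w!r} in {line!r}")
    return r

def parse_conf(text):
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l]

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface)
            and r.proto in (None, p.proto) and r.dport in (None, p.dport)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst)

class Firewall:
    def __init__(self, conf):
        self.rules = parse_conf(conf)
        self.state = set()      # (proto, src, sport, dst, dport) of kept flows

    def decide(self, p):
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.state:
            return "pass"       # packet of a kept flow: rules are not consulted
        # ipf's default is pass unless the kernel has IPFILTER_DEFAULT_BLOCK;
        # with "pass in all" / "pass out all" on top, something always matches.
        verdict, keep = "pass", False
        for r in self.rules:
            if matches(r, p):
                verdict, keep = r.action, r.keep_state   # last match wins ...
                if r.quick:
                    break                                 # ... unless quick
        if verdict == "pass" and keep:
            # record both directions so the reply gets past the block rule
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return verdict

if __name__ == "__main__":
    fw = Firewall(IPF_CONF)       # constructed traffic: 10.1.2.10 is a DMZ host
    for p in (Packet("in", "xennet2", "tcp", "10.1.2.10", "10.1.1.17", 40000, 22),
              Packet("out", "xennet2", "tcp", "10.1.1.5", "10.1.2.10", 40000, 2222),
              Packet("in", "xennet2", "tcp", "10.1.2.10", "10.1.1.5", 2222, 40000)):
        print(fw.decide(p), p)
```

Running it shows the points the prose makes: DMZ to 10.1.1.17:3306 passes while DMZ to the same host on port 22 is blocked, DMZ to the agents network 10.1.3.0/24 is not blocked at all, ICMP from the public side passes because the icmp rule is interface-agnostic, and the sshd reply from the Joomla host on port 2222 is only passed once the outbound connection has created a state entry.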