12.07.2015 Views

Network Configuration—Firewalls

The keyword all is the short version of from any to any. In the above example, the rule will ultimately translate to the following code:

    pass out on fxp0 proto tcp from any to any
    pass out on fxp0 proto udp from any to any

Tables

A table is a list of IP addresses. You can also keep a list of IP addresses in a macro. However, the main difference between tables and macros is the speed of lookup in tables. You can keep a large number of IP addresses in a table with very low overhead and very fast lookup. A table can be marked persistent, which means it will not be removed from memory if it is empty. As you see in the sample configuration, a table name is always enclosed within < > signs.

Options

There are a number of global options that PF uses internally. These options start with the set keyword and have global effects on PF behavior. As you saw in our sample configuration file, we are using two options:

    set loginterface $ext_if
    set block-policy drop

The first option enables statistics logging on the $ext_if interface, which is in fact the fxp0 interface, while the second option defines the default behavior of the block keyword. Using this option, we can specify whether the "block" action should simply "drop" a packet or return a message to the sender (such as an ICMP unreachable message or a TCP RST) which indicates that the packet has not reached its ultimate destination.

Scrub

Scrub, or normalization, is an important feature of PF. Scrubbing means receiving a full packet, reassembling it if it is fragmented, and checking it for any abnormal patterns. This process helps identify and then drop abnormal packets (for example, orphan fragments). The single rule under the scrub section in our configuration sample indicates that all incoming packets on any interface should be passed through a scrub sanity check.

Queuing

This section contains the necessary rules for managing traffic using the ALTQ framework.

[ 196 ]
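The following is an added example, not code from the book or from PF itself: a small Python model of how pfctl treats the pieces discussed above (macro references such as $ext_if, { } lists, the all shorthand, set options, and tables with the persist flag). The sample pf.conf text, the table name spammers and the addresses in it are constructed for the demonstration; real rule loading is done by pfctl, which this toy does not replace.

```python
import re
import ipaddress

# Constructed sample in the style of the chapter's configuration (assumption, not the book's file).
SAMPLE_PF_CONF = """
ext_if = "fxp0"
table <spammers> persist { 192.0.2.0/24, 198.51.100.7 }
set loginterface $ext_if
set block-policy drop
scrub in all
block in on $ext_if from <spammers> to any
pass out on $ext_if proto { tcp, udp } all
"""


class Table:
    """Toy model of a PF table.

    Exact host entries live in a set (O(1) membership test); network prefixes are
    kept in a list. PF itself uses a radix tree for both, which is what makes large
    tables cheap to look up; this model only reproduces the idea, not the structure.
    """

    def __init__(self, name, addrs=(), persist=False):
        self.name = name
        self.persist = persist          # 'persist' keeps an empty table in memory
        self.hosts = set()
        self.networks = []
        for a in addrs:
            net = ipaddress.ip_network(a, strict=False)
            if net.num_addresses == 1:
                self.hosts.add(net.network_address)
            else:
                self.networks.append(net)

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return ip in self.hosts or any(ip in net for net in self.networks)

    def is_empty(self):
        return not self.hosts and not self.networks


def expand_macros(text, macros):
    """Replace every $name with the macro's value; an undefined macro is an error, as in pfctl."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise ValueError(f"undefined macro ${name}")
        return macros[name]
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, text)


def expand_lists(rule):
    """Expand the first '{ a, b }' list into one rule per element, then recurse for any others."""
    m = re.search(r"\{\s*([^}]*)\}", rule)
    if not m:
        return [rule]
    items = [i.strip() for i in m.group(1).split(",") if i.strip()]
    out = []
    for item in items:
        out.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out


def expand_rule(rule, macros):
    """Macros first, then lists, then the 'all' shorthand (all == from any to any)."""
    rule = expand_macros(rule.strip(), macros)
    return [re.sub(r"\ball\b", "from any to any", r) for r in expand_lists(rule)]


def parse_pf_conf(text):
    """Split a pf.conf-style text into macros, tables, set options and expanded rules."""
    conf = {"macros": {}, "tables": {}, "options": {}, "rules": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            conf["macros"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"^table\s+<(\w+)>\s*(persist)?\s*(?:\{([^}]*)\})?$", line)
        if m:
            addrs = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
            conf["tables"][m.group(1)] = Table(m.group(1), addrs, persist=bool(m.group(2)))
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m:
            conf["options"][m.group(1)] = expand_macros(m.group(2), conf["macros"])
            continue
        conf["rules"].extend(expand_rule(line, conf["macros"]))
    return conf


def undefined_tables(conf):
    """Sanity check: table names referenced by rules but never declared."""
    refs = {t for r in conf["rules"] for t in re.findall(r"<(\w+)>", r)}
    return sorted(refs - conf["tables"].keys())


def flush_all(tables):
    """Empty every table; an empty table is dropped unless it was declared persist."""
    survivors = {}
    for name, t in tables.items():
        t.hosts.clear()
        t.networks.clear()
        if t.persist:
            survivors[name] = t
    return survivors


if __name__ == "__main__":
    conf = parse_pf_conf(SAMPLE_PF_CONF)
    for r in conf["rules"]:
        print(r)
    print("options:", conf["options"], "undefined tables:", undefined_tables(conf))
```

Running the module prints the pass rule expanded into the two tcp and udp rules exactly as the text describes, shows the set options with $ext_if resolved to fxp0, and reports no undefined table references. The flush_all function models the persist flag: after flushing, only the spammers table remains, because it was declared persist.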
