Доброго всем времени суток.
Товарищи форумчане помогите с конфигом (PF). Собственно все настроено и работает, но есть непреодалимое желание улучшить внешнюю безопасность путем ограничения открытых портов снаружи. Подскажите рекомендации по этому вопросу.
Заранее благодарен. Конфиг PF прилагается.ext_if="rl1"
int_if="rl0"
set limit frags 20000
set limit src-nodes 2000
set limit tables 1000
set limit table-entries 100000
#set ruleset-optimization basic
set skip on lo0
#scrub in on $ext_if all fragment reassemble
nat on $ext_if from {$int_if:network} to any -> ($ext_if)
rdr on $int_if proto {tcp,udp} from {$int_if:network} to any port {http,https} -> 127.0.0.1 port 3128
block in quick from no-route to any
block in quick from urpf-failed to any
#block log on $ext_if from {!$int_if:network} to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32} to any
block in quick on $ext_if proto {tcp,udp} from any to any port {67,3306,21,20}
pass in quick from $int_if:network to $int_if
pass on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if proto tcp from {$int_if:network} to any modulate state
pass in quick on $ext_if proto tcp from any to $ext_if port 1723
pass on lo0 proto tcp from any to any port 953
pass in on $ext_if proto tcp from any to $ext_if port {ssh}