From: vsavichev@wesleyan.edu
To: freebsd-pf@freebsd.org
Date: Sun, 6 Feb 2005 10:25:11 -0500 (EST)
Subject: block specific IP's: corporate network
List-Id: Technical discussion and general questions about packet filter (pf)

We have a standard LAN-server-WAN network configuration in a cyber-cafe:

    --LAN---|-em0-server----dc0-|---WAN

We want to control outbound client connections, so pf.conf has the following layout (only the filter rules part):

    .....
    pass quick on $int_if all
    pass quick on lo0 all

    # block specific client's IPs
    #
    block in quick on $ext_if from any to IP
    block out quick on $ext_if from IP to any
    .....

    # stateful pass out rules on the specific ports
    # e.g.
    # Allow out non-secure standard www function
    pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
    ....

So we assume the given IP should be blocked from the WAN. But to my amusement, the client's browser gets out, states are created, so nothing is being blocked. For now, I have no clue how it is happening.

Vlad
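As an added illustration (not part of Vlad's post), the following pf.conf fragment places the posted layout beside one that blocks the listed clients before translation. It assumes the gateway NATs the LAN on $ext_if, and the interface names, the 192.168.1.0/24 network and the client addresses are placeholders; in pf, translation rules run before filter rules, so an outbound block on $ext_if that names a private client address never matches.

```pf
# Added example, not from the original post. Assumed cyber-cafe NAT gateway:
# em0 = LAN side, dc0 = WAN side, clients in 192.168.1.0/24 (placeholder values).
int_if = "em0"
ext_if = "dc0"
lan_net = "192.168.1.0/24"
blocked_clients = "{ 192.168.1.50, 192.168.1.51 }"   # placeholder client addresses

# Outbound NAT: pf rewrites the source address BEFORE the filter rules on
# $ext_if are evaluated, so those rules only ever see the public address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Layout as posted (ineffective once NAT is in play) ---------------------
# pass quick on $int_if all                           # admits the packet on em0 first
# block out quick on $ext_if from 192.168.1.50 to any # source is already NATed: no match
# block in quick on $ext_if from any to 192.168.1.50  # replies match the existing state,
#                                                     # so the ruleset is not consulted

# --- Corrected: filter on the internal interface, before translation --------
# The block must come before the pass-all on $int_if, since both use "quick".
block in quick on $int_if from $blocked_clients to any
pass quick on $int_if all
pass quick on lo0 all

# Stateful outbound rules on the specific ports, as in the post.
pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -ss` that no new state appears for a blocked client.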