From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 17:35:16 2006
From: "Daniel" <daniel@britishemail.co.uk>
To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 13:35:57 -0000
Message-Id: <20061130173504.CD06C43CBA@mx1.FreeBSD.org>
Subject: opinion on this ruleset
List-Id: "Technical discussion and general questions about packet filter (pf)"

I was wondering if I could get some opinions on this ruleset please.

Basically, I have FreeBSD 6.1, running an IRC server on ports 6697, 7000, 6659 through to 6671, 9999, 27888. I am also running a nameserver, so have opened TCP and UDP 53. I also want incoming on port 80 and 22.

I have about 15 IP addresses assigned to my external interface... would it be better to make a table for these? Or is using the ext_if as a macro just as effective?

# external interface (the host's only interface)
ext_if="rl0"

# 6659:6671 is the inclusive range 6659 through 6671;
# 6659 >< 6671 would exclude both end ports
tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659:6671, 9999, 27888 }"
udp_services="{ 53 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

scrub in

# default deny inbound, stateful pass outbound
block in
pass out keep state

# drop packets with a source address belonging to lo or to this host
antispoof quick for { lo $ext_if }

# ($ext_if) is re-evaluated at lookup time, so it matches every
# address currently assigned to rl0, not just those present at load
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
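The table-versus-macro question raised in the post, as an added example that is not part of the original message: the three ways pf can name a host's own addresses, and the port-range operators, side by side. The interface rl0 and the table name ext_addrs are assumptions, and the 192.0.2.x addresses are constructed sample aliases.

```pf
ext_if="rl0"

# (1) $ext_if without parentheses expands to the addresses on rl0 at the
#     moment the ruleset is loaded; an alias added later is not matched
#     until the rules are reloaded with pfctl -f.
# (2) ($ext_if) in parentheses is re-evaluated on every lookup, so every
#     address currently on rl0 matches, including aliases added later.
# (3) A table is an explicit list: it can expose a service on some of the
#     addresses but not others, and it can be changed at run time with
#     pfctl -t ext_addrs -T add/delete without reloading the ruleset.
table <ext_addrs> persist { 192.0.2.10, 192.0.2.11, 192.0.2.12 }  # constructed sample

# port ranges: a:b is inclusive, a >< b excludes both ends, a <> b is everything
# outside the range; 6659:6671 is what "6659 through to 6671" means
irc_ports="{ 6697, 7000, 6659:6671, 9999, 27888 }"

block in
pass out keep state

# services that should answer on every address the interface has right now
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port { 22, 80, 53 } flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

# the IRC server only on the addresses listed in the table
pass in on $ext_if inet proto tcp from any to <ext_addrs> \
    port $irc_ports flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -t ext_addrs -T show` prints the table's current contents, and `pfctl -t ext_addrs -T add 192.0.2.13` extends it while the rules stay loaded. If all 15 addresses should be treated identically, `($ext_if)` is the simpler choice; a table earns its keep when the set of addresses and the set of interface aliases are not the same.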