From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 09:04:24 2010
Delivered-To: freebsd-security@freebsd.org
Date: Fri, 22 Jan 2010 11:32:51 +0300
From: S4mmael
To: kalin m
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <6e38aed81001220032p2f4948bftede7862e1d7c7cf7@mail.gmail.com>
In-Reply-To: <4B5958E2.9010509@el.net>
References: <4B5958E2.9010509@el.net>
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Fri, 22 Jan 2010 09:04:24 -0000

If I guess your idea right, you should specify direction like this:

    pass in proto udp to any port $udp

"pass proto udp to any port $udp" passes traffic in any direction (ingoing and outgoing).

2010/1/22 kalin m :
>
>
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
>
>
> thanks....
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
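The direction point made in this reply, and the reason the quoted ruleset lets "telnet that.host.org 25" through, are easiest to see by stepping through pf's rule evaluation. The following is an added example written for this archive page; it is not pf and not code from either poster. It is a deliberately small model of pf semantics: rules are evaluated top to bottom and the last matching rule wins (no "quick" in the posted ruleset), a packet that matches no rule passes (pf's default), and a rule written without "in" or "out" matches both directions. Everything else in the posted pf.conf (keep state, flags, synproxy, icmp-type, scrub, antispoof, the eth0 interface) is ignored by the model, the sample packets are constructed, and the service-name-to-port table is an assumption based on the usual IANA assignments.

```python
"""Toy model of pf rule evaluation (added example, not pf and not the thread's code).

Modelled: last matching rule wins, default pass, and a rule with no 'in'/'out'
matches both directions.  Not modelled (assumption): state, flags, synproxy,
icmp-type, scrub, antispoof, interfaces.  Packets are reduced to direction,
protocol and destination port.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed service-name expansion (the usual IANA ports); pf reads /etc/services.
SERVICES = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "ntp": 123, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall host
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    direction: Optional[str] = None         # None: no 'in'/'out' written -> both
    proto: Optional[str] = None             # None: any protocol
    ports: Optional[FrozenSet[int]] = None  # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.ports is None or pkt.dport in self.ports))


def ports(*names: str) -> FrozenSet[int]:
    """Expand a pf-style list such as { domain, ntp } to port numbers."""
    return frozenset(SERVICES[n] for n in names)


def deciding_rule(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the LAST rule that matches pkt, or None if nothing matches."""
    idx = None
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            idx = i
    return idx


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """'pass' or 'block' for pkt: last match wins, default pass."""
    i = deciding_rule(rules, pkt)
    return "pass" if i is None else rules[i].action


# The quoted pf.conf, reduced to what the model understands (same order).
POSTED_RULES = [
    Rule("block", direction="in"),                                          # 0 block in all
    Rule("pass", direction="out"),                                          # 1 pass out all keep state
    Rule("pass", proto="udp", ports=ports("domain", "ntp")),                # 2 pass proto udp ... (no direction)
    Rule("pass", proto="icmp"),                                             # 3 pass inet proto icmp ...
    Rule("pass", direction="in", proto="tcp", ports=ports("www", "https")), # 4 pass in inet proto tcp ...
    Rule("pass", proto="tcp", ports=ports("ssh")),                          # 5 pass proto tcp to any port ssh (no direction)
]

# The same ruleset with 'in' added to the udp rule, as the reply suggests.
RULES_WITH_DIRECTION = [
    (Rule("pass", direction="in", proto="udp", ports=ports("domain", "ntp"))
     if r.proto == "udp" else r)
    for r in POSTED_RULES
]

# Constructed sample traffic, not captures from the thread.
SAMPLES = [
    Packet("out", "tcp", 25),   # the 'telnet that.host.org 25' from the post
    Packet("in", "tcp", 25),    # a remote host connecting to our port 25
    Packet("in", "udp", 53),    # a remote host sending to our port 53
    Packet("out", "udp", 53),   # our own DNS query
    Packet("in", "tcp", 22),    # ssh to us
    Packet("in", "tcp", 8080),  # a port no rule mentions
]


def decisions(rules: List[Rule]) -> Dict[Tuple[str, str, int], str]:
    """Verdict for each sample packet under the given ruleset."""
    return {(p.direction, p.proto, p.dport): evaluate(rules, p) for p in SAMPLES}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("udp rule with 'in'", RULES_WITH_DIRECTION)):
        print(f"--- {name} ---")
        for p in SAMPLES:
            i = deciding_rule(rules, p)
            print(f"{p.direction:>3} {p.proto:<4} dport {p.dport:<5} -> {evaluate(rules, p):5}"
                  f"  (rule {i})")
```

Two things the model makes visible. First, the outbound telnet to port 25 is decided by rule 1, "pass out all keep state", so no port rule is involved at all and "block in all" never applies to a connection the host itself initiates. Second, the two rules written without a direction (udp to domain/ntp, tcp to ssh) are the ones that open inbound ports; adding "in" to the udp rule, as the reply suggests, does not change any verdict in this particular ruleset because "pass out all" already covers the outbound side, but it does change which rule decides the outbound DNS packet (rule 1 instead of rule 2), which is exactly the kind of difference that matters once the outbound policy is tightened. On the real system, "pfctl -nvf /etc/pf.conf" shows how pf expanded the macros and lists, and "pfctl -vvsr" prints the loaded rules with their rule numbers and match counters, which is the quickest way to confirm which rule is actually deciding a given connection.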