From: "Vitaliy Vladimirovich" <artemrts@ukr.net>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 14:44:43 +0300
Subject: Re[2]: PF and blocking of some ports
List-Id: Technical discussion and general questions about packet filter (pf)

--- Original Message ---
From: Max Laier
To: freebsd-pf@freebsd.org
Date: 21 July, 13:48:23
Subject: Re: PF and blocking of some ports

On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
> Below is a part of my pf.conf:
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp port 53
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
> All works fine. But when I wish to block not only port 25 but also 5190 or some
> other ports, blocking does not occur, and I can connect to port 25 on any host
> in the Internet from any computer in the local network.
>
> Rules which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me where my mistake is.

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port 5190 and the third to port 25. In general you should rather block unwanted traffic explicitly.

Ok, thanks for the advice.

I have changed the rule:
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port $ports tag LAN_INET_TCP_UDP

And defined $ports:
ports = "{20 21 80 443 8000 8080}"
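Added example, not part of the thread or of pf itself: a small Python model of the list expansion Max Laier describes, evaluating sample destination ports against the negated-list rule set and against an explicit block placed before the pass rule. The `Rule` class, the term syntax and the evaluation loop are constructed for illustration only.

```python
"""Toy model of how pf expands `{ ... }` lists into separate rules.

Constructed for illustration; this is not pf's parser. It models only the
three things the thread turns on: list expansion, `quick` first-match
evaluation, and the `!=` port operator.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp" or "udp"
    op: str       # "==", "!=" or "any"
    port: int     # single destination port after expansion (0 for "any")


def expand(action, protos, port_terms):
    """pf turns `proto {tcp udp} ... port {!=25 !=5190}` into one rule per
    (port term, proto) pair: 2 x 2 = 4 rules, each evaluated independently."""
    rules = []
    for term in port_terms:
        for proto in protos:
            if term == "any":
                rules.append(Rule(action, proto, "any", 0))
            elif term.startswith("!="):
                rules.append(Rule(action, proto, "!=", int(term[2:])))
            else:
                rules.append(Rule(action, proto, "==", int(term)))
    return rules


def matches(rule, proto, dport):
    if rule.proto != proto:
        return False
    if rule.op == "any":
        return True
    return dport != rule.port if rule.op == "!=" else dport == rule.port


def evaluate(rules, proto, dport, default="block"):
    """Every rule here carries `quick`, so the first matching rule decides."""
    for rule in rules:
        if matches(rule, proto, dport):
            return rule.action
    return default


# The original poster's rule: each expanded rule negates only ONE port, so
# tcp/25 slips through the `!= 5190` rule and tcp/5190 through `!= 25`.
NEGATED_LIST = expand("pass", ["tcp", "udp"], ["!=25", "!=5190"])

# Max Laier's advice: block the unwanted ports explicitly, before the pass rule.
EXPLICIT_BLOCK = (expand("block", ["tcp", "udp"], ["25", "5190"])
                  + expand("pass", ["tcp", "udp"], ["any"]))
```

Running `evaluate(NEGATED_LIST, "tcp", 25)` returns "pass", while the same lookup against `EXPLICIT_BLOCK` returns "block" and port 80 still passes.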