From: Jonathan Horne <freebsd@dfwlp.com>
To: freebsd-questions@freebsd.org
Date: Wed, 30 May 2007 19:19:26 -0500
Subject: im new with pf
Message-Id: <200705301919.26630.freebsd@dfwlp.com>

I have a client who has a simple Linksys router, with ports 22, 25, 80 and 443 forwarded to a FreeBSD server I built for his small business. 25, 80 and 443 are obviously public services, but I'd like to limit access to 22 to the trusted internal network, and to the block of IPs I would be connecting from at my site.
Along with regulating port 22, I also need all other ports to work properly, since Samba is installed, and I don't want to mess with picking and choosing what ports will be in this config. I just need to limit access to port 22. Does something like this look acceptable if the above is my goal?

[pf.conf]
# definitions
ext_if=fxp0
client="192.168.1.0/24"
mynet="[outsideips]/29"
# the angle-bracketed table name was lost in the archive copy; <trusted> is a placeholder
table <trusted> { $client $mynet }

# rules start here
scrub in
block in all
pass quick on lo
antispoof quick for lo
pass in on $ext_if from <trusted> to ($ext_if) keep state
pass in on $ext_if proto tcp from any to ($ext_if) port { 25 80 443 } keep state
pass out all keep state
[/pf.conf]

Like I said, I need to allow local (and me, trusted) to anything, and anyone else just access to 25, 80 and 443. Thanks for any critiques and ideas.

--
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd@dfwlp.com
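An added example, not part of the original post: a small Python model of pf's rule-evaluation order (last matching rule wins unless a matching rule is "quick") applied to the inbound rules above, to check which sources actually reach port 22. It assumes the constructed prefix 203.0.113.0/29 in place of the poster's "[outsideips]/29" and models only the inbound pass/block rules, not scrub or antispoof.

```python
# Added example, not from the original post: a model of how pf walks the
# inbound rules above. pf semantics modelled: rules are tried in order and
# the LAST match wins, unless a matching "quick" rule ends evaluation at once.
import ipaddress

# Constructed stand-ins for the poster's macros; 203.0.113.0/29 is a
# documentation prefix standing in for "[outsideips]/29".
EXT_IF = "fxp0"
TRUSTED = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("203.0.113.0/29")]
PUBLIC_PORTS = {25, 80, 443}

def in_trusted(src):
    """Membership test for the <trusted> table."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED)

# (action, quick, matcher) in pf.conf order; a packet is a dict with
# keys iface, src, proto, dport.
RULES = [
    ("block", False, lambda p: True),                       # block in all
    ("pass", True, lambda p: p["iface"] == "lo0"),          # pass quick on lo
    ("pass", False, lambda p: p["iface"] == EXT_IF and in_trusted(p["src"])),
    ("pass", False, lambda p: (p["iface"] == EXT_IF and p["proto"] == "tcp"
                               and p["dport"] in PUBLIC_PORTS)),
]

def evaluate(pkt):
    """Return "pass" or "block" for one inbound packet."""
    verdict = "pass"  # pf's default when no rule matches at all
    for action, quick, matches in RULES:
        if matches(pkt):
            verdict = action
            if quick:
                break
    return verdict

def pkt(src, dport, iface=EXT_IF):
    """Build a constructed inbound TCP packet description."""
    return {"iface": iface, "src": src, "proto": "tcp", "dport": dport}

def port22_report():
    """Verdicts for a few constructed inbound connections."""
    return {
        "lan ssh": evaluate(pkt("192.168.1.10", 22)),
        "admin ssh": evaluate(pkt("203.0.113.3", 22)),
        "internet ssh": evaluate(pkt("198.51.100.7", 22)),
        "internet https": evaluate(pkt("198.51.100.7", 443)),
        "lan smb": evaluate(pkt("192.168.1.10", 445)),
        "loopback": evaluate(pkt("127.0.0.1", 22, "lo0")),
    }
```

This only checks rule ordering; the real syntax check on the box is `pfctl -nf /etc/pf.conf` before loading the ruleset.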