From: olli hauer <ohauer@gmx.de>
Date: Mon, 23 Nov 2009 17:22:41 +0100
To: Sife Mailling
Cc: freebsd-pf@freebsd.org
Subject: Re: block ip's and ports
Message-ID: <4B0AB6D1.2040206@gmx.de>
In-Reply-To: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Sife Mailling wrote:
> Salamo Alikom
> I set up a firewall for a personal home computer; now I want every packet
> blocked if it is not passed to the specified ports.
> This is my pf.conf:
>
> net_card="sis0"
> tcp_ports="{80 ,https ,domain ,auth ,21}"
> udp_ports="{domain}"
> table file "/etc/pf/banned"
> table {www.google.com}
> block in log (all) on $net_card proto {tcp ,udp} all
> pass in on $net_card proto tcp from any to any port $tcp_ports
> pass in on $net_card proto udp from any to any port $udp_ports
> pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
> block in on $net_card proto tcp from { , } to any port $tcp_ports
> pass out on $net_card proto tcp from any to any port $tcp_ports
> pass out on $net_card proto udp from any to any port $udp_ports
> pass out on $net_card inet proto tcp from any to any port ftp
> pass out on $net_card inet proto tcp from any to any port > 1023
>
> Now Skype works, and with both tables, banned and banned2, I can browse
> sites including them.

Try the quick keyword, so traffic is not allowed in later rules.
Additionally, disable outgoing traffic, since if you create a connection from
inside, a state which permits incoming traffic is created.

Example ordering:

table file "/etc/pf/banned"
table {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
block in quick on $net_card proto tcp from { , } \
    to any port $tcp_ports label blockin
block out quick on $net_card proto tcp from { , } \
    to any port $tcp_ports label blockout
pass in on $net_card proto tcp from any to any port $tcp_ports
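The two effects the reply relies on, last-match-wins versus quick and the state created by a passed outbound connection, as an added example that is not part of either post in this thread. It is a toy Python model of pf rule evaluation, not pf itself; the banned host, the inside address, the ports and the reduced rule sets are constructed, and the outbound ban is modelled as matching the banned hosts as destination.

```python
"""Toy model of the pf behaviour in this thread: the last matching rule wins unless
a matching rule is 'quick', and a flow passed outbound keeps state, so its inbound
replies never consult the rules. Hosts, ports and table contents are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src dst dport")
# src/dst/dport: frozensets of hosts or ports, None = any; quick: stop on match
Rule = namedtuple("Rule", "action direction proto src dst dport quick",
                  defaults=(None, None, None, False))

def evaluate(rules, p):
    """Last matching rule wins; 'quick' ends evaluation; no match means pass."""
    verdict = "pass"
    for r in rules:
        if (r.direction == p.direction and p.proto in r.proto
                and (r.src is None or p.src in r.src)
                and (r.dst is None or p.dst in r.dst)
                and (r.dport is None or p.dport in r.dport)):
            verdict = r.action
            if r.quick:
                break
    return verdict

def run(rules, packets):
    """pf's default 'keep state': replies of a passed outbound flow skip the rules."""
    states, verdicts = set(), []
    for p in packets:
        if p.direction == "in" and (p.proto, p.dst, p.src) in states:
            verdicts.append("pass (state)")
            continue
        verdicts.append(evaluate(rules, p))
        if verdicts[-1] == "pass" and p.direction == "out":
            states.add((p.proto, p.src, p.dst))
    return verdicts

BANNED = frozenset({"203.0.113.7"})          # constructed stand-in for the banned table
TCP, TCPUDP = frozenset({"tcp"}), frozenset({"tcp", "udp"})
TCP_PORTS = frozenset({80, 443, 53, 113, 21})
ORIGINAL = [  # question's ordering, reduced: the ban is inbound only and not 'quick'
    Rule("block", "in", TCPUDP),
    Rule("block", "in", TCP, src=BANNED, dport=TCP_PORTS),
    Rule("pass", "out", TCP, dport=TCP_PORTS)]
FIXED = [     # reply's idea: 'quick' bans in both directions before any pass
    Rule("block", "in", TCPUDP),
    Rule("block", "in", TCP, src=BANNED, dport=TCP_PORTS, quick=True),
    Rule("block", "out", TCP, dst=BANNED, dport=TCP_PORTS, quick=True),
    Rule("pass", "in", TCP, dport=TCP_PORTS)]

def browse_banned_site(rules):
    # inside host opens TCP/80 to a banned host, then the SYN-ACK comes back in
    return run(rules, [Packet("out", "tcp", "192.168.1.10", "203.0.113.7", 80),
                       Packet("in", "tcp", "203.0.113.7", "192.168.1.10", 51000)])
```

With ORIGINAL the outbound SYN is passed and the reply is accepted by state, so the inbound ban never fires; with FIXED the quick outbound block stops the flow before any state exists.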