Date: Mon, 23 Nov 2009 17:22:41 +0100
From: olli hauer <ohauer@gmx.de>
To: Sife Mailling <sife.mailling@yahoo.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: block ip's and ports
Message-ID: <4B0AB6D1.2040206@gmx.de>
In-Reply-To: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
References: <745127.92574.qm@web113110.mail.gq1.yahoo.com>
Sife Mailling wrote:
> Salamo Alikom
> I set up a firewall for a personal home computer; now I want every packet blocked if it does not go to the specified ports.
> This is my pf.conf:
>
> net_card="sis0"
> tcp_ports="{ 80, https, domain, auth, 21 }"
> udp_ports="{ domain }"
>
> table <banned> file "/etc/pf/banned"
> table <banned2> { www.google.com }
>
> block in log (all) on $net_card proto { tcp, udp } all
> pass in on $net_card proto tcp from any to any port $tcp_ports
> pass in on $net_card proto udp from any to any port $udp_ports
> pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
> block in on $net_card proto tcp from { <banned>, <banned2> } to any port $tcp_ports
> pass out on $net_card proto tcp from any to any port $tcp_ports
> pass out on $net_card proto udp from any to any port $udp_ports
> pass out on $net_card inet proto tcp from any to any port ftp
> pass out on $net_card inet proto tcp from any to any port > 1023
>
> Now Skype works, and for both tables banned and banned2 I can still browse sites, including the ones listed in them.
>

Try the quick keyword, so the traffic is not allowed again by later rules.
Additionally, disable the outgoing traffic: if you create a connection from
inside to <banned>, a state is created which then permits the incoming
traffic.

Example ordering:

table <banned> file "/etc/pf/banned"
table <banned2> { www.google.com }

block in log (all) on $net_card proto { tcp, udp } all

# quick: evaluation stops here, no later pass rule can override the block
block in quick on $net_card proto tcp from { <banned>, <banned2> } \
    to any port $tcp_ports label blockin

# outbound: the banned hosts are the destination, so match them with "to"
block out quick on $net_card proto tcp from any \
    to { <banned>, <banned2> } port $tcp_ports label blockout

pass in on $net_card proto tcp from any to any port $tcp_ports
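The behaviour olli's reply relies on (pf evaluates the whole ruleset and the last matching rule wins, `quick` stops evaluation at the first match, and a matching `pass` rule creates a state that lets the reply direction through without consulting the rules again) can be modelled in a few lines. The Python below is an added example, not code from this thread or from pf itself; the three rulesets paraphrase the TCP rules of the two pf.conf fragments above, the outbound block rule uses the banned hosts as destination, and the home host, banned address (from the RFC 5737 documentation range), ports and table contents are constructed.

```python
"""Toy model of pf rule evaluation (added example, not code from the thread).

Models: last matching rule wins; `quick` stops evaluation immediately; a
matching `pass` creates a state entry, and packets matching an existing
state (including the reply direction) bypass the ruleset entirely.
Addresses, ports and table contents are constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

PORTS = frozenset({80, 443, 53, 113, 21})   # $tcp_ports from the thread
TABLES = {"banned": {"203.0.113.5"}}        # constructed stand-in for <banned>
HOME = "192.168.1.10"                       # constructed home host
BANNED_IP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: str                      # "in" or "out"
    quick: bool = False
    src: Optional[str] = None           # None = any, "<table>" or a CIDR
    dst: Optional[str] = None
    dports: Optional[frozenset] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and _addr_match(self.src, pkt.src)
                and _addr_match(self.dst, pkt.dst)
                and (self.dports is None or pkt.dport in self.dports))


def _addr_match(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    if spec.startswith("<"):                      # table reference
        return addr in TABLES[spec.strip("<>")]
    return ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def filter(self, pkt: Packet) -> str:
        """Return 'pass', 'pass(state)' or 'block' for one packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reverse in self.states:
            return "pass(state)"          # state lookup precedes the ruleset
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule             # last match wins ...
                if rule.quick:
                    break                 # ... unless the match is quick
        action = winner.action if winner else "pass"   # pf default: pass
        if action == "pass":
            self.states.add(key)          # pass rules keep state by default
        return action


def simulate(rules) -> tuple:
    """Outbound SYN from the home host to a banned web server, then its reply."""
    fw = Firewall(rules)
    syn = Packet("out", HOME, 51000, BANNED_IP, 80)
    reply = Packet("in", BANNED_IP, 80, HOME, 51000)
    return fw.filter(syn), fw.filter(reply)


# The original poster's ruleset (TCP rules only, same order as the mail).
ORIGINAL = [
    Rule("block", "in"),
    Rule("pass", "in", dports=PORTS),
    Rule("pass", "in", src="192.168.0.0/16", dst="192.168.0.0/16"),
    Rule("block", "in", src="<banned>", dports=PORTS),
    Rule("pass", "out", dports=PORTS),
    Rule("pass", "out", dports=frozenset(range(1024, 65536))),
]

# olli's ordering: quick block rules in both directions before the pass rules.
QUICK_BLOCKS = [
    Rule("block", "in"),
    Rule("block", "in", quick=True, src="<banned>", dports=PORTS),
    Rule("block", "out", quick=True, dst="<banned>", dports=PORTS),
    Rule("pass", "in", dports=PORTS),
    Rule("pass", "out", dports=PORTS),
    Rule("pass", "out", dports=frozenset(range(1024, 65536))),
]

# Same rules without quick: the later `pass out` is the last match and wins.
NO_QUICK = [replace(r, quick=False) for r in QUICK_BLOCKS]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("quick", QUICK_BLOCKS), ("no quick", NO_QUICK)]:
        syn, reply = simulate(rules)
        print(f"{name:9s} SYN out -> {syn:12s} reply in -> {reply}")
```

Running it shows the three outcomes: with the original ruleset the outbound SYN is passed and the reply is accepted via state, which is why the banned sites were still reachable; with the quick block rules both the SYN and the reply are blocked; with the same block rules but no `quick`, the later `pass out` rule is the last match and the connection goes through again.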
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B0AB6D1.2040206>