From: Lisa Muir <34.24.34@gmail.com>
To: Gary Palmer
Cc: freebsd-pf@freebsd.org
Date: Thu, 14 Feb 2013 20:56:31 +0000
In-Reply-To: <20130214200438.GA85777@in-addr.com>
Subject: Re: Releasing all outgoing ports for a particular IP.

On Thu, Feb 14, 2013 at 8:04 PM, Gary Palmer wrote:
> Hi Lisa,
>
> I believe you should look at PF tags. If you tag the traffic coming in with the
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
>
> rule, you should then be able to use that in your ext_if rule to ensure
> only those packets are let out
>
> e.g.
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports tag MAILSERVER
> pass out quick on $ext_if tagged MAILSERVER

Excellent... exactly what I was hoping for, and it might even solve my UDP dilemma.

I have

CC_UDP = "{15000:15200}"

and then a redirect rule:

rdr on $ext_if proto udp from any to $ext_if port $CC_UDP -> $lm_laptop

and then a pass rule to let it through:

pass quick proto udp from any to any port $CC_UDP

My initial instinct was to confine the pass rule from any to $lm_laptop, but the packets don't forward, presumably because UDP is connectionless and, bar the forward, there is nothing in the UDP packets that specifies an IP-based destination.

I'm going to try tagging these packets also and see if I can refine the pass rule accordingly.

Big thanks for this heads up.

Lisa.
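The following pf.conf fragment is an added example, not part of this thread or of the FreeBSD project's own configuration. It puts Gary's tag/tagged pattern next to Lisa's UDP redirect so the two rule sets can be read together. The interface names, the addresses, the mail port list and the placement of the laptop behind $vlan4_if are assumptions for illustration; the macros $ext_if, $vlan4_if, $emailserver, $lm_laptop, $all_ports and $CC_UDP and the tag name MAILSERVER come from the thread, and the tag name CCUDP is invented here. The syntax is the pre-FreeBSD 10 rdr form the thread uses.

```pf
# Added example; names and addresses below are assumptions, not the poster's.
ext_if      = "em0"
vlan4_if    = "vlan4"
emailserver = "192.0.2.25"          # constructed address
lm_laptop   = "192.0.2.50"          # constructed address, assumed to sit behind $vlan4_if
all_ports   = "{ 25, 465, 587 }"    # assumed mail ports
CC_UDP      = "{ 15000:15200 }"

# rdr runs before the filter rules: by the time pass rules are evaluated,
# the inbound UDP packet already carries $lm_laptop as its destination.
rdr on $ext_if proto udp from any to $ext_if port $CC_UDP -> $lm_laptop

# Default deny on the external interface; only traffic that carries a tag leaves.
block log on $ext_if

# Outbound mail (Gary's suggestion): tag on the inside interface where the
# source is known, then let only tagged packets out. Nothing else from
# $vlan4_if reaches the outside through $ext_if.
pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports tag MAILSERVER
pass out quick on $ext_if tagged MAILSERVER

# Redirected UDP: tag the translated inbound packet and forward it to the
# laptop only when the tag is present. Matching the destination against
# $lm_laptop is possible here because rdr has already rewritten it.
pass in quick on $ext_if proto udp from any to $lm_laptop port $CC_UDP tag CCUDP
pass out quick on $vlan4_if proto udp tagged CCUDP
```

Two points worth checking on a live box. First, pf rules keep state by default, so the laptop's UDP replies match the state created by the tagged inbound pass and need no separate rule. Second, the pass rules for the redirected range are written against the post-translation destination ($lm_laptop) rather than "any to any", which is the narrowest match available; `pfctl -s rules -v` shows the per-rule packet counters, which is the quickest way to confirm that packets are hitting the tagged rules rather than falling through to the block.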