From: "Jason V. Miller"
To: kalin m
Cc: freebsd-security@freebsd.org
Date: Fri, 22 Jan 2010 08:35:45 -0700
Subject: Re: pf rules
Message-ID: <20100122153545.GA23548@mail.securityfocus.com>
In-Reply-To: <4B5958E2.9010509@el.net>

Others have already given some good feedback (and asked some good questions), but:

> pass out all keep state

You're allowing out the initial TCP SYN, and creating a state entry for the connection here. You should be able to make outgoing connections anywhere with this rule. Once a state entry gets created, the state table will match on the traffic for the session, and the rules list won't have to be evaluated.

J.

--
Jason V. Miller
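As an added illustration, not part of Jason's mail or the original poster's ruleset, here is a minimal FreeBSD pf.conf that puts the rule in context: a default deny, the broad outbound rule as quoted, and a narrower equivalent that only creates state on the packet that opens a TCP session. The interface name em0 is an assumption.

```pf
# Added example, not from the original thread. Interface name is assumed.
ext_if = "em0"

# Default-deny in both directions; log the drops so blocked traffic can be reviewed.
block log all

# The rule from the thread: the initial outbound TCP SYN matches here, pf creates
# a state entry, and every later packet of that session is matched from the state
# table, so the ruleset is not evaluated again for it.
pass out all keep state

# Narrower form of the same idea: create state only for packets that open a TCP
# session (SYN set, ACK clear), and handle UDP/ICMP with their own state entries.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto { udp icmp } all keep state

# Inbound, by contrast, is opened only where explicitly listed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
```

After loading this with `pfctl -f /etc/pf.conf`, `pfctl -s state` lists the entries created for outgoing connections, and `pfctl -s rules -v` shows per-rule evaluation and match counters, which makes it visible that only the first packet of a session hits the `pass out` rule.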