From owner-freebsd-pf@FreeBSD.ORG  Mon Jul 21 09:31:56 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EA7C11065670
	for <freebsd-pf@freebsd.org>; Mon, 21 Jul 2008 09:31:56 +0000 (UTC)
	(envelope-from artemrts@ukr.net)
Received: from ffe4.ukr.net (ffe4.ukr.net [195.214.192.17])
	by mx1.freebsd.org (Postfix) with ESMTP id 95ECB8FC0A
	for <freebsd-pf@freebsd.org>; Mon, 21 Jul 2008 09:31:56 +0000 (UTC)
	(envelope-from artemrts@ukr.net)
Received: from mail by ffe4.ukr.net with local ID 1KKrMR-000LUN-ID
	for freebsd-pf@freebsd.org; Mon, 21 Jul 2008 12:07:15 +0300
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
From: "Vitaliy Vladimirovich" <artemrts@ukr.net>
X-Life: is great, enjoy it!
X-Mailer: freemail.ukr.net mPOP 3.4.1
X-Originating-Ip: [194.0.148.10]
X-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
	rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16
Message-Id: <E1KKrMR-000LUN-ID@ffe4.ukr.net>
Date: Mon, 21 Jul 2008 12:07:15 +0300
X-UkrNet-Flag: 1
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: PF and blocking of some ports
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2008 09:31:57 -0000

Hi,  
  
 I have question about blocking some ports for LAN users.  
  
 Below a part of my pf.conf:  
  
  
nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0  
  
pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP  
pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp 53  
  
  
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP  
pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53  
  
  
All works fine. But when I wish block not only 25 port and 5190 or some others ports, blocking does not occur.  
And I can connect to 25 port to any host in Internet from any computer in local network.  
  
Rules, which I try to use:  
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP  
  
Please, tell me where is my mistake?  
  
Thanks.