From: Alex Popa <razor@dataxnet.ro>
To: freebsd-stable@FreeBSD.org
Date: Sun, 16 Mar 2008 23:45:27 +0200
Subject: Re: Lock Order Reversal on 7.0-STABLE with pf and ipfw / dummynet (extra extra details - config files)
Message-ID: <20080316214527.GA72271@dataxnet.ro>
In-Reply-To: <20080315123710.GA6773@dataxnet.ro>
References: <20080314192359.GA4677@dataxnet.ro> <20080315123710.GA6773@dataxnet.ro>
User-Agent: Mutt/1.4.2.2i

Attached are pf.conf and ipfw.txt. The former is loaded by the standard
means, and the latter is loaded via

    ipfw -q /path/to/ipfw.txt

Some comments:

I've anonymized the files. Addresses in the 10.0.0.0/8 range stand for
"internal" IP addresses, meaning one /27 and three /24 networks, and
addresses in the 192.168.0.0/16 range stand for addresses on the directly
connected "external" networks, meaning the 2 fibers to the ISP. Also I've
junked all but the last byte of MAC addresses in ipfw.

I know the ipfw setup looks scary, but worst case a layer2 packet (I should
say frame) gets checked against 38 rules (39 if it's dropped). I could
probably optimize a few more rules out of this, but I'm not sure it's worth
the effort. For layer3 I haven't counted, but I doubt it's more than 10
rules (more likely 6-7).

Tables "metro" and "special" in pf are controlled by OpenBGPD. They are
synced to ipfw tables 1 and 2 respectively, by cron jobs that run every 3
minutes and only make the necessary changes.

ipfw rules below the "DO NOT EDIT" line are automatically generated from a
database of IP/MAC mappings. This can change asynchronously and can cause
the script to be regenerated and run. The classification is supposed to
speed things up a little, by not comparing a MAC address against all hosts
in its subnet, but only against sqrt(hosts) other IPs and another
sqrt(hosts) IP/MAC pairs. [and it's not exactly sqrt, but about half of the
bits in the host part of the IP address]

Have fun

Alex

--
"Computer science is no more about computers than astronomy is about
telescopes" -- E. W. Dijkstra


Content-Disposition: attachment; filename="ipfw.txt"

# Move the live rules to set 1 and build the new ones in the (disabled)
# set 0; the last two lines of this file enable set 0 and delete set 1,
# so the whole ruleset is swapped in one step.
set move 0 to 1
set disable 0

# scary stuff, allow arp
add 10 allow mac-type 0x0806
# filter MAC on input
add 10 skipto 100 in recv em0 layer2
add 11 allow out xmit em0 layer2
add 12 allow in layer2
add 13 allow out layer2

# em0 - internal
add 20 skipto 22000 in recv em0
add 25 allow out xmit em0
# em1 - external 1 - shape on 20000 (in) / 20500 (out)
add 30 skipto 20000 in recv em1
add 35 skipto 20500 out xmit em1
# bge0 - extern 2 - shape on 21000 (in) / 21500 (out)
add 40 skipto 21000 in recv bge0
add 45 skipto 21500 out xmit bge0

add 90 allow ip from any to any via lo0
add 95 allow ip from any to any

-f zero

#
# TABLES
#
# 1 - metro
# 2 - special
# 10 - internal (all)
# 11 - internal - routing external 1 (em1)
# 12 - internal - routing external 2 (bge0)
# 100 bandwidth A
# 101 bandwidth B
# 120, 121, 122 : this server: All IPs, IP bw A, IP bw B
# NOTE: tables 1 and 2 are synchronized to pf tables named
# "metro" and "special" by a script which runs every 3 minutes
table 10 flush
table 10 add 10.0.10.0/27
table 10 add 10.0.20.0/24
table 10 add 10.0.30.0/24
table 10 add 10.0.40.0/24
table 10 add 192.168.11.11
table 10 add 192.168.22.22
table 11 flush
table 11 add 10.0.20.0/24
table 11 add 10.0.40.0/24
table 11 add 192.168.11.11
table 11 add 192.168.22.22
table 12 flush
table 12 add 10.0.10.0/27
table 12 add 10.0.30.0/24
table 100 flush
table 100 add 10.0.20.0/24
table 100 add 10.0.30.0/24
table 100 add 10.0.40.0/24
table 100 add 192.168.11.11
table 101 flush
table 101 add 10.0.10.0/27
table 101 add 192.168.22.22
table 120 flush
table 120 add 10.0.10.1
table 120 add 10.0.20.1
table 120 add 10.0.30.1
table 120 add 192.168.33.33
table 120 add 192.168.11.11
table 120 add 192.168.22.22
table 121 flush
table 121 add 10.0.20.1
table 121 add 10.0.30.1
table 121 add 10.0.40.1
table 121 add 192.168.11.11
table 122 flush
table 122 add 10.0.10.1
table 122 add 192.168.33.33
table 122 add 192.168.22.22

#
# PIPES and QUEUES
#
-f pipe flush
# bw A - in 1/out 2
pipe 1 config bw 4500kbits/s
queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff
pipe 2 config bw 200kbits/s mask src-ip 0xffffffff
# bw B - in 3/out 4
pipe 3 config bw 1000kbits/s
queue 3 config pipe 3 weight 10 mask dst-ip 0xffffffff
pipe 4 config bw 1000kbits/s
queue 4 config pipe 4 weight 10 mask src-ip 0xffffffff
# external interface 1 (em1) - 11 in/12 out
pipe 11 config bw 95Mbits/s queue 100
queue 11 config pipe 11 weight 10 mask dst-ip 0xffffffff queue 100
pipe 12 config bw 95Mbits/s queue 100
queue 12 config pipe 12 weight 10 mask src-ip 0xffffffff queue 100
# external interface 2 (bge0) - 21 in/22 out
pipe 21 config bw 95Mbits/s queue 100
queue 21 config pipe 21 weight 10 mask dst-ip 0xffffffff queue 100
pipe 22 config bw 95Mbits/s queue 100
queue 22 config pipe 22 weight 10 mask src-ip 0xffffffff queue 100

###
#
# Shaping - check order: Metro / Special / A / B (3 in, 3 out)
#
###
# em1 - ext 1 shaping - 20000/20500
add 20000 queue 11 ip from table(1) to any
add 20005 queue 11 ip from table(2) to any
add 20010 queue 1 ip from any to table(100)
add 20010 queue 3 ip from any to table(101)
add 20499 allow ip from any to any
# only shape locally-generated traffic here,
# the rest is matched on entry [em0]
add 20500 queue 12 ip from table(120) to table(1)
add 20505 queue 12 ip from table(120) to table(2)
add 20510 pipe 2 ip from table(121) to any
add 20515 queue 4 ip from table(122) to any
add 20999 allow ip from any to any
# bge0 - ext 2 shaping - 21000/21500
add 21000 queue 21 ip from table(1) to any
add 21005 queue 21 ip from table(2) to any
add 21010 queue 1 ip from any to table(100)
add 21015 queue 3 ip from any to table(101)
add 21499 allow ip from any to any
# same as external 1, only locally generated
add 21500 queue 22 ip from table(120) to table(1)
add 21505 queue 22 ip from table(120) to table(2)
add 21510 pipe 2 ip from table(121) to any
add 21515 queue 4 ip from table(122) to any
add 21999 allow ip from any to any

# em0 - internal
# from internal to internal - no limit - yay for gigabit
add 22000 allow ip from table(10) to table(10)
add 22005 allow ip from table(10) to 127.0.0.1
# from internal to "external" but it goes to the proxy on this machine - don't double shape
add 22050 allow tcp from table(10) to any 80
add 22055 allow tcp from table(10) to 127.0.0.1 8000
## special - from any source packets will be routed out external 1 so count in that queue
add 22100 queue 12 ip from any to table(2)
## metro - some sources are counted against external 1, others against external 2
add 22105 queue 12 ip from table(11) to table(1)
add 22110 queue 22 ip from table(12) to table(1)
# non-metro, go to slow pipes
add 22115 pipe 2 ip from table(100) to any
add 22120 queue 4 ip from table(101) to any
# this rule should always have its counters at 0 or something's missing above
add 22499 allow ip from any to any

# DO NOT EDIT BELOW THIS LINE! - AUTO GENERATED
# Level 0: pick the subnet (100-103), deny anything else (104)
add 100 skipto 1000 ip from 10.0.10.0/27 to any
add 101 skipto 1100 ip from 10.0.20.0/24 to any
add 102 skipto 1200 ip from 10.0.30.0/24 to any
add 103 skipto 1300 ip from 10.0.40.0/24 to any
# Level 1: pick the bucket inside the subnet (/29s for the /27, /28s for the /24s)
add 1000 skipto 2000 ip from 10.0.10.0/29 to any
add 1001 skipto 2100 ip from 10.0.10.8/29 to any
add 1002 skipto 2200 ip from 10.0.10.16/29 to any
add 1003 skipto 2300 ip from 10.0.10.24/29 to any
add 1100 skipto 2400 ip from 10.0.20.0/28 to any
add 1101 skipto 2500 ip from 10.0.20.16/28 to any
add 1102 skipto 2600 ip from 10.0.20.32/28 to any
add 1103 skipto 2700 ip from 10.0.20.48/28 to any
add 1104 skipto 2800 ip from 10.0.20.64/28 to any
add 1105 skipto 2900 ip from 10.0.20.80/28 to any
add 1106 skipto 3000 ip from 10.0.20.96/28 to any
add 1107 skipto 3100 ip from 10.0.20.112/28 to any
add 1108 skipto 3200 ip from 10.0.20.128/28 to any
add 1109 skipto 3300 ip from 10.0.20.144/28 to any
add 1110 skipto 3400 ip from 10.0.20.160/28 to any
add 1111 skipto 3500 ip from 10.0.20.176/28 to any
add 1112 skipto 3600 ip from 10.0.20.192/28 to any
add 1113 skipto 3700 ip from 10.0.20.208/28 to any
add 1114 skipto 3800 ip from 10.0.20.224/28 to any
add 1115 skipto 3900 ip from 10.0.20.240/28 to any
add 1200 skipto 4000 ip from 10.0.30.0/28 to any
add 1201 skipto 4100 ip from 10.0.30.16/28 to any
add 1202 skipto 4200 ip from 10.0.30.32/28 to any
add 1203 skipto 4300 ip from 10.0.30.48/28 to any
add 1204 skipto 4400 ip from 10.0.30.64/28 to any
add 1205 skipto 4500 ip from 10.0.30.80/28 to any
add 1206 skipto 4600 ip from 10.0.30.96/28 to any
add 1207 skipto 4700 ip from 10.0.30.112/28 to any
add 1208 skipto 4800 ip from 10.0.30.128/28 to any
add 1209 skipto 4900 ip from 10.0.30.144/28 to any
add 1210 skipto 5000 ip from 10.0.30.160/28 to any
add 1211 skipto 5100 ip from 10.0.30.176/28 to any
add 1212 skipto 5200 ip from 10.0.30.192/28 to any
add 1213 skipto 5300 ip from 10.0.30.208/28 to any
add 1214 skipto 5400 ip from 10.0.30.224/28 to any
add 1215 skipto 5500 ip from 10.0.30.240/28 to any
add 1300 skipto 5600 ip from 10.0.40.0/28 to any
add 1301 skipto 5700 ip from 10.0.40.16/28 to any
add 1302 skipto 5800 ip from 10.0.40.32/28 to any
add 1303 skipto 5900 ip from 10.0.40.48/28 to any
add 1304 skipto 6000 ip from 10.0.40.64/28 to any
add 1305 skipto 6100 ip from 10.0.40.80/28 to any
add 1306 skipto 6200 ip from 10.0.40.96/28 to any
add 1307 skipto 6300 ip from 10.0.40.112/28 to any
add 1308 skipto 6400 ip from 10.0.40.128/28 to any
add 1309 skipto 6500 ip from 10.0.40.144/28 to any
add 1310 skipto 6600 ip from 10.0.40.160/28 to any
add 1311 skipto 6700 ip from 10.0.40.176/28 to any
add 1312 skipto 6800 ip from 10.0.40.192/28 to any
add 1313 skipto 6900 ip from 10.0.40.208/28 to any
add 1314 skipto 7000 ip from 10.0.40.224/28 to any
add 1315 skipto 7100 ip from 10.0.40.240/28 to any
# Catch-all denies: one per subnet (xx99) and one per bucket (base+99)
add 104 deny ip from any to any
add 1099 deny ip from any to any
add 1199 deny ip from any to any
add 1299 deny ip from any to any
add 1399 deny ip from any to any
add 2099 deny ip from any to any
add 2199 deny ip from any to any
add 2299 deny ip from any to any
add 2399 deny ip from any to any
add 2499 deny ip from any to any
add 2599 deny ip from any to any
add 2699 deny ip from any to any
add 2799 deny ip from any to any
add 2899 deny ip from any to any
add 2999 deny ip from any to any
add 3099 deny ip from any to any
add 3199 deny ip from any to any
add 3299 deny ip from any to any
add 3399 deny ip from any to any
add 3499 deny ip from any to any
add 3599 deny ip from any to any
add 3699 deny ip from any to any
add 3799 deny ip from any to any
add 3899 deny ip from any to any
add 3999 deny ip from any to any
add 4099 deny ip from any to any
add 4199 deny ip from any to any
add 4299 deny ip from any to any
add 4399 deny ip from any to any
add 4499 deny ip from any to any
add 4599 deny ip from any to any
add 4699 deny ip from any to any
add 4799 deny ip from any to any
add 4899 deny ip from any to any
add 4999 deny ip from any to any
add 5099 deny ip from any to any
add 5199 deny ip from any to any
add 5299 deny ip from any to any
add 5399 deny ip from any to any
add 5499 deny ip from any to any
add 5599 deny ip from any to any
add 5699 deny ip from any to any
add 5799 deny ip from any to any
add 5899 deny ip from any to any
add 5999 deny ip from any to any
add 6099 deny ip from any to any
add 6199 deny ip from any to any
add 6299 deny ip from any to any
add 6399 deny ip from any to any
add 6499 deny ip from any to any
add 6599 deny ip from any to any
add 6699 deny ip from any to any
add 6799 deny ip from any to any
add 6899 deny ip from any to any
add 6999 deny ip from any to any
add 7099 deny ip from any to any
add 7199 deny ip from any to any

# This comment doesn't exist in the original file.
# A few hundred lines below have been deleted, but you should get the idea.
# Note rule numbers aren't in order, they depend on how the IP
# addresses are pulled out of the DB
# Level 2: one pass rule per host at bucket base + host offset, matched on IP and MAC
add 2004 pass ip from 10.0.10.4 to any mac any 00:de:ad:be:ef:01
add 2201 pass ip from 10.0.10.17 to any mac any 00:de:ad:be:ef:ff
add 2206 pass ip from 10.0.10.22 to any mac any 00:de:ad:be:ef:cd
add 2412 pass ip from 10.0.20.12 to any mac any 00:de:ad:be:ef:c3
add 2415 pass ip from 10.0.20.15 to any mac any 00:de:ad:be:ef:25
add 2515 pass ip from 10.0.20.31 to any mac any 00:de:ad:be:ef:7d
add 2604 pass ip from 10.0.20.36 to any mac any 00:de:ad:be:ef:97
add 2702 pass ip from 10.0.20.50 to any mac any 00:de:ad:be:ef:15
add 2705 pass ip from 10.0.20.53 to any mac any 00:de:ad:be:ef:0d
add 2802 pass ip from 10.0.20.66 to any mac any 00:de:ad:be:ef:a6
add 2905 pass ip from 10.0.20.85 to any mac any 00:de:ad:be:ef:de
add 3012 pass ip from 10.0.20.108 to any mac any 00:de:ad:be:ef:c7
add 3015 pass ip from 10.0.20.111 to any mac any 00:de:ad:be:ef:a3
add 3201 pass ip from 10.0.20.129 to any mac any 00:de:ad:be:ef:d8
add 3207 pass ip from 10.0.20.135 to any mac any 00:de:ad:be:ef:5b
add 3304 pass ip from 10.0.20.148 to any mac any 00:de:ad:be:ef:bb
add 3307 pass ip from 10.0.20.151 to any mac any 00:de:ad:be:ef:f5
add 3407 pass ip from 10.0.20.167 to any mac any 00:de:ad:be:ef:5c
add 3410 pass ip from 10.0.20.170 to any mac any 00:de:ad:be:ef:0b
add 3513 pass ip from 10.0.20.189 to any mac any 00:de:ad:be:ef:cd
add 3600 pass ip from 10.0.20.192 to any mac any 00:de:ad:be:ef:85
add 3702 pass ip from 10.0.20.210 to any mac any 00:de:ad:be:ef:21
add 3706 pass ip from 10.0.20.214 to any mac any 00:de:ad:be:ef:4c
add 3806 pass ip from 10.0.20.230 to any mac any 00:de:ad:be:ef:08
add 3809 pass ip from 10.0.20.233 to any mac any 00:de:ad:be:ef:fc
add 4002 pass ip from 10.0.30.2 to any mac any 00:de:ad:be:ef:1e
add 4005 pass ip from 10.0.30.5 to any mac any 00:de:ad:be:ef:86
add 4102 pass ip from 10.0.30.18 to any mac any 00:de:ad:be:ef:55
add 4206 pass ip from 10.0.30.38 to any mac any 00:de:ad:be:ef:fe
add 4303 pass ip from 10.0.30.51 to any mac any 00:de:ad:be:ef:e0
add 4306 pass ip from 10.0.30.54 to any mac any 00:de:ad:be:ef:7a
add 4405 pass ip from 10.0.30.69 to any mac any 00:de:ad:be:ef:e5
add 4410 pass ip from 10.0.30.74 to any mac any 00:de:ad:be:ef:bd
add 4510 pass ip from 10.0.30.90 to any mac any 00:de:ad:be:ef:6d
add 4700 pass ip from 10.0.30.112 to any mac any 00:de:ad:be:ef:8d
add 4802 pass ip from 10.0.30.130 to any mac any 00:de:ad:be:ef:cd
add 4912 pass ip from 10.0.30.156 to any mac any 00:de:ad:be:ef:48
add 5010 pass ip from 10.0.30.170 to any mac any 00:de:ad:be:ef:52
add 5014 pass ip from 10.0.30.174 to any mac any 00:de:ad:be:ef:36
add 5113 pass ip from 10.0.30.189 to any mac any 00:de:ad:be:ef:56
add 5407 pass ip from 10.0.30.231 to any mac any 00:de:ad:be:ef:b4
add 5508 pass ip from 10.0.30.248 to any mac any 00:de:ad:be:ef:5d
add 5511 pass ip from 10.0.30.251 to any mac any 00:de:ad:be:ef:68
add 5714 pass ip from 10.0.40.30 to any mac any 00:de:ad:be:ef:81
add 5801 pass ip from 10.0.40.33 to any mac any 00:de:ad:be:ef:15
add 7015 pass ip from 10.0.40.239 to any mac any 00:de:ad:be:ef:3e
add 7103 pass ip from 10.0.40.243 to any mac any 00:de:ad:be:ef:b1
add 2508 pass ip from 10.0.20.24 to any mac any 00:de:ad:be:ef:95
add 2603 pass ip from 10.0.20.35 to any mac any 00:de:ad:be:ef:d0
add 3607 pass ip from 10.0.20.199 to any mac any 00:de:ad:be:ef:20
add 3705 pass ip from 10.0.20.213 to any mac any 00:de:ad:be:ef:6e
add 5006 pass ip from 10.0.30.166 to any mac any 00:de:ad:be:ef:f7
add 5208 pass ip from 10.0.30.200 to any mac any 00:de:ad:be:ef:15
add 7008 pass ip from 10.0.40.232 to any mac any 00:de:ad:be:ef:7d
add 7102 pass ip from 10.0.40.242 to any mac any 00:de:ad:be:ef:bb
add 7114 pass ip from 10.0.40.254 to any mac any 00:de:ad:be:ef:30

# activate the new ruleset and drop the old one
set enable 0
delete set 1


Content-Disposition: attachment; filename="pf.txt"

# NOTE: the table names in angle brackets (<name>) were lost in the archived
# copy of this file; the "table { ... }" definitions and the rules that read
# "from to ..." originally referenced named tables.
ext_if0="em1"
ext_if1="bge0"
ext_ifaces="{em1, bge0}"
int_if="em0"
internal_net_1="10.0.10.0/27"
internal_ip0="10.0.10.1"
internal_net_2="10.0.20.0/24"
internal_ip1="10.0.20.1"
internal_net_3="10.0.30.0/24"
internal_ip2="10.0.30.1"
internal_net_4="10.0.40.0/24"
internal_ip3="10.0.40.1"
external_ip0="192.168.11.11"
external_ip1="192.168.22.22"
external1_ip="192.168.33.33"
external_router="192.168.11.1"
external_router1="192.168.22.1"
localhost="127.0.0.1"

set timeout { tcp.closing 600, tcp.finwait 30, tcp.closed 60 }
set limit { states 50000, frags 15000 }
set skip on lo0

table { 10.0.10.1, 10.0.20.1, 10.0.30.1, 10.0.40.1, 192.168.11.11, 192.168.22.22, 192.168.33.33 } persist
table { 10.0.10.1, 10.0.30.1, 10.0.20.1, 10.0.40.1 }
table { 10.0.10.0/27, 10.0.30.0/24, 10.0.20.0/24, 10.0.40.0/24 }
table persist
table persist
table { 10.0.30.123 } persist
# Prevent UCE issues - no outgoing SMTP from these
table persist { 10.0.30.0/24, 10.0.40.0/24, 10.0.20.14, 10.0.20.20, 10.0.20.200 }
table persist { 10.0.30.30, 10.0.30.130, 10.0.40.40, 10.0.40.140 }
table { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.0/30 }
# users with malware, force them to clean up - redirect to "call us" page
table persist file "/etc/ip-force-clean"

# force-clean
rdr on $int_if proto tcp from to any port 80 -> $localhost port 81
rdr on $int_if proto tcp from to port 8000 -> $localhost port 81
no rdr on $int_if proto tcp from any to port 80
no rdr on $int_if proto tcp from to any port 80
no rdr on $int_if proto tcp from any to port 80
no rdr on $int_if proto tcp from any to port 80
rdr on $int_if proto tcp from any to any port 80 -> $localhost port 8000

## oops, this is really old here, keeping it just for the sake of full reporting
anchor "temptest"

# malware gets no traffic from the outside
block in quick on $ext_if0 from any to
block in quick on $ext_if1 from any to

# this server
block in log from any to
pass out from to any keep state

# public services
pass in log proto icmp from any to
pass in log proto tcp from any to port 53 keep state
pass in proto udp from any to port 53 keep state
pass in log proto tcp from any to port 80 keep state
pass in log proto tcp from any to port 443 keep state

# ssh - this server and 10.0.10.12 are restricted
pass in log proto tcp from to port 22 keep state label "ssh"
block in log proto tcp from any to 10.0.10.12 port 22
pass in log proto tcp from to 10.0.10.12 port 22 keep state label "ssh"
pass in log proto tcp from to 10.0.10.12 port 22 keep state label "ssh"

# allow access to the proxy
pass in proto tcp from to port 8000 keep state
pass in proto tcp from to $localhost port 8000 keep state

# port 25 policy - a bit hairy
pass in log proto tcp from any to any port = 25 keep state
pass in quick log proto tcp from to any port = 25 keep state
pass in quick log proto tcp from 10.0.10.28 to 10.0.10.1 port = 25 keep state
# block side
block in quick log proto tcp from to any port = 25
block in quick log proto tcp from to any port = 25

# Policy routing
# first rule commented for the last 3 months
# pass out on $ext_if0 route-to ($ext_if1 $external_router1) from $internal_net_1 to ! keep state
pass out on $ext_if0 fastroute from $internal_net_1 to keep state
pass in on $int_if fastroute from $internal_net_1 to $localhost keep state
pass out on $ext_if0 route-to ($ext_if1 $external_router1) from $internal_net_2 to ! keep state
pass out on $ext_if0 fastroute from $internal_net_2 to keep state
pass in on $int_if fastroute from $internal_net_2 to $localhost keep state
pass in on $int_if fastroute from $internal_net_3 to $localhost keep state
pass in on $int_if fastroute from $internal_net_4 to $localhost keep state
# Explanation for the rules above:
#
# Net 1 used to be routed via external1, but it's no longer the case (only half of its policy routing is commented out).
#
# Most net 2 traffic goes out via external1 interface, except localhost (transparent proxy causes localhost traffic) and
# traffic to "special" which should use the normal route - hence the "fastroute".

# force-clean -> warning, plus ping and DNS
block in on $int_if from to any
pass in on $int_if proto tcp from to $localhost port 81 keep state
pass in on $int_if proto icmp from to
pass in on $int_if proto udp from to port 53
pass in on $int_if proto tcp from to port 53

# just a good idea
block in proto udp from any to any port 137:139
block in proto tcp from any to any port 137:139
block in proto tcp from any to any port 135
block in proto tcp from any to any port 445
block in proto udp from any to any port 1434
block in proto udp from any to any port 1433
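The "AUTO GENERATED" part of ipfw.txt follows a fixed numbering scheme: rule 100+i sends each subnet to 1000+100*i, that level splits the subnet into buckets on about half of its host bits (/29s for the /27, /28s for the /24s) and sends bucket k to 2000+100*k, and each host gets a pass rule at its bucket's base plus its offset inside the bucket, with a deny at xx99 of every level. This added example is not Alex's generator; it rebuilds that scheme in Python from a constructed IP/MAC list, so you can see how many rules a frame is actually compared against and verify that an unknown host always hits a deny.

```python
import ipaddress

# Constructed sample rows from an IP/MAC "database"; not the poster's real data.
MAPPINGS = [
    ("10.0.10.4", "00:de:ad:be:ef:01"),
    ("10.0.20.189", "00:de:ad:be:ef:cd"),
    ("10.0.40.239", "00:de:ad:be:ef:3e"),
]
# The four internal networks from the posted ipfw.txt.
SUBNETS = ["10.0.10.0/27", "10.0.20.0/24", "10.0.30.0/24", "10.0.40.0/24"]


def bucket_prefixlen(net):
    """Split the host bits roughly in half: a /27 gives /29 buckets, a /24 gives /28 buckets."""
    return net.prefixlen + (32 - net.prefixlen) // 2


def build_buckets(subnets):
    """Return the subnet list and a {bucket: base rule number} map; bases count globally from 2000."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    bucket_base = {}
    k = 0
    for net in nets:
        for bucket in net.subnets(new_prefix=bucket_prefixlen(net)):
            bucket_base[bucket] = 2000 + 100 * k
            k += 1
    return nets, bucket_base


def host_rule_number(ip_s, bucket_base):
    """Rule number of a host: its bucket's base plus the host's offset inside the bucket (< 99)."""
    ip = ipaddress.ip_address(ip_s)
    for bucket, base in bucket_base.items():
        if ip in bucket:
            return base + (int(ip) - int(bucket.network_address))
    raise ValueError(f"{ip_s} is not inside any classified subnet")


def generate_rules(subnets, mappings):
    """Emit the skipto tree, the per-level denies and the per-host pass rules, one ipfw command per line."""
    nets, bucket_base = build_buckets(subnets)
    rules = []
    # Level 0: one skipto per subnet (100, 101, ...), then deny everything unclassified.
    for i, net in enumerate(nets):
        rules.append(f"add {100 + i} skipto {1000 + 100 * i} ip from {net} to any")
    rules.append(f"add {100 + len(nets)} deny ip from any to any")
    # Level 1: per subnet, one skipto per bucket (1000+j, 1100+j, ...), deny at xx99.
    for i, net in enumerate(nets):
        for j, bucket in enumerate(net.subnets(new_prefix=bucket_prefixlen(net))):
            rules.append(f"add {1000 + 100 * i + j} skipto {bucket_base[bucket]} ip from {bucket} to any")
        rules.append(f"add {1000 + 100 * i + 99} deny ip from any to any")
    # Level 2: deny at base+99 for every bucket, then one IP+MAC pass rule per known host.
    for base in bucket_base.values():
        rules.append(f"add {base + 99} deny ip from any to any")
    for ip_s, mac in mappings:
        rules.append(f"add {host_rule_number(ip_s, bucket_base)} pass ip from {ip_s} to any mac any {mac}")
    return rules


if __name__ == "__main__":
    # The output is in the form "ipfw -q /path/to/file" accepts, like the posted setup.
    print("\n".join(generate_rules(SUBNETS, MAPPINGS)))
```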
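The message says pf tables "metro" and "special" (fed by OpenBGPD) are mirrored into ipfw tables 1 and 2 by a cron job that only applies the differences. This added example is not that cron job; it shows how such a sync can be computed in Python from constructed copies of `pfctl -t metro -T show` and `ipfw table 1 list` output, emitting only the `table 1 add`/`table 1 delete` commands needed, which is what keeps a 3-minute sync from flushing and rebuilding a table the shaping rules are matching on.

```python
import ipaddress

# Constructed sample command output; not captured from the poster's router.
# "pfctl -t metro -T show" lists one entry per line, indented; hosts carry no /32.
PF_METRO_SHOW = """\
   10.0.20.0/24
   10.0.30.0/24
   192.168.11.11
"""
# "ipfw table 1 list" prints "addr/len value" per entry.
IPFW_TABLE1_LIST = """\
10.0.20.0/24 0
10.0.40.0/24 0
192.168.11.11/32 0
"""


def parse_pf_table(text):
    """Entries of a pf table as a set of networks (bare hosts normalised to /32)."""
    return {ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()}


def parse_ipfw_table(text):
    """Entries of an ipfw table, ignoring the per-entry value column."""
    return {ipaddress.ip_network(line.split()[0], strict=False)
            for line in text.splitlines() if line.strip()}


def sync_commands(table_no, pf_text, ipfw_text):
    """ipfw commands that make table table_no equal to the pf table, touching only the differences.
    Adds are emitted before deletes; both halves are sorted so repeated runs give identical output."""
    wanted = parse_pf_table(pf_text)
    current = parse_ipfw_table(ipfw_text)
    cmds = [f"table {table_no} add {n}" for n in sorted(wanted - current)]
    cmds += [f"table {table_no} delete {n}" for n in sorted(current - wanted)]
    return cmds


if __name__ == "__main__":
    # An empty list means the tables already agree and nothing is sent to ipfw.
    print("\n".join(sync_commands(1, PF_METRO_SHOW, IPFW_TABLE1_LIST)))
```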