From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Michael Vince"
Cc: freebsd-pf@freebsd.org
Subject: RE: PF firewall rules
Date: Tue, 11 Jul 2006 12:29:17 +0400
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Hi.

> > Why can't you filter incoming packets as they come in on the internal
> > interface? IMHO it is more natural because you stop unwanted traffic
> > early..
>
> So you're saying that to stop packets going *out* it's more "natural" to
> type up a *block in* firewall rule to achieve the desired result. I
> think it's a hard point of view to argue, and this was something that
> was never needed with IPFilter and is probably one of its better
> remaining features over PF.

It only depends on your personal preferences - I used IPFilter for about 4 years before switching to pf and I was using exactly the same approach there - the "pass out ... keep state" used to allow all outbound traffic while routed was making its decisions solely on inbound packets.

> So to block IP 192.168.1.17 from connecting *out* to anything
> on the internet I have to use a "block in" statement and there is no
> other way of doing this rule?
>
> block in quick on $int_if proto { tcp, udp, icmp } from 192.168.1.17 to any

Even

block in quick on $int_if from 192.168.1.17 to any

Why not? If you need to allow this host to connect to the gateway itself, you may use "pass in quick" rules before that one. Or vice versa - you can use

block in on $int_if from 192.168.1.17 to any

(without "quick") and then allow only some destinations/protocols. And finally you can tag your packets and then decide whether to pass that packet or not based on tags.

Regards,
Dmitry Andrianov
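The three approaches from the reply above written out as a pf.conf fragment; this is an added illustration, not part of the original thread. The interface names, the $int_net macro and the tag name RESTRICTED are assumptions.

```pf
# Added illustration of the three approaches from the reply above; not part of
# the original thread. Interface names, the $int_net macro and the tag name
# RESTRICTED are assumptions. Use ONE of the variants A, B or C.
ext_if   = "fxp0"            # assumed external interface
int_if   = "fxp1"            # assumed internal interface
int_net  = "192.168.1.0/24"  # assumed LAN
bad_host = "192.168.1.17"

# Forwarded traffic is decided on the inbound side ($int_if); the outbound
# side just passes whatever got through.
pass out on $ext_if keep state
pass out on $int_if keep state

# --- Variant A: drop everything from the host as it arrives on $int_if.
#     The earlier "quick" pass still lets it reach the gateway itself (ssh).
pass in quick on $int_if proto tcp from $bad_host to $int_if port 22 keep state
block in quick on $int_if from $bad_host to any
pass in on $int_if from $int_net to any keep state

# --- Variant B: block without "quick" as the host's default, then allow
#     selected destinations/protocols. The general LAN pass must come BEFORE
#     the block: pf evaluates the whole ruleset and the last match wins.
pass in on $int_if from $int_net to any keep state
block in on $int_if from $bad_host to any
pass in on $int_if proto { tcp, udp } from $bad_host to any port 53 keep state
pass in on $int_if proto tcp from $bad_host to any port 80 keep state

# --- Variant C: tag the host's packets on $int_if and decide on $ext_if.
#     The tag travels with the packet across interfaces inside the gateway;
#     no state is kept for the tagged packets, so the ruleset is re-evaluated
#     on the way out and the "quick" block wins.
pass in on $int_if from $int_net to any keep state
pass in on $int_if from $bad_host to any tag RESTRICTED
block out quick on $ext_if tagged RESTRICTED
```

Check the loaded ruleset with `pfctl -sr` and watch the drops with `pfctl -vsr`, or add `log` to the block rules and read them from pflog.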