Date: Tue, 24 Mar 2009 10:13:03 -0600 (MDT)
From: "Peter" <fbsdq@peterk.org>
To: "Glen Barber" <glen.j.barber@gmail.com>
Cc: Eric Magutu <emagutu@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: first firewall with pf
Message-ID: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net>
> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu <emagutu@gmail.com> wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins. Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules - placing this rule on top will 'quick' block everyone without parsing any other rules.

Rules ~should~ be:

block all
pass out keep state
block quick proto tcp from ZZ to port XX
pass in proto tcp port XX keep state
pass in proto tcp port YY keep state

This will allow outbound everything, and allow inbound only on ports XX,YY except from ZZ. All other packets will match rule 'block all'.

]Peter[
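To see the ordering point in action, here is an added example that is not from the thread and not PF's own code: a small Python model of PF's evaluation (top-down, last match wins, 'quick' stops the walk) run over Peter's ruleset and over the "quick block first" ordering, with constructed stand-ins for XX, YY and ZZ. It deliberately ignores 'proto tcp' and 'keep state', since only ordering matters for the point being made.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    # A pf.conf rule reduced to what matters for ordering; 'proto tcp' and 'keep state' are ignored.
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # "in", "out", or None for both
    quick: bool = False              # stop evaluating once this rule matches
    src: Optional[str] = None        # source address, None means any
    dport: Optional[int] = None      # destination port, None means any
    def matches(self, pkt: dict) -> bool:
        return ((self.direction is None or self.direction == pkt["dir"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt["dport"]))

def evaluate(rules: list, pkt: dict) -> str:
    """Top-down walk: the last matching rule wins unless a match carries 'quick'."""
    verdict = "pass"                 # PF passes when no rule matches at all
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed stand-ins for the placeholders XX, YY and ZZ in the mail.
XX, YY, ZZ = 22, 80, "198.51.100.7"
# 'block in quick ... all' moved above the pass rules, as the earlier reply suggested.
QUICK_BLOCK_FIRST = [
    Rule("block", "in", quick=True),
    Rule("pass", "in", dport=XX),
    Rule("pass", "in", dport=YY),
]

# Peter's ordering: a non-quick default block, 'quick' only on the targeted exception.
PETER = [
    Rule("block"),                                # block all
    Rule("pass", "out"),                          # pass out keep state
    Rule("block", quick=True, src=ZZ, dport=XX),  # block quick proto tcp from ZZ to port XX
    Rule("pass", "in", dport=XX),                 # pass in proto tcp port XX keep state
    Rule("pass", "in", dport=YY),                 # pass in proto tcp port YY keep state
]

# Constructed sample packets (documentation-range addresses).
PACKETS = {
    "xx_in":         {"dir": "in",  "src": "203.0.113.9", "dport": XX},
    "xx_in_from_zz": {"dir": "in",  "src": ZZ,            "dport": XX},
    "other_in":      {"dir": "in",  "src": "203.0.113.9", "dport": 443},
    "any_out":       {"dir": "out", "src": "10.0.0.2",    "dport": 443},
}
```

With Peter's ordering the inbound XX packet passes, the same packet from ZZ is blocked by the quick rule, unrelated inbound traffic falls back to 'block all' and outbound passes; with the quick block first, every inbound packet is blocked before the pass rules are ever consulted.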
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53529.216.241.167.212.1237911183.squirrel>