Date: Mon, 21 Jul 2008 12:48:23 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: PF and blocking of some ports Message-ID: <200807211248.23181.max@love2party.net> In-Reply-To: <E1KKrMR-000LUN-ID@ffe4.ukr.net> References: <E1KKrMR-000LUN-ID@ffe4.ukr.net>
On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
>
> Below is a part of my pf.conf:
>
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP ->
> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp
> 53
>
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if
> port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
>
> All works fine. But when I wish to block not only port 25 but also 5190 or
> some other ports, blocking does not occur. And I can connect to port 25 on
> any host in the Internet from any computer in the local network.
>
> Rules which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if
> port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me where my mistake is.

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port
5190 and the third to port 25.

In general you should rather block unwanted traffic explicitly.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
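The following is an added example, not part of the thread and not pf's own code. It is a small Python model of the two pf behaviours the reply relies on: every {a b} list in a rule is expanded into one rule per member (the cartesian product when a rule carries several lists), and a matching `quick` rule ends evaluation immediately, while otherwise the last match wins and a packet matching no rule is passed. It loads the questioner's `port {!=25 !=5190}` rule and shows that port 25 and port 5190 are still passed, then loads a ruleset written the way the reply suggests (an explicit `block ... port {25 5190}` ahead of the general `pass`), which is my assumption of how to apply that advice, not something the reply spells out. Only `proto` and the destination `port` clause are interpreted; interface, addresses and tags are carried along unevaluated, and only the `!=25` spelling without a space is parsed.

```python
"""Toy model of pf list expansion and 'quick' rule evaluation.

Added example for the thread above; not pf code and not from the
original message.  Models only proto + destination-port matching.
"""
import itertools
import re
from dataclasses import dataclass
from typing import List, Optional

BRACE = re.compile(r"\{([^}]*)\}")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp" or "udp"
    port_op: str           # "=", "!=" or "any" (rule has no port clause)
    port: Optional[int]
    quick: bool


def expand(line: str) -> List[str]:
    """Expand each {x y} list into separate rules, as pfctl does at load time.
    Several lists on one line give the cartesian product of their members."""
    members = [m.group(1).split() for m in BRACE.finditer(line)]
    template = BRACE.sub("{}", line)
    return [template.format(*combo) for combo in itertools.product(*members)]


def parse(line: str) -> Rule:
    """Parse one already-expanded rule (port spec written as 'N' or '!=N')."""
    tokens = line.split()
    proto = tokens[tokens.index("proto") + 1]
    if "port" in tokens:
        spec = tokens[tokens.index("port") + 1]
        if spec.startswith("!="):
            op, port = "!=", int(spec[2:])
        else:
            op, port = "=", int(spec)
    else:
        op, port = "any", None
    return Rule(tokens[0], proto, op, port, "quick" in tokens)


def load(conf: str) -> List[Rule]:
    """Expand and parse every non-empty, non-comment line of a ruleset."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.extend(parse(x) for x in expand(line))
    return rules


def matches(rule: Rule, proto: str, dport: int) -> bool:
    if rule.proto != proto:
        return False
    if rule.port_op == "any":
        return True
    return dport == rule.port if rule.port_op == "=" else dport != rule.port


def decide(rules: List[Rule], proto: str, dport: int) -> str:
    """pf semantics: last matching rule wins, unless a match is 'quick'."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, proto, dport):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def passed(conf: str, proto: str, ports) -> List[int]:
    """Return the ports from `ports` that the ruleset passes for `proto`."""
    rules = load(conf)
    return [p for p in ports if decide(rules, proto, p) == "pass"]


# Constructed rulesets.  BROKEN is the rule from the question; FIXED is an
# assumed way to follow the reply's advice: block explicitly, then pass the rest.
BROKEN = """
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
"""

FIXED = """
block in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {25 5190}
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if tag LAN_INET_TCP_UDP
"""


if __name__ == "__main__":
    for text in expand(BROKEN.strip()):
        print(text)
    print("broken passes:", passed(BROKEN, "tcp", [25, 5190, 80]))
    print("fixed passes: ", passed(FIXED, "tcp", [25, 5190, 80]))
```

On a real FreeBSD host the same expansion can be inspected without loading anything by running `pfctl -nvf /etc/pf.conf`, which prints the expanded rules; the order in which pfctl emits the four rules may differ from the model, but each of them passes the port the other negates, which is the point of the reply.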
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807211248.23181.max>