From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2008 12:48:23 +0200
Subject: Re: PF and blocking of some ports
Message-Id: <200807211248.23181.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
> I have a question about blocking some ports for LAN users.
>
> Below is a part of my pf.conf:
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp
> 53
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
> All works fine. But when I wish to block not only port 25 but also 5190 or
> some other ports, blocking does not occur. And I can connect to port 25 on
> any host in the Internet from any computer in the local network.
>
> The rule which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me where my mistake is.

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port 5190 and the third to port 25.

In general you should rather block unwanted traffic explicitly.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
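The expansion Max describes, as an added example that is not part of the thread and not pf's own parser: a small Python model of how pf turns a `{tcp udp}` x `{!=25 !=5190}` rule into four separate rules and then evaluates packets against them with `quick` semantics (first matching quick rule decides; otherwise the last match wins; no match means pass). The `BROKEN` ruleset is a constructed copy of the poster's rule; `FIXED` is one assumed shape of the "block explicitly" approach the reply recommends (explicit `block quick` rules for 25 and 5190 ahead of a general `pass quick`). The sample packets and rule dicts are constructed for illustration.

```python
"""Model of pf's {...} list expansion and rule evaluation.

Constructed example, not pf's code: it reproduces the expansion described in
the reply ({tcp udp} x {!=25 !=5190} -> four independent rules) and walks a
few sample packets through the result.
"""
import operator
from itertools import product

# Comparison operators pf accepts in a single port expression ("!=25", ">1023").
_OPS = {
    "!=": operator.ne, "<=": operator.le, ">=": operator.ge,
    "=": operator.eq, "<": operator.lt, ">": operator.gt,
}


def parse_port(expr):
    """Turn one port expression ("25", "!=25", ">1023", "any") into a predicate."""
    expr = expr.strip()
    if expr == "any":
        return lambda port: True
    for sym in ("!=", "<=", ">=", "=", "<", ">"):  # two-character ops first
        if expr.startswith(sym):
            value = int(expr[len(sym):])
            return lambda port, op=_OPS[sym], v=value: op(port, v)
    return lambda port, v=int(expr): port == v


def expand_rule(rule):
    """pf expands every {a b ...} list into one rule per element, so a rule with
    two protocols and two port expressions becomes 2 x 2 = 4 separate rules.
    Each expanded rule matches on its own; list members are never AND-ed, which
    is why two negated ports in one list cannot exclude both.
    Port list is iterated outermost to match the order given in the reply."""
    expanded = []
    for port, proto in product(rule["port"], rule["proto"]):
        expanded.append({
            "action": rule["action"], "quick": rule["quick"],
            "proto": proto, "port_expr": port, "match": parse_port(port),
        })
    return expanded


def evaluate(ruleset, proto, dport):
    """Evaluate a packet the way pf does: the last matching rule wins unless a
    matching rule is 'quick', which ends evaluation immediately. With no match
    pf's default is to pass. Returns (action, index of the deciding rule)."""
    decision = ("pass", None)
    for idx, rule in enumerate(ruleset):
        if rule["proto"] == proto and rule["match"](dport):
            decision = (rule["action"], idx)
            if rule["quick"]:
                break
    return decision


def render(ruleset):
    """Print-friendly form of the expanded rules, one line per rule."""
    return [f"{r['action']} quick proto {r['proto']} port {r['port_expr']}"
            for r in ruleset]


# The poster's attempt (constructed copy): pass everything except 25 and 5190.
BROKEN = expand_rule({"action": "pass", "quick": True,
                      "proto": ["tcp", "udp"], "port": ["!=25", "!=5190"]})

# Assumed shape of the reply's advice: block the unwanted ports explicitly,
# ahead of the general pass rule, so the block is decided first.
FIXED = (expand_rule({"action": "block", "quick": True,
                      "proto": ["tcp", "udp"], "port": ["25", "5190"]})
         + expand_rule({"action": "pass", "quick": True,
                        "proto": ["tcp", "udp"], "port": ["any"]}))

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"--- {name}: {len(rules)} expanded rules")
        for line in render(rules):
            print("  " + line)
        for proto, port in (("tcp", 25), ("tcp", 5190), ("udp", 25), ("tcp", 80)):
            action, idx = evaluate(rules, proto, port)
            print(f"  {proto}/{port}: {action} (decided by rule {idx})")
```

Running it shows tcp/25 passing the `BROKEN` set via the third expanded rule (`tcp port !=5190`) and tcp/5190 passing via the first, exactly as the reply says, while the `FIXED` set blocks both and passes tcp/80. On a real host, `pfctl -vnf /etc/pf.conf` parses the file without loading it and prints the rules in their expanded form, which is the quickest way to catch this kind of list mistake before it goes live.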