From owner-freebsd-pf@FreeBSD.ORG  Tue Jul 11 23:56:07 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5747816A4DD
	for <freebsd-pf@freebsd.org>; Tue, 11 Jul 2006 23:56:07 +0000 (UTC)
	(envelope-from solinym@gmail.com)
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 951BB43D45
	for <freebsd-pf@freebsd.org>; Tue, 11 Jul 2006 23:56:06 +0000 (GMT)
	(envelope-from solinym@gmail.com)
Received: by py-out-1112.google.com with SMTP id c63so31474pyc
	for <freebsd-pf@freebsd.org>; Tue, 11 Jul 2006 16:55:32 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=pM/y9HxGE+iIZfWhvtNRxMm7ii0MSVW2kHVd7UeDjq+/0tHJNaWLEls81wr5cpLj6zAPiTXtwNTFFx10OlfqzsT17+8O2Kh5VDmte0AyKscik5+WvWkRZRrk024pJL+Z4qPHV/VN/Nb9zb+wICrgrBnBHk8LpwmADmd6K4/Orm8=
Received: by 10.35.129.19 with SMTP id g19mr154627pyn;
	Tue, 11 Jul 2006 16:55:32 -0700 (PDT)
Received: by 10.35.34.3 with HTTP; Tue, 11 Jul 2006 16:55:32 -0700 (PDT)
Message-ID: <d4f1333a0607111655m32d407dbq52e144f6a82c4dc0@mail.gmail.com>
Date: Tue, 11 Jul 2006 18:55:32 -0500
From: "Travis H." <solinym@gmail.com>
To: "Kian Mohageri" <kian.mohageri@gmail.com>
In-Reply-To: <fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <D5972F49810A69449A9EA72A4B360DC2D0A38F@e1.universe.dart.spb>
	<44B339D6.7090401@thebeastie.org>
	<fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF firewall rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2006 23:56:07 -0000

On 7/11/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> I'm not sure if I'm understanding you correctly, but if having the direction
> in the rule is confusing to you, you can leave it out:
>
> block quick on $int_If proto { tcp, udp, icmp } from 192.168.1.17 to any

Better yet, drop the "on $int_if", since if the 192.168/16 block is
allocated to LAN hosts, you probably don't want to allow it in on any
other interface, either.  And why enumerate TCP, UDP, ICMP?  Are you
trying to allow IGMP from this host?  What you don't know can hurt
you!  I say drop the protocol specification too.  This simplfies your
rule to:

block quick from 192.168.1.17 to any

See?  Using lists causes several rules to be created, so as well as
being simpler, this is more efficient too.
-- 
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484