Date: Tue, 11 Jul 2006 18:55:32 -0500
From: "Travis H." <solinym@gmail.com>
To: "Kian Mohageri" <kian.mohageri@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF firewall rules
Message-ID: <d4f1333a0607111655m32d407dbq52e144f6a82c4dc0@mail.gmail.com>
In-Reply-To: <fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com>
References: <D5972F49810A69449A9EA72A4B360DC2D0A38F@e1.universe.dart.spb> <44B339D6.7090401@thebeastie.org> <fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com>
On 7/11/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> I'm not sure if I'm understanding you correctly, but if having the direction
> in the rule is confusing to you, you can leave it out:
>
> block quick on $int_If proto { tcp, udp, icmp } from 192.168.1.17 to any

Better yet, drop the "on $int_if", since if the 192.168/16 block is
allocated to LAN hosts, you probably don't want to allow it in on any
other interface, either.

And why enumerate TCP, UDP, ICMP? Are you trying to allow IGMP from
this host? What you don't know can hurt you! I say drop the protocol
specification too. This simplifies your rule to:

block quick from 192.168.1.17 to any

See? Using lists causes several rules to be created, so as well as
being simpler, this is more efficient too.

--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
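The remark that a brace list "causes several rules to be created" is easy to see with a small expander. The Python below is an added example, not code from this thread or from pf/pfctl; it mimics the list expansion pfctl performs (each `{ a, b }` list becomes one rule per member, and several lists in one rule give their cartesian product) so you can count what a rule really loads. The sample ruleset, the macro `int_if = "em0"`, and the port numbers are constructed for the demonstration; nested braces and `!` negation inside lists are deliberately not handled.

```python
import itertools
import re
from typing import List

# One brace-delimited pf list, e.g. "{ tcp, udp, icmp }" (no nesting assumed).
_LIST_RE = re.compile(r"\{\s*([^}]*)\}")
# A pf macro definition such as int_if = "em0"; these are not rules.
_MACRO_RE = re.compile(r"^\w+\s*=")


def expand_rule(rule: str) -> List[str]:
    """Return the plain rules one pf rule with brace lists expands to.

    A rule without lists maps to itself; a rule with N lists maps to
    the cartesian product of their members, which is why list rules
    cost more than one plain rule once loaded.
    """
    lists = _LIST_RE.findall(rule)
    if not lists:
        return [" ".join(rule.split())]
    members = [[m.strip() for m in body.split(",") if m.strip()] for body in lists]
    # Replace each list with a positional placeholder, then fill in every combination.
    template = _LIST_RE.sub("{}", rule)
    return [" ".join(template.format(*combo).split())
            for combo in itertools.product(*members)]


def expand_ruleset(conf: str) -> List[str]:
    """Expand every rule line of a pf.conf fragment, skipping blanks,
    comments and macro definitions (macros are left unsubstituted)."""
    rules: List[str] = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or _MACRO_RE.match(line):
            continue
        rules.extend(expand_rule(line))
    return rules


# Constructed sample ruleset (hypothetical; not the poster's pf.conf).
SAMPLE_CONF = """
int_if = "em0"
# the list rule from the thread: three rules after expansion
block quick on $int_if proto { tcp, udp, icmp } from 192.168.1.17 to any
# the simplified rule: one rule, and it applies on every interface
block quick from 192.168.1.17 to any
# two lists in one rule: 2 x 2 = 4 rules
pass out on $int_if proto { tcp, udp } from any to any port { 53, 123 }
"""


if __name__ == "__main__":
    for r in expand_ruleset(SAMPLE_CONF):
        print(r)
    print(len(expand_ruleset(SAMPLE_CONF)), "rules loaded from", 3, "rule lines")
```

On a real host, `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the same expanded rules, which is the quickest way to confirm how many rules a list actually produces.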