Date: Tue, 11 Jul 2006 18:55:32 -0500 From: "Travis H." <solinym@gmail.com> To: "Kian Mohageri" <kian.mohageri@gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: PF firewall rules Message-ID: <d4f1333a0607111655m32d407dbq52e144f6a82c4dc0@mail.gmail.com> In-Reply-To: <fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com> References: <D5972F49810A69449A9EA72A4B360DC2D0A38F@e1.universe.dart.spb> <44B339D6.7090401@thebeastie.org> <fee88ee40607102348w3bd6c7caj2b0b9bea6387b26b@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 7/11/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> I'm not sure if I'm understanding you correctly, but if having the direction
> in the rule is confusing to you, you can leave it out:
>
> block quick on $int_If proto { tcp, udp, icmp } from 192.168.1.17 to any
Better yet, drop the "on $int_if", since if the 192.168/16 block is
allocated to LAN hosts, you probably don't want to allow it in on any
other interface, either. And why enumerate TCP, UDP, ICMP? Are you
trying to allow IGMP from this host? What you don't know can hurt
you! I say drop the protocol specification too. This simplfies your
rule to:
block quick from 192.168.1.17 to any
See? Using lists causes several rules to be created, so as well as
being simpler, this is more efficient too.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d4f1333a0607111655m32d407dbq52e144f6a82c4dc0>