From owner-freebsd-questions@FreeBSD.ORG  Fri Jan 22 09:45:20 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B77CA1065670
	for <freebsd-questions@freebsd.org>;
	Fri, 22 Jan 2010 09:45:20 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es
	[85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 6F15A8FC1A
	for <freebsd-questions@freebsd.org>;
	Fri, 22 Jan 2010 09:45:19 +0000 (UTC)
Received: from beta.1-16-172-dyn.locolomo.org (unknown [172.16.1.127])
	by mail.locolomo.org (Postfix) with ESMTPSA id 1C7B01C1A67;
	Fri, 22 Jan 2010 10:45:18 +0100 (CET)
Message-ID: <4B5973AD.8070603@locolomo.org>
Date: Fri, 22 Jan 2010 10:45:17 +0100
From: Erik Norgaard <norgaard@locolomo.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: kalin m <kalin@el.net>
References: <4B594FC0.3010200@el.net>
In-Reply-To: <4B594FC0.3010200@el.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-questions@freebsd.org
Subject: Re: pf rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 09:45:20 -0000

kalin m wrote:
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
> 
> set skip on lo
> scrub in
> 
> antispoof for eth0 inet
> 
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

To debug pf rules:

- always add direction to the rule, pass or block, add interface to all
   rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch pflog to see which rule blocks or
   passes traffic.
- use keyword quick for any decisive rule
- check the parsing of your ruleset, pfctl -sr

then come back and ask for help.

BR, Erik


-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org