Old 19th April 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Heather .... I'm going to make a guess that what you have is an OpenBSD end-point server -- it does no routing of packets elsewhere, and all you want PF to do is block all traffic for anything except TCP traffic to port 7008. If so, then perhaps this silly little 3-line pf.conf will suffice:
Code:
interface = "rl0"
block all
pass in on $interface proto tcp from any to any port 7008
You could do away with the $interface macro and use rl0 in the pass rule, and have only two lines. The purpose of macros is for easy change when moving to different computers, adding interfaces, changing fixed addresses, etc.

The first rule is a block all. All packets evaluate for true, in all directions, and all traffic is blocked.

The second rule is a pass for all traffic from anywhere to anywhere that is destined for port 7008. Now, obviously, the only inbound traffic will be destined for this server, since it is not a router and does not forward anything. So all inbound traffic for destination port 7008 will match and be passed. TCP traffic is "stateful", and the default on TCP traffic is to "keep state", so PF will pass all outbound traffic back to the originator without needing any new rules, as long as the TCP session remains active. Once the state terminates, no outbound traffic will be permitted.

Hope this helps. I recommend a careful review of the PF Users Guide, which is part of the OpenBSD FAQ. I also recommend Peter Hansteen's The Book of PF.
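A small model of how PF evaluates the ruleset above, added here as an illustration (it is not part of the post and is a toy, not PF itself; the hosts and ports in the walk-through are constructed): it expands the $interface macro, applies PF's last-matching-rule semantics (no "quick" is used), lets the reply traffic through on the state created by the pass rule, and shows it being blocked again once that state is gone.

```python
import re

PF_CONF = '''interface = "rl0"
block all
pass in on $interface proto tcp from any to any port 7008
'''                                             # the post's ruleset, reused as input

def parse(conf):
    """Expand $macros; return rules in file order (small subset of the pf.conf grammar)."""
    macros, rules = {}, []
    for line in conf.strip().splitlines():
        m = re.match(r'^(\w+)\s*=\s*"?([^"]+?)"?\s*$', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        words = re.sub(r'\$(\w+)', lambda x: macros[x.group(1)], line).split()
        rule = {'action': words[0], 'dir': None, 'iface': None, 'proto': None, 'dport': None}
        i = 1
        while i < len(words):                   # 'all' and 'from any to any' add no constraint
            if words[i] in ('in', 'out'):
                rule['dir'] = words[i]
            elif words[i] in ('on', 'proto', 'port'):
                key, i = {'on': 'iface', 'proto': 'proto', 'port': 'dport'}[words[i]], i + 1
                rule[key] = int(words[i]) if key == 'dport' else words[i]
            i += 1
        rules.append(rule)
    return rules

def pkt(direction, src, sport, dst, dport, proto='tcp', iface='rl0'):
    return dict(dir=direction, iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

class Firewall:
    def __init__(self, conf):
        self.rules = parse(conf)
        self.states = set()                     # 5-tuples of TCP connections that were passed
    def filter(self, p):
        fwd = (p['proto'], p['src'], p['sport'], p['dst'], p['dport'])
        rev = (p['proto'], p['dst'], p['dport'], p['src'], p['sport'])
        if fwd in self.states or rev in self.states:
            return 'pass'                       # state matched: the ruleset is not consulted
        verdict = 'pass'                        # PF's implicit default when nothing matches
        for r in self.rules:                    # no 'quick': the LAST matching rule decides
            if all(r[k] in (None, p[k]) for k in ('dir', 'iface', 'proto', 'dport')):
                verdict = r['action']
        if verdict == 'pass' and p['proto'] == 'tcp':
            self.states.add(fwd)                # 'keep state' is the default for pass rules
        return verdict

    def close(self, p):                         # model the state expiring (FIN/RST or timeout)
        self.states.discard((p['proto'], p['src'], p['sport'], p['dst'], p['dport']))
```

Because "block all" comes first and nothing uses "quick", the later "pass in" rule overrides it only for inbound TCP to port 7008; everything else, including new outbound connections from the server, keeps the block verdict.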