Here's my pf ruleset:
Code:
# vi /etc/pf.conf
table <internet> { 0.0.0.0/0 }
tcp_services = "{ ssh, www, http, https, domain, auth, 1863, 21, 20, 25, 110, 143, 465, 993, 995, 3724, 6112, 1119, 1700, 25565 }"
udp_services = "{ domain }"
intern_ip = "192.168.2.0/24"
dns_ip = "{ 195.238.2.21, 195.238.2.22}"
rapidshare_ip = "{ 195.122.131.0/24, 62.67.50.0/24, 212.162.2.0/24, 62.140.7.0/24, 130.117.156.250}"
firewall_ip = "{192.168.2.1, 127.0.0.1}"
ext_if = "dc0"
int_if = "rl0"
loc_if = "lo0"
#NAT
nat pass on $ext_if from $int_if:network to any -> $ext_if
pass in quick on $loc_if from $firewall_ip
pass out quick on $loc_if from $firewall_ip
block all
#block rps
block in quick on $int_if inet proto tcp from $intern_ip to $rapidshare_ip
#default tcp traffic
pass in quick on $int_if inet proto tcp from $intern_ip to any port $tcp_services
pass out quick on $ext_if inet proto tcp from $ext_if to any port $tcp_services
#to darkstat page
pass in quick on $int_if inet proto tcp from $intern_ip to $firewall_ip port 667
#dns
pass in quick on $int_if inet proto udp from $intern_ip to $dns_ip port "domain"
pass out quick on $ext_if inet proto udp from $ext_if to $dns_ip port "domain"
#ssh to firewall
pass in quick on $int_if inet proto tcp from $intern_ip to $ext_if port 22
#ping
pass in quick on $int_if inet proto icmp from $intern_ip to any icmp-type "echoreq"
pass out quick on $int_if inet proto icmp from $intern_ip to any icmp-type "echoreq"
Yet still (http://img542.imageshack.us/i/113v.jpg/) people are using ports that should be closed.
I am quite certain this is done by using torrents.
Also, I installed a dnsspoofer which blocks all URLs containing the word *tracker*, so torrents should be blocked by pf and by dnsspoof..
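One way to check what the ruleset is actually admitting is to dump the state table with `pfctl -ss` and look for LAN-originated states whose destination port is not in the posted allow lists; the helper below (an added example, not part of the post above) parses that output offline. The `pfctl -ss` line layout is assumed from OpenBSD/FreeBSD pf, the port set is taken from the posted `tcp_services`/`udp_services` and darkstat rules, and the sample state lines are constructed.

```python
import re

# Destination ports the posted ruleset allows for LAN-originated traffic
# (service names resolved as in /etc/services: ssh=22, www/http=80, https=443,
# domain=53, auth=113), plus port 667 for darkstat on the firewall itself.
ALLOWED_TCP = {20, 21, 22, 25, 53, 80, 110, 113, 143, 443, 465, 667, 993, 995,
               1119, 1700, 1863, 3724, 6112, 25565}
ALLOWED_UDP = {53}
LAN_PREFIX = '192.168.2.'   # $intern_ip from the ruleset

# One `pfctl -ss` state line; layout assumed from OpenBSD/FreeBSD pf output:
#   <if> <proto> <src>:<port> [(<pre-NAT src>:<port>)] -> <dst>:<port>  <state>
STATE_RE = re.compile(
    r'^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)'
    r'(?:\s+\((?P<osrc>[\d.]+):(?P<osport>\d+)\))?'
    r'\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)')

def parse_states(text):
    """Yield one dict per parsable tcp/udp state line; other lines are skipped."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s['dport'] = int(s['dport'])
            yield s

def unexpected_states(text):
    """Return (proto, lan_host, dst, dport) for LAN-originated states whose
    destination port the ruleset does not list, i.e. traffic that should not
    have been admitted and is worth matching against `pfctl -vvsr` counters."""
    found = []
    for s in parse_states(text):
        lan_host = s['osrc'] or s['src']      # pre-NAT address when shown
        if not lan_host.startswith(LAN_PREFIX):
            continue                          # firewall's own or inbound traffic
        allowed = ALLOWED_TCP if s['proto'] == 'tcp' else ALLOWED_UDP
        if s['dport'] not in allowed:
            found.append((s['proto'], lan_host, s['dst'], s['dport']))
    return found

# Constructed sample in the pfctl -ss layout, not real captured output.
SAMPLE = """\
all tcp 192.168.2.10:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
dc0 tcp 203.0.113.5:51234 (192.168.2.10:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.2.15:49800 -> 198.51.100.7:6881       ESTABLISHED:ESTABLISHED
all udp 192.168.2.15:49801 -> 198.51.100.9:6881       MULTIPLE:MULTIPLE
all udp 192.168.2.10:40000 -> 195.238.2.21:53       MULTIPLE:SINGLE
"""
```

Run it as `pfctl -ss | python3 -c 'import sys, pfcheck; print(pfcheck.unexpected_states(sys.stdin.read()))'` (module name hypothetical) on the firewall; any hit means a pass rule or the `nat pass` shortcut created that state, and `pfctl -vvsr` shows which rule's counters are climbing.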