Old 24th December 2011
mikygee
Port Guard
 
Join Date: Oct 2011
Posts: 15

Hello,

First thank you for your answers.

I got confused when I read the word dynamic.
What I understand now is that you use anchors when you want to add a rule without reloading all the rules. I previously understood that pfctl would create new rules if a condition is matched (if I go to a certain IPDest/PortDest, it adds rule X).

From what you wrote previously:
1) On your workstation, you give very limited access to external ftp sites and you use tables => Ideally I would like to have access to any site
2) The anchors method that you used requires a manual action; it's kind of dynamic, but I can't say it is the dream scenario that I wrote above =)

Reading your pf configuration, I have another question. What is the difference between portfirst/last and porthifirst/last?
Trust me, I already read man 3 sysctl before asking the question and the trees are still hiding the forest.

It says:
ip.portfirst
Minimum registered port number for TCP/UDP port
allocation. Registered ports can be used by ordinary
user processes or programs executed by ordinary users.
Cannot be less than 1024 or greater than 49151. Must be
less than ip.portlast.

ip.porthifirst
Minimum dynamic/private port number for TCP/UDP port
allocation. Dynamic/private ports can be used by
ordinary user processes or programs executed by ordinary
users. Cannot be less than 49152 or greater than 65535.
Must be less than ip.porthilast.
The only difference is that they talk about registered ports in the first statement and dynamic/private in the second statement.

When my OpenBSD is going to do an http or ftp request, it's going to use the hi port, correct?
In which case, would it use the range 1024-49151 then ?

Merry Christmas
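The anchor mechanism discussed in this post, as an added illustration (not the configuration from the thread or from the poster): the main ruleset is loaded once and contains an empty anchor, and individual allow rules are later pushed into that anchor with pfctl without reloading /etc/pf.conf. The anchor name "ftp-allow" and the address 203.0.113.10 are placeholders chosen for the example.

```pf
# /etc/pf.conf  (main ruleset, loaded once with:  pfctl -f /etc/pf.conf)
# Default: outbound FTP control connections are blocked.
block out on egress proto tcp to port 21

# The anchor is evaluated here; it starts empty. Because it sits after the
# block rule and pf uses last-match-wins, a "pass" rule inside the anchor
# overrides the block for the destinations it names.
anchor "ftp-allow" out on egress proto tcp to port 21

# Later, from a root shell, without touching the main ruleset:
#   # allow one FTP site (replaces the anchor's current rules)
#   echo 'pass out on egress proto tcp to 203.0.113.10 port 21' | pfctl -a ftp-allow -f -
#   # inspect only the anchor's rules
#   pfctl -a ftp-allow -sr
#   # flush the anchor again (main ruleset stays loaded)
#   pfctl -a ftp-allow -Fr
```

Loading into the anchor with `pfctl -a ftp-allow -f -` replaces that anchor's rules only, so the rest of the ruleset and existing state entries are untouched.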