#5   8th February 2009
jggimi
  1. These two rules are in the wrong place; they appear before your Options section. If they were supposed to apply, they are negated by your very first rule in your filtering section, which is "block all":
    Code:
    pass out
    pass in keep state (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
    Remember how filter rules function: without "quick", the last matching rule wins. And, avoid using "quick" if you can, as any time a quick rule matches, no further packet matching is done.
  2. This appears to be an end-system firewall as only an external NIC is mentioned in your rules.
  3. If no previous "quick" rule has inadvertently matched, then this is the last rule that will match an inbound TCP session for a local daemon listening on your single NIC to TCP port 5524:
    Code:
    pass in on $ext_if inet proto tcp  from any  to any port $tcp_pass flags S/SA keep state
    The subsequent pass out rules will not apply, as PF will use the existing state table for the entire time the TCP session remains established.
  4. The most effective way to analyze your rule set is to watch it perform, using pflogd(8) and the pflog(4) facility with a network monitoring tool such as tcpdump(1). You'll need to add the log option to the rules you want to track, of course. This particular rule does not have the $logopt macro in it.
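The reordering and logging described in this post, written out as an added example that is not part of the original thread: a minimal end-system pf.conf with the options section (and the <brute> table the overload clause writes into) ahead of every filter rule, the default deny at the top of the filter section so that later, more specific pass rules win, and the log option on the rule you want pflog(4) to record. The interface name em0, the port list behind $tcp_pass and the value of the $logopt macro are assumptions chosen for illustration, not values from the original poster's ruleset.

```pf
# Added example, not the original poster's ruleset.
# Assumed values: em0 for the external interface, the ports in $tcp_pass,
# and "log" as the expansion of $logopt.
ext_if   = "em0"
tcp_pass = "{ 22 5524 }"
logopt   = "log"

# Options section: everything here must precede the first filter rule.
set skip on lo
table <brute> persist

# Filter section.  Without "quick" the last matching rule wins, so the
# default deny goes first and the pass rules that follow override it.
block all

# The one deliberate "quick" rule: sources already in <brute> are dropped
# before any later pass rule can match them.
block $logopt quick from <brute>

pass out $logopt on $ext_if keep state

# The inbound TCP rule from the post, now carrying $logopt so pflogd(8)
# records it, and carrying the state options that were previously sitting
# in a rule that "block all" negated.  Once this rule creates state, the
# pass out rules are not consulted again for that session.
pass in $logopt on $ext_if inet proto tcp from any to any port $tcp_pass \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
```

Check the file with pfctl -nf /etc/pf.conf before loading it, then watch the logged rules match in real time with tcpdump -n -e -ttt -i pflog0, or after the fact with tcpdump -n -e -ttt -r /var/log/pflog; the -e flag prints the rule number and action for each logged packet, which is what tells you which rule actually won.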