10th November 2008
J65nko
Administrator

You can define a simple default policy to block all traffic. Then you tag the allowed traffic. Only let this pass in (on the internal interface) and out on the external one.
Code:
# cat test.pf

ext_if = bge0
int_if = re0

TCP_services = "{ www whois }"
UDP_services = "{ domain ntp }"

# NAT only the traffic that was tagged on its way in
nat on $ext_if tagged OUT_OK -> $ext_if

# default policy: block and log everything
block log (all)

# only tagged traffic may leave on the external interface
pass out quick on $ext_if tagged OUT_OK

# tag the allowed services as they come in on the internal interface
pass in quick on $int_if inet proto tcp to any port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any port $UDP_services tag OUT_OK
A test load shows how these rules expand:
Code:
ext_if = "bge0"
int_if = "re0"
TCP_services = "{ www whois}"
UDP_services = "{ domain ntp }"
@0 nat on bge0 inet all tagged OUT_OK -> 192.168.222.20
@0 block drop log (all) all
@1 pass out quick on bge0 all flags S/SA keep state tagged OUT_OK
@2 pass in quick on re0 inet proto tcp from any to any port = www flags S/SA keep state tag OUT_OK
@3 pass in quick on re0 inet proto tcp from any to any port = whois flags S/SA keep state tag OUT_OK
@4 pass in quick on re0 inet proto udp from any to any port = domain keep state tag OUT_OK
@5 pass in quick on re0 inet proto udp from any to any port = ntp keep state tag OUT_OK
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
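As an added example (not part of the post above), a small Python audit of the tag policy the post describes: it reads the expanded rules exactly as a test load prints them and flags any pass-out rule on the external interface that does not require the tag, or any pass-in rule on the internal interface that forgets to set it. The sample input is the expansion from the post plus one constructed, deliberately broken rule (@6); interface names, the tag name and the rule are taken from the post, everything else is assumed.

```python
import re

# Constructed sample: the expanded ruleset from the post, plus one
# hypothetical extra rule (@6) that passes out on bge0 without the tag.
EXPANDED_RULES = """\
@0 nat on bge0 inet all tagged OUT_OK -> 192.168.222.20
@0 block drop log (all) all
@1 pass out quick on bge0 all flags S/SA keep state tagged OUT_OK
@2 pass in quick on re0 inet proto tcp from any to any port = www flags S/SA keep state tag OUT_OK
@3 pass in quick on re0 inet proto tcp from any to any port = whois flags S/SA keep state tag OUT_OK
@4 pass in quick on re0 inet proto udp from any to any port = domain keep state tag OUT_OK
@5 pass in quick on re0 inet proto udp from any to any port = ntp keep state tag OUT_OK
@6 pass out quick on bge0 inet proto tcp from any to any port = ssh flags S/SA keep state
"""

# rule number, action, direction, interface, then the rest of the rule
RULE_RE = re.compile(r"^@(\d+)\s+(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)(.*)$")


def parse_rules(text):
    """Parse expanded filter rules (as printed by a verbose test load) into dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # nat rules and the catch-all block carry no direction/interface
            continue
        num, action, direction, iface, rest = m.groups()
        tag = re.search(r"\btag\s+(\S+)", rest)        # 'tag X' sets a tag
        tagged = re.search(r"\btagged\s+(\S+)", rest)  # 'tagged X' requires one
        rules.append({"num": int(num), "action": action, "dir": direction,
                      "iface": iface,
                      "tag": tag.group(1) if tag else None,
                      "tagged": tagged.group(1) if tagged else None})
    return rules


def audit_tag_policy(rules, ext_if, int_if, tag):
    """Return findings that break the 'only tagged traffic leaves' policy."""
    findings = []
    for r in rules:
        if r["action"] != "pass":
            continue
        if r["dir"] == "out" and r["iface"] == ext_if and r["tagged"] != tag:
            findings.append(f"@{r['num']}: pass out on {ext_if} without 'tagged {tag}'")
        if r["dir"] == "in" and r["iface"] == int_if and r["tag"] != tag:
            findings.append(f"@{r['num']}: pass in on {int_if} does not set 'tag {tag}'")
    return findings


if __name__ == "__main__":
    for finding in audit_tag_policy(parse_rules(EXPANDED_RULES), "bge0", "re0", "OUT_OK"):
        print(finding)
```

Untagged traffic that a pass-in rule lets through is still dropped by the default block on the way out, so the second check catches rules that silently break a service rather than a leak.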