Thread: pf config error
Old 3rd September 2009
s2scott
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Code:
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
consider,

Code:
# Allow incoming ssh, http, bind traffic
# Requires a table definition earlier in pf.conf, e.g.: table <blockedips> persist
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
    from !<blockedips> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port http flags S/SA synproxy state
Among the alternatives to consider, "($ext_if)" is far better than "any".
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
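A complete, loadable ruleset built around the rules in the post above, added here as an example and not taken from s2scott's post or from any project. The interface name, the ICMP types, the table file path and the 192.0.2.x addresses (a documentation range) are assumptions; the point it demonstrates is how the `<blockedips>` table and the `($ext_if)` form fit together with a default-deny policy.

```pf
# /etc/pf.conf  (added example; ext_if, icmp_types and paths are assumptions)
ext_if     = "em0"
icmp_types = "{ echoreq, unreach }"

# Sources that are never allowed in. "persist" keeps the table alive even when
# no active rule references it, so entries added with pfctl are not lost on reload.
# The file is an assumption: one address or CIDR per line.
table <blockedips> persist file "/etc/pf.blockedips"

set skip on lo

# Default deny: anything not explicitly passed below is dropped and logged.
block in log on $ext_if
block out log on $ext_if

# Let the firewall itself initiate connections.
pass out on $ext_if inet keep state

# Allow incoming ssh, http, bind traffic.
# "from !<blockedips>" matches every source NOT listed in the table.
# "to ($ext_if)" means "to the address currently on em0", looked up at
# evaluation time, so it tracks DHCP changes and, unlike "any", never
# matches traffic that is merely being forwarded through this host.
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
    from !<blockedips> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
    from !<blockedips> to ($ext_if) port http flags S/SA synproxy state

pass inet proto icmp all icmp-type $icmp_types keep state

# Operational check and table maintenance (run as root; addresses are constructed):
#   pfctl -nf /etc/pf.conf                  # parse only, catches an undefined table
#   pfctl -f  /etc/pf.conf                  # load
#   pfctl -t blockedips -T add 192.0.2.10   # take effect immediately, no reload
#   pfctl -t blockedips -T show             # confirm the entry is present
#   pfctl -t blockedips -T delete 192.0.2.10
```

Note that a table name is only checked when the ruleset is parsed, so a typo such as `<blockedip>` in one rule and `<blockedips>` in another shows up as a load error from `pfctl -nf` rather than as a silently ineffective rule; running the parse-only check before every reload is the cheap way to catch it.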