#3   24th October 2013
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

If you keep state on outgoing http traffic, the incoming traffic matches the state and thus will be automatically allowed in.

From pf.conf(5):
Code:
     By default pf(4) filters packets statefully: the first time a packet
     matches a pass rule, a state entry is created.  The packet filter
     examines each packet to see if it matches an existing state.  If it does,
     the packet is passed without evaluation of any rules.
So you need to block the outgoing traffic with something like:
Code:
block drop out log (all) quick on $ext_if from any to <noface>
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
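A complete ruleset showing the ordering the post is describing, as an added example that is not part of the original post or the pf documentation. The interface name em0 and the addresses in the <noface> table are constructed for illustration (they are RFC 5737 documentation addresses); substitute your own. The point is that the quick block must sit before the stateful pass out rule, so the first packet of a connection to a listed host never reaches a pass rule and no state entry is ever created for it.

```pf
# Added example: minimal pf.conf demonstrating "block before state is created".
# em0 and the table contents are assumptions for this example.
ext_if = "em0"

# Hosts we never want to talk to. Constructed sample entries; a real
# deployment would typically load these from a file with "persist file".
table <noface> persist { 192.0.2.10, 198.51.100.0/24 }

set skip on lo

# Outbound traffic to the listed hosts is dropped here. "quick" ends rule
# evaluation for the packet, so the "pass out" below is never consulted and
# pf creates no state entry. "log (all)" logs every matching packet on
# pflog0, not only the one that would have created state.
block drop out log (all) quick on $ext_if from any to <noface>

# Stateful pass for outbound web traffic. The first SYN that matches this
# rule creates a state entry; the replies from the server are then passed
# because they match that state, without any rule being evaluated.
pass out on $ext_if proto tcp from any to any port { 80 443 } \
    flags S/SA keep state

# Nothing else gets in on the external interface. Return traffic for the
# connections above is still allowed, because it matches existing state.
block in on $ext_if
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, list what the table actually contains with `pfctl -t noface -T show`, and confirm the block is hit with `tcpdump -n -e -ttt -i pflog0` while a client tries to reach one of the listed addresses. If the block rule is placed after the pass out rule without quick, the pass rule wins on the first packet, a state is created, and from then on packets for that connection bypass the block entirely.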