#9
14th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

I don't understand why you don't use the rules I proposed in one of the first posts and add the one for the firewall-initiated traffic:
Code:
block log (all)

pass out quick on $ext_if tagged OUT_OK

pass out  on $ext_if from ($ext_if) to any modulate state tag OUT_OK

pass in quick on $int_if inet proto tcp to any  port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any  port $UDP_services tag OUT_OK
The advantage of having a block log (all) rule is debugging. All packets that are being blocked by pf will show up on the pflog0 device. You can watch these packets by running tcpdump on this device:
Code:
# tcpdump -eni pflog0
Re: examples of OpenBSD pf user guide

If you are not running OpenBSD you have to be careful with using the examples from the pf user guide. That guide is up-to-date for OpenBSD only.

It usually takes some time before the newest pf features available for OpenBSD have been migrated/ported to FreeBSD.
That is why I am a little bit conservative in recommending you the latest and greatest pf features.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 15th November 2008 at 06:36 PM. Reason: Changed 'tcpdump -eni bge0' into the correct 'tcpdump -eni pflog0'
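The post's point is that `block log (all)` sends every dropped packet to pflog0, so `tcpdump -eni pflog0` becomes the debugging tool for the ruleset. The following is an added example (not part of J65nko's post or of OpenBSD) that reads a few constructed lines in the shape tcpdump prints for pflog frames (`rule N/(match) block in on IFACE: src.port > dst.port:`; that layout is assumed here, not taken from the post) and summarizes what pf blocked, by direction, destination port and inbound source. Pipe real `tcpdump -eni pflog0 -l` output into `summarize_blocked()` the same way.

```python
import re
import sys
from collections import Counter

# Assumed shape of one tcpdump pflog line (OpenBSD tcpdump with -e on pflog0).
# Tolerates an optional "IP"/"IP6" token that some tcpdump builds print.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\S+): (?:IP6? )?(?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+):"
)

# Constructed sample output; these addresses are documentation ranges, not a real capture.
SAMPLE_PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
12:00:01.000001 rule 0/(match) block in on em0: 203.0.113.7.40001 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 rule 0/(match) block in on em0: 203.0.113.7.40002 > 192.0.2.10.23: Flags [S], seq 1, win 65535, length 0
12:00:01.000003 rule 0/(match) block in on em0: 203.0.113.9.53 > 192.0.2.10.53: 1234+ A? example.invalid. (33)
12:00:01.000004 rule 0/(match) block out on em0: 192.0.2.10.51000 > 198.51.100.5.443: Flags [S], seq 2, win 65535, length 0
12:00:01.000005 rule 0/(match) block in on em0: 203.0.113.7.40003 > 192.0.2.10.22: Flags [S], seq 3, win 65535, length 0
"""


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None for lines that are not pflog records
    (tcpdump banners, truncated output)."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_blocked(text):
    """Aggregate only the records pf blocked. With the ruleset from the post, every
    block comes from the catch-all 'block log (all)' rule, so what matters for
    debugging is direction, interface and destination port rather than rule number."""
    records = (parse_pflog_line(line) for line in text.splitlines())
    blocked = [r for r in records if r is not None and r["action"] == "block"]
    return {
        "total": len(blocked),
        "by_direction": dict(Counter(r["direction"] for r in blocked)),
        "by_iface": dict(Counter(r["iface"] for r in blocked)),
        # (direction, dport) tells you which service a host was trying to reach
        # when pf dropped it, e.g. a port missing from $TCP_services/$UDP_services.
        "by_dport": dict(Counter((r["direction"], r["dport"]) for r in blocked)),
        # Inbound sources hitting the default block: useful for spotting scans.
        "inbound_sources": dict(Counter(r["src"] for r in blocked if r["direction"] == "in")),
    }


def main():
    # Read tcpdump output from stdin if piped, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    summary = summarize_blocked(text)
    print(f"blocked packets: {summary['total']}")
    for key in ("by_direction", "by_iface", "by_dport", "inbound_sources"):
        print(f"{key}:")
        for k, v in sorted(summary[key].items(), key=lambda kv: -kv[1]):
            print(f"  {k}: {v}")


if __name__ == "__main__":
    main()
```

Run it as `tcpdump -eni pflog0 -l | python3 pflog_summary.py` to get a live tally; the `-l` flag makes tcpdump line-buffer its output so the pipe does not stall.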