Old 28th March 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

The ruleset allows outgoing requests to your blacklisted IP addresses, but blocks
the incoming replies.
Try this (untested) version, which does not allow outgoing requests to your blacklist.

Code:
# Defines - NIC for external/internal network routes and other addresses
nic_ext = "fxp0"
nic_int = "lo1"

myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"

# Hard-Coded blocks 
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends

table <blacklist> {
    208.201.239.101
    222.208.183.218
    125.230.150.249
    66.102.9.0/24
    63.88.212.91
}

# Allow everything through the secondary (Firewall->Switch) interface
# and the loopback interface
set skip on { $nic_int lo0 }

# --- NAT rule
#nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)

# --- Default policy
block log all

# -- External interface

antispoof quick for $nic_ext

# Allow outbound traffic from internal network
pass out quick on $nic_ext inet proto tcp from $mysub to !<blacklist> port != ssh
pass out quick on $nic_ext inet proto udp from $mysub to !<blacklist>

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext inet proto tcp from any to $myweb port 8080

You can see I eliminated your DNS rule. If you pass out all UDP traffic, you already allow DNS on port 53.

If this doesn't work as expected, you can visualize which packets are being blocked by running tcpdump on the pflog0 interface.
Code:
# tcpdump -eni pflog0
BTW why doesn't your internal interface re1 have any IPv4 address? And what is that bridge0 interface supposed to do?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
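To see why the suggested ruleset blocks outgoing requests to the blacklist while still letting UDP DNS and inbound port 8080 through, the following Python evaluator walks a first packet through the rules the way pf does (top to bottom, last match wins, unless a matching rule is marked quick, which ends evaluation). This is an added illustration written for this page, not code from the post or from pf itself; the Packet class, the predicate functions and the sample addresses in the 198.51.100.0/24 and 203.0.113.0/24 ranges are constructed for the demonstration. The blacklist entries and local addresses are taken from the ruleset above. Antispoof and pf's state table (which is what lets replies to a passed connection back in) are deliberately not modelled.

```python
"""Hypothetical first-packet evaluator for the pf ruleset quoted in the post.

Models pf's matching order: rules are checked top to bottom and the LAST
matching rule wins, unless a matching rule carries "quick", which ends
evaluation immediately.  Only the stateless decision for the first packet
of a flow is modelled; antispoof and the state table are not.
"""
import ipaddress
from dataclasses import dataclass

# Addresses and the <blacklist> table, copied from the ruleset in the post.
MYSUB = ipaddress.ip_network("192.168.134.0/24")
MYWEB = ipaddress.ip_address("192.168.134.250")
BLACKLIST = [ipaddress.ip_network(n) for n in (
    "208.201.239.101", "222.208.183.218", "125.230.150.249",
    "66.102.9.0/24", "63.88.212.91",
)]
SSH_PORT = 22  # pf resolves the service name "ssh" to 22 via /etc/services


@dataclass
class Packet:
    """First packet of a flow as seen on $nic_ext (constructed model)."""
    direction: str  # "in" or "out" relative to the external interface
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def in_table(ip: str, table) -> bool:
    """True if ip falls inside any host or CIDR entry of the table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in table)


# (rule text, action, quick, predicate) in the order they appear in pf.conf.
RULES = [
    ("block log all", "block", False,
     lambda p: True),
    ("pass out quick tcp from $mysub to !<blacklist> port != ssh", "pass", True,
     lambda p: p.direction == "out" and p.proto == "tcp"
     and ipaddress.ip_address(p.src) in MYSUB
     and not in_table(p.dst, BLACKLIST) and p.dport != SSH_PORT),
    ("pass out quick udp from $mysub to !<blacklist>", "pass", True,
     lambda p: p.direction == "out" and p.proto == "udp"
     and ipaddress.ip_address(p.src) in MYSUB
     and not in_table(p.dst, BLACKLIST)),
    ("pass in quick tcp from any to $myweb port 8080", "pass", True,
     lambda p: p.direction == "in" and p.proto == "tcp"
     and ipaddress.ip_address(p.dst) == MYWEB and p.dport == 8080),
]


def evaluate(p: Packet):
    """Return (decision, rule) for the rule that finally decided the packet."""
    # If nothing matched at all, pf passes; here "block log all" always matches.
    decision, winner = "pass", "<no rule matched: pf default pass>"
    for text, action, quick, matches in RULES:
        if matches(p):
            decision, winner = action, text
            if quick:
                break  # quick: stop evaluating further rules
    return decision, winner


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.x and 203.0.113.x are documentation ranges.
    samples = [
        Packet("out", "tcp", "192.168.134.10", "208.201.239.101", 80),  # blacklisted host
        Packet("out", "tcp", "192.168.134.10", "66.102.9.77", 80),      # inside blacklisted /24
        Packet("out", "tcp", "192.168.134.10", "198.51.100.7", 80),     # ordinary web request
        Packet("out", "tcp", "192.168.134.10", "198.51.100.7", 22),     # ssh is excluded
        Packet("out", "udp", "192.168.134.10", "198.51.100.53", 53),    # DNS rides the UDP rule
        Packet("in", "tcp", "203.0.113.5", "192.168.134.250", 8080),    # to the web server
        Packet("in", "tcp", "203.0.113.5", "192.168.134.2", 8080),      # wrong host
    ]
    for s in samples:
        decision, rule = evaluate(s)
        print(f"{s.direction:3} {s.proto} {s.src} -> {s.dst}:{s.dport:<5} {decision:5} ({rule})")
```

The returned rule text is the same information pf logs to pflog0 when a rule carries "log"; running the script shows that every outbound attempt to a <blacklist> entry falls through the quick pass rules and is caught by "block log all", which is exactly what the tcpdump on pflog0 suggested above would display.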