From: "Peter" <fbsdq@peterk.org>
To: "Glen Barber"
Cc: Eric Magutu, freebsd-pf@freebsd.org
Subject: Re: first firewall with pf
Date: Tue, 24 Mar 2009 10:13:03 -0600 (MDT)
Message-ID: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>>
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins. Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules - placing this rule on top will 'quick' block everyone without parsing any other rules.

Rules ~should~ be:

    block all
    pass out keep state
    block quick proto tcp from ZZ to port XX
    pass in proto tcp port XX keep state
    pass in proto tcp port YY keep state

This will allow outbound everything, allow inbound only on ports XX, YY except from ZZ; all other packets will match rule 'block all'.

]Peter[
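To make the evaluation-order point in this exchange concrete, the following is an added Python model of how pf picks a rule: it walks the list top-down, the last matching rule wins, and a matching rule marked `quick` stops evaluation on the spot. It is not code from the thread or from pf itself; the rule mini-language, the port numbers XX=22 and YY=80, the host ZZ=203.0.113.7 and the sample packets are all constructed for illustration, and `keep state` is omitted because it does not affect which rule matches a first packet.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).

pf semantics modelled here: rules are evaluated top-down, the LAST matching
rule decides, except that a matching rule with 'quick' ends evaluation at
once. When nothing matches, pf passes the packet by default.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out" or None (either)
    proto: Optional[str] = None        # "tcp", "udp" or None (any)
    src: Optional[str] = None          # source host or None (any)
    dport: Optional[int] = None        # destination port or None (any)
    quick: bool = False                # stop evaluation when this rule matches

    def matches(self, pkt: Dict[str, object]) -> bool:
        return ((self.direction is None or self.direction == pkt["dir"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(rules: List[Rule], pkt: Dict[str, object]) -> str:
    """Return "pass" or "block" for one packet under pf's matching model."""
    decision = "pass"                  # pf's implicit default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action     # later matches override earlier ones ...
            if rule.quick:
                break                  # ... unless the match is 'quick'
    return decision


# Constructed placeholder values for the XX / YY / ZZ used in the thread.
XX, YY, ZZ = 22, 80, "203.0.113.7"

# "Move the block to the top" applied literally to a ruleset where every
# rule is 'quick': the first rule matches all inbound traffic and wins.
quick_block_on_top = [
    Rule("block", direction="in", quick=True),
    Rule("pass", direction="in", proto="tcp", dport=XX, quick=True),
    Rule("pass", direction="in", proto="tcp", dport=YY, quick=True),
]

# The ordering proposed in the reply: a non-quick catch-all first, then the
# specific exceptions, with one 'quick' block that cannot be overridden.
catch_all_first = [
    Rule("block"),
    Rule("pass", direction="out"),
    Rule("block", proto="tcp", src=ZZ, dport=XX, quick=True),
    Rule("pass", direction="in", proto="tcp", dport=XX),
    Rule("pass", direction="in", proto="tcp", dport=YY),
]

# Constructed sample packets (RFC 5737 documentation addresses).
PACKETS = {
    "ssh_from_anyone": {"dir": "in",  "proto": "tcp", "src": "198.51.100.5", "dport": XX},
    "ssh_from_ZZ":     {"dir": "in",  "proto": "tcp", "src": ZZ,             "dport": XX},
    "http_in":         {"dir": "in",  "proto": "tcp", "src": "198.51.100.5", "dport": YY},
    "smtp_in":         {"dir": "in",  "proto": "tcp", "src": "198.51.100.5", "dport": 25},
    "dns_out":         {"dir": "out", "proto": "udp", "src": "10.0.0.2",     "dport": 53},
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("quick block on top", quick_block_on_top),
                         ("catch-all first", catch_all_first)):
        print(label)
        for name, verdict in decisions(rules).items():
            print(f"  {name:16s} -> {verdict}")
```

Running the two rulesets side by side shows the difference: with the `quick` block on top, every inbound packet is dropped before the `pass` rules are even consulted, whereas the catch-all-first ordering lets ports XX and YY through, still drops XX from ZZ because that `quick` rule fires before the later `pass`, and falls back to the plain `block all` for everything else.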