Date:      Tue, 24 Mar 2009 10:13:03 -0600 (MDT)
From:      "Peter" <fbsdq@peterk.org>
To:        "Glen Barber" <glen.j.barber@gmail.com>
Cc:        Eric Magutu <emagutu@gmail.com>, freebsd-pf@freebsd.org
Subject:   Re: first firewall with pf
Message-ID:  <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net>

> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu <emagutu@gmail.com> wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>>
>
> This should not be the last rule.  PF implements the rules in a
> top-down fashion, where the last rule always wins.  Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules - placing this rule on
top will 'quick' block everyone without parsing any other rules.

Rules ~should~ be:
block all
pass out keep state
block quick proto tcp from ZZ to port XX
pass in proto tcp port XX keep state
pass in proto tcp port YY keep state


This will allow outbound everything,
allow inbound only on ports XX, YY except from ZZ;
all other packets will match rule 'block all'.

]Peter[
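A small model of pf's matching order (the last matching rule wins, and a matching rule with 'quick' ends evaluation at once), added here as an illustration; it is not part of the original message or of pf itself. The concrete values for XX, YY and ZZ and the sample packets are constructed placeholders.

```python
# Added example: a toy model of pf rule evaluation, not pf's own code.
# XX, YY, ZZ stand in for the placeholders in the post (constructed values).
from dataclasses import dataclass

XX, YY, ZZ = 22, 80, "203.0.113.7"

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    quick: bool = False     # stop evaluating once this rule matches
    direction: str = None   # "in", "out", or None for either
    src: str = None         # source address, None for any
    dport: int = None       # destination port, None for any

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dport: int

def matches(rule, pkt):
    return (rule.direction in (None, pkt.direction)
            and rule.src in (None, pkt.src)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt):
    """pf semantics: walk every rule; the last match decides,
    unless a matching rule has 'quick', which ends the walk."""
    verdict = "pass"        # pf passes a packet that matches no rule at all
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Peter's suggested ordering from the post.
PETER = [
    Rule("block"),                                  # block all
    Rule("pass", direction="out"),                  # pass out keep state
    Rule("block", quick=True, src=ZZ, dport=XX),    # block quick ... from ZZ to port XX
    Rule("pass", direction="in", dport=XX),         # pass in ... port XX keep state
    Rule("pass", direction="in", dport=YY),         # pass in ... port YY keep state
]

# Eric's 'block in quick ... all' moved above the pass rules, as Glen
# suggested: it matches every inbound packet first and 'quick' stops
# evaluation, so no later pass rule is ever consulted.
QUICK_ON_TOP = [Rule("block", quick=True, direction="in")] + PETER[1:]
```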

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53529.216.241.167.212.1237911183.squirrel>