PF and blocking of some ports

Vitaliy Vladimirovich artemrts at ukr.net
Mon Jul 21 11:44:45 UTC 2008


  
--- Original Message ---  
From: Max Laier <max at love2party.net>  
To: freebsd-pf at freebsd.org  
Date: 21 july, 13:48:23  
Subject: Re: PF and blocking of some ports  
  
  On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:  
> Hi,  
>  
>  I have question about blocking some ports for LAN users.  
>  
>  Below a part of my pf.conf:  
>  
>  
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP ->  
> $ext_if:0  
>  
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP  
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp  
> 53  
>  
>  
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if  
> port !=25 tag LAN_INET_TCP_UDP  
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53  
>  
>  
> All works fine. But when I wish to block not only port 25 but also 5190 or some  
> other ports, blocking does not occur. And I can connect to port 25 on  
> any host on the Internet from any computer in the local network.  
>  
> Rules, which I try to use:  
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if  
> port {!=25 !=5190} tag LAN_INET_TCP_UDP  
>  
> Please tell me where my mistake is.  
  
The above will expand to 4 rules:  
  
pass quick ... tcp ... to !int_if port != 25 ...  
pass quick ... udp ... to !int_if port != 25 ...  
pass quick ... tcp ... to !int_if port != 5190 ...  
pass quick ... udp ... to !int_if port != 5190 ...  
  
It should be obvious that the first rule will allow tcp traffic to port  
5190 and the third to port 25.  
  
In general you should rather block unwanted traffic explicitly.      
    
Ok, thanks for the advice.  
I have changed the rule to  
  
pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if  
port $ports tag LAN_INET_TCP_UDP  
  
and defined $ports as  
  
ports= "{20 21 80 443 8000 8080}"  
  
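A small Python model of pf's brace-list expansion and first-match evaluation, added here as an example; it is not from the thread and not pf itself. It evaluates only the proto and port fields, assumes every rule is `quick` and that nothing matching means block, and reproduces why the `{!=25 !=5190}` rule lets port 25 through while an explicit block rule placed before the pass rule does not.

```python
import itertools
import re

# Teaching approximation of pf: expand {a b c} lists into separate rules,
# then take the first matching rule (all rules here are treated as 'quick').

def expand_rule(rule):
    """Expand each {a b c} list into one rule per combination, as pfctl does."""
    lists = re.findall(r"\{([^}]*)\}", rule)
    expanded = []
    for combo in itertools.product(*[lst.split() for lst in lists]):
        r = rule
        for item in combo:
            r = re.sub(r"\{[^}]*\}", item, r, count=1)
        expanded.append(r)
    return expanded

def rule_matches(rule, proto, port):
    """True if this expanded rule's 'proto' and 'port' fields accept the packet."""
    m = re.search(r"\bproto (\w+)", rule)
    if m and m.group(1) != proto:
        return False
    m = re.search(r"\bport (!=)?(\d+)", rule)
    if m:
        negated, p = m.group(1) == "!=", int(m.group(2))
        if (port == p) == negated:  # '!=25' rejects 25; '25' rejects anything else
            return False
    return True

def verdict(ruleset, proto, port):
    """Action of the first matching expanded rule; 'block' if none matches (assumed)."""
    for rule in (r for raw in ruleset for r in expand_rule(raw)):
        if rule_matches(rule, proto, port):
            return rule.split()[0]
    return "block"

# The rule from the thread: '!=' inside a list becomes independent pass rules.
LEAKY = [
    "pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if"
    " port {!=25 !=5190} tag LAN_INET_TCP_UDP",
    "block in quick on $int_if",
]
# The advice from the thread: block the unwanted ports explicitly, ahead of the pass.
EXPLICIT = [
    "block in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {25 5190}",
    "pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if tag LAN_INET_TCP_UDP",
    "block in quick on $int_if",
]

if __name__ == "__main__":
    for rule in expand_rule(LEAKY[0]):
        print(rule)
    for name, rs in (("leaky", LEAKY), ("explicit", EXPLICIT)):
        print(name, {p: verdict(rs, "tcp", p) for p in (25, 5190, 80)})
```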

