PF firewall rules
Dmitry Andrianov
dimas at dataart.com
Tue Jul 11 08:32:14 UTC 2006
Hi.
> >Why can't you filter incoming packets as they come on internal
> >interface? IMHO it is more natural because you stop unwanted traffic
> >early..
>
> So you're saying that to stop packets going *out* it's more "natural" to
> type up a *block in* firewall rule to achieve the desired result. I
> think it is a hard point of view to argue, and this was something that
> was never needed with IPFilter and is probably one of its better
> remaining features over PF.
It only depends on your personal preferences. I used IPFilter for about
4 years before switching to pf, and I was using exactly the same approach
there: the "pass out ... keep state" used to allow all outbound traffic
while routed was making its decisions solely on inbound packets.
> So to block IP 192.168.1.17 from connecting *out* to anything
> on the internet I have to use a "block in" statement and there is no
> other way of doing this rule?
>
> block in quick on $int_if proto { tcp, udp, icmp } from 192.168.1.17 to any
Even

    block in quick on $int_if from 192.168.1.17 to any

Why not? If you need to allow this host to connect to the gateway itself, you
may use "pass in quick" rules before that one. Or vice versa: you can
use

    block in on $int_if from 192.168.1.17 to any

(without "quick") and then allow only some destinations/protocols. And
finally you can tag your packets and then decide whether to pass that
packet or not based on tags.
Regards,
Dmitry Andrianov
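The three approaches sketched in the reply above, written out as pf.conf rule sets. This is an added example for this archive page, not part of the original message. The interface names, the gateway address and the web ports are assumptions chosen for illustration; only the host 192.168.1.17 and the $int_if macro come from the thread. The three sections are alternatives for the same goal (keeping that host off the internet while allowing limited exceptions), so a real ruleset would use one of them, not all three. "keep state" is written explicitly, as the pf of that era required.

```pf
# Added example; not from the original post. Macro values are assumptions.
int_if     = "em1"            # assumption: internal (LAN) interface
ext_if     = "em0"            # assumption: external (internet) interface
gw_addr    = "192.168.1.1"    # assumption: the gateway's own address on $int_if
restricted = "192.168.1.17"   # host from the thread
web_ports  = "{ 80, 443 }"    # assumption: the only destinations to allow in alternative 2

# --- Alternative 1: "pass in quick" exceptions, then "block in quick" ---
# "quick" stops rule evaluation at the first match, so the exception must
# come first. The host can still talk to the gateway itself, nothing else.
pass in quick on $int_if from $restricted to $gw_addr keep state
block in quick on $int_if from $restricted to any

# --- Alternative 2: "block in" without "quick", then selective "pass" ---
# Without "quick" the last matching rule wins, so a later, more specific
# pass rule overrides the general block for chosen destinations/protocols.
block in on $int_if from $restricted to any
pass in on $int_if proto tcp from $restricted to any port $web_ports keep state

# --- Alternative 3: tag on the inbound side, decide on the outbound side ---
# The packet is accepted on $int_if but carries a tag; the outbound rule on
# $ext_if drops anything tagged, while untagged traffic from other hosts
# passes. Useful when the "pass out" side is where policy is maintained.
pass in on $int_if from $restricted to any tag RESTRICTED_HOST keep state
block out quick on $ext_if tagged RESTRICTED_HOST
pass out on $ext_if keep state
```

Whichever alternative is used, the practical check is the same: after `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the loaded order, and a blocked attempt from the host is visible with `pfctl -s states` showing no entry for it while `tcpdump -n -e -ttt -i pflog0` shows the drop if the block rule carries the `log` keyword.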