first firewall with pf

Peter fbsdq at peterk.org
Tue Mar 24 09:13:30 PDT 2009


> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu <emagutu at gmail.com> wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>>
>
> This should not be the last rule.  PF implements the rules in a
> top-down fashion, where the last rule always wins.  Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules. Placing this rule on
top will 'quick' block everyone without parsing any other rules.

rules ~should~ be:

# default deny: the last matching rule wins, so this catches anything
# no later rule matches
block all
# allow everything outbound; keep state so replies are let back in
pass out keep state
# 'quick' ends evaluation here, so the pass rules below cannot override it
block quick proto tcp from ZZ to port XX
pass in proto tcp to port XX keep state
pass in proto tcp to port YY keep state


This will allow everything outbound,
allow inbound only on ports XX and YY except from ZZ;
all other packets will match the rule 'block all'.

]Peter[
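The ordering question in this thread, as an added example that is not part of the post or of pf itself: a short Python model of pf's evaluation order (top-down, last matching rule wins, unless a matching rule carries 'quick', which ends evaluation at once). It runs three orderings over a few constructed packets: Peter's ruleset, Eric's with 'block in quick all' as the last rule, and Glen's suggestion of moving that same rule to the top. The addresses and ports standing in for ZZ, XX and YY are assumed values; interface matching ('on $ext_if') and the state table ('keep state') are not modelled, so the model shows only which rule would be selected for a fresh packet.

```python
"""Model of pf rule evaluation: last matching rule wins unless a
matching rule is marked 'quick', which ends evaluation immediately.
Added example, not code from the mailing-list post; addresses and ports
below are constructed stand-ins for Peter's ZZ, XX and YY."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", ...
    src: str                # source address
    dport: Optional[int]    # destination port (None for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    quick: bool = False
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # None matches any source
    dport: Optional[int] = None      # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the ruleset top-down the way pf does: remember the last rule
    that matched, but stop at the first matching rule flagged 'quick'.
    With no match at all pf's default is to pass."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


# Constructed stand-ins (assumed values): ZZ = 203.0.113.7, XX = 22, YY = 80.
ZZ, XX, YY = "203.0.113.7", 22, 80

# Peter's ordering: default deny first, the quick block before the pass rules.
PETER = [
    Rule("block"),                                        # block all
    Rule("pass", direction="out"),                        # pass out keep state
    Rule("block", quick=True, proto="tcp", src=ZZ, dport=XX),
    Rule("pass", direction="in", proto="tcp", dport=XX),  # pass in proto tcp to port XX
    Rule("pass", direction="in", proto="tcp", dport=YY),  # pass in proto tcp to port YY
]

# Eric's ordering: pass rules first, 'block in quick all' as the last rule.
# Being last it is also the last match for every inbound packet, so it wins.
QUICK_BLOCK_LAST = [
    Rule("pass", direction="out"),
    Rule("pass", direction="in", proto="tcp", dport=XX),
    Rule("pass", direction="in", proto="tcp", dport=YY),
    Rule("block", direction="in", quick=True),
]

# The same rule moved to the top, as Glen suggested: 'quick' now ends
# evaluation before any pass rule is seen, so inbound is still all blocked.
QUICK_BLOCK_FIRST = [
    Rule("block", direction="in", quick=True),
    Rule("pass", direction="out"),
    Rule("pass", direction="in", proto="tcp", dport=XX),
    Rule("pass", direction="in", proto="tcp", dport=YY),
]

# Constructed sample packets.
SAMPLE_PACKETS = [
    Packet("in", "tcp", "198.51.100.5", XX),   # inbound to XX from a stranger
    Packet("in", "tcp", ZZ, XX),               # same port, but from the banned ZZ
    Packet("in", "tcp", "198.51.100.5", YY),   # inbound to YY
    Packet("in", "tcp", "198.51.100.5", 443),  # a port nobody opened
    Packet("in", "udp", "198.51.100.5", 53),   # another protocol entirely
    Packet("out", "tcp", "10.0.0.2", 443),     # outbound
]


def decisions(rules: List[Rule]) -> List[str]:
    """Verdict for each sample packet under a given ruleset."""
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, rules in (("peter", PETER), ("quick block last", QUICK_BLOCK_LAST),
                        ("quick block first", QUICK_BLOCK_FIRST)):
        print(f"{name:18s} {decisions(rules)}")
```

Only Peter's ordering lets the first, third and sixth sample packets through and blocks the rest; both placements of 'block in quick all' block every inbound packet. On a real FreeBSD box the equivalent check is 'pfctl -nf /etc/pf.conf', which parses the file without loading it, and 'pfctl -sr' after loading to confirm the order pf actually holds.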
