RE: PF & Windows Vista

Wed, 07 Feb 2007 07:24:59 -0800 

Volker wrote:
> 
> Kevin,
> 
> helping you with just this snippet of rules is like fishing in the
> dark.
> 
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state (no keep state option) the answer to that incoming
> connection will probably never reach the originating IP address.
> 
> As you're logging but do not keep state, you're getting a whole
> bunch of log entries which might render your logs unreadable (every
> packet is being logged instead of every connection).
> 
> If your rules work properly for other hosts (again, your snippet of
> rules is useless for supporting you) I'm wondering if your Vista
> machine does IPv6 and does not try v4? I don't know Vista at all but
> I guess v6 support is built in.
> 
> Greetings,
> 
> Volker


I was hoping that the issue was simple and common, due to Vista's emphasis
on ipv6 among other networking issues. Either way, below is my entire pf
configuration.  I hope it helps.




### Firewalls are Sun Netra X1 UltraSPARC IIe 400

ext_if="dc1"
int_if="dc0"
loop_if="lo0"
internal_addr="xxx.xxx.xxx.x
external_addr="xx.xxx.xxx.xxx
internal_net="xxx.xxx.xxx.x
external_net="xx.xxx.xxx.xxx

### Load carp interfaces

c1="carp1"
c130="carp130"
c131="carp131"
c132="carp132"
c133="carp133"
c134="carp134"
c135="carp135"
c136="carp136"
c137="carp137"
c138="carp138"
c139="carp139"
c140="carp140"
c141="carp141"
c142="carp142"
c143="carp143"
c144="carp144"
c145="carp145"
c146="carp146"
c147="carp147"
c148="carp148"
c149="carp149"
c150="carp150"
c151="carp151"
c152="carp152"
c153="carp153"
c154="carp154"
c155="carp155"
c156="carp156"
c157="carp157"
c158="carp158"
c159="carp159"
c160="carp160"
c161="carp161"
c162="carp162"
c163="carp163"
c164="carp164"
c165="carp165"
c166="carp166"
c167="carp167"
c168="carp168"
c169="carp169"
c170="carp170"
c171="carp171"
c172="carp172"
c173="carp173"
c174="carp174"
c175="carp175"
c176="carp176"
c177="carp177"
c178="carp178"
c179="carp179"
c180="carp180"
c181="carp181"
c182="carp182"
c183="carp183"
c184="carp184"
c185="carp185"
c186="carp186"
c187="carp187"
c188="carp188"

InServicesTCP = "{ http, https }"
InServicesUDP = "{ domain, ntp, rpc }"
OutServicesTCP = "{ http, https, whois }"
OutServicesUDP = "{ ntp, domain, rpc }"
ProtoBlocked = "{ tcp, udp }"

table <carpext> const file "/etc/firewall/carp_extaddr.tbl"
table <private> const file "/etc/firewall/ip_localblock.tbl"
table <caught> persist file "/etc/firewall/ip_caught.tbl" file
"/etc/firewall/ip_exploit.tbl"
#table <excess_conns> file "/etc/firewall/excess_conns.tbl"
table <excess_conns_130> persist
table <excess_conns_131> persist
table <excess_conns_132> persist
table <excess_conns_133> persist
table <excess_conns_134> persist
table <excess_conns_135> persist
table <excess_conns_136> persist
table <excess_conns_137> persist
table <excess_conns_138> persist
table <excess_conns_139> persist
table <excess_conns_140> persist
table <excess_conns_141> persist
table <excess_conns_142> persist
table <excess_conns_143> persist
table <excess_conns_144> persist
table <excess_conns_145> persist
table <excess_conns_151> persist
table <excess_conns_ftp130> persist
table <excess_conns_ftp135> persist
table <excess_conns_ftp143> persist
table <webips> const file "/etc/firewall/web_server_ips.tbl"
#table <sshhacks> persist file "/etc/firewall/ssh_hackers.tbl"
table <sshhacks> persist 
table <sendmail_hacks> persist file "/etc/firewall/sendmail_hacks.tbl"
table <blacklistproxies> persist file "/etc/firewall/blacklistproxies.tbl"
table <port_scans> persist file "/etc/firewall/port_scanners.tbl"

#### open for unabated users

table <unabated> {  xx.xxx.xxx.xxx }

#### nfs table for hosts

#table <nfs> { xxx.xxx.xxx.x


##### Safe users

table <safeusers> { xxx.xxx.xxx.x }

# Options: tune the behavior of pf, default values are given.

set timeout { interval 30, frag 60, src.track 180 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 2000000, frags 1000000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic
ambiguities.

scrub in all


### rdr's

rdr on $ext_if proto tcp from any to ($c130) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c131) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c136) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c137) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c138) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c139) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c140) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c141) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c142) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c144) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c145) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c146) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c148) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c149) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c150) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 80 -> xxx.xxx.xxx.x

### Port 443 required mappings

rdr on $ext_if proto tcp from any to ($c131) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 443 -> xxx.xxx.xxx.x
#### Port 22 maps

rdr on $ext_if proto tcp from any to ($c130) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c169) port 22 -> xxx.xxx.xxx.x

##### Port 21 / FTP 

rdr on $ext_if proto tcp from any to ($c130) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c130) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 2121 -> xxx.xxx.xxx.x

##### Port 21 / FTP 

rdr on $ext_if proto tcp from any to ($c130) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 20 -> xxx.xxx.xxx.x

##### Passiv3 mod3 FtP

rdr on $ext_if proto tcp from any to ($c130) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 50000:50050 ->
xxx.xxx.xxx.x

##### Port 873 for rsync

rdr on $ext_if proto tcp from any to ($c143) port 873 -> xxx.xxx.xxx.x


####### Nat back out for connections initiated behind the firewall

nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x

### Carp specific pass rules

pass quick on { dc0 } proto pfsync
pass quick on { dc0 dc1 } proto carp keep state

#### Before block in all is turned back on make sure you don't get locked
out
#### allow safeusers

pass in quick on $ext_if inet proto tcp from <unabated> to any flags S/SA
keep state 
pass in quick on $ext_if inet proto udp from <unabated> to any keep state 
pass in quick on $ext_if inet proto icmp from <unabated> to any keep state 

### Office for Vista issue -- no state 

pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any 
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.x/32 to any 
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.x/32 to any 
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any



# Filtering ---- first up is the default block

block in all
#block in on $ext_if

### block private addresses

block drop in quick on $ext_if from <private> to any
block drop out quick on $ext_if from any to <private>


### Allow NFS traffic

pass in quick on $int_if inet proto tcp from <nfs> to xxx.xxx.xxx.x
pass in quick on $int_if proto udp from <nfs> to xxx.xxx.xxx.x
pass out quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $int_if inet proto udp from xxx.xxx.xxx.x

# Allow safehost access to web / FTP

pass in quick on $ext_if inet proto tcp from <safeusers> to <webips> port
$InServicesTCP flags S/SA keep state 
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto icmp from <safeusers> to <webips> keep
state 


#### Block sendmail hacks & port scans

block drop quick from <sendmail_hacks>
block drop quick from <port_scans>

#### Block Excess connections - DoS - SSH hackers - but allow  for them to
recieve the generic message

block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_130> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_131> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_132> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_133> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_134> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_135> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_136> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_137> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_138> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_139> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_140> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_141> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_142> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_143> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_144> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_145> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_151> to
any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp130>
to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp135>
to any 
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp143>
to any 




### catch ssh hacks

pass in quick on $ext_if inet proto tcp from any to any port 22 flags S/SA
keep state (max-src-conn 1, max-src-conn-rate 1/200, overload <sshhacks>
flush global)
pass in quick on $int_if inet proto tcp from any port 22 to any flags
SA/SAFR keep state

### block caught

pass out quick on $ext_if from any to xx.xxx.xxx.xxx
pass in quick on $ext_if from xx.xxx.xxx.xxx
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep
state
block drop in quick on $ext_if from <caught> to any
block drop in quick on $ext_if from <carpext> to any
block drop in quick on $ext_if from $ext_if to any
block drop out quick on $ext_if from any to <carpext>
block drop out quick on $ext_if from any to $ext_if

#### Explicit allow connections into the f/wall from the internal network

pass in quick on $int_if proto tcp from $internal_net to $internal_addr port
22 flags S/SA keep state
pass in quick on $int_if proto udp from $internal_net to $internal_addr port
53 keep state
pass in quick on $int_if proto icmp from $internal_net to $internal_addr
keep state

##### Apply anti-spoof blocks

block drop in quick on $int_if from any to <private>
block drop in quick on $int_if from any to $internal_net

##### loopback interface

pass in quick on $loop_if all
pass out quick on $loop_if all



## block web access to this hosts BASE

block drop in quick on $ext_if proto tcp from any to $external_addr port 443




pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

#### FtP SerViCeS --- 21 and PasSiVe

pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
###(max-src-conn 74, max-src-conn-rate 100/2, overload <excess_conns_ftp130>
flush global)
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x


pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x


###### allow mail rsync, etc

pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to
xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to
xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x


pass out quick on $ext_if inet proto tcp from any to any port 2620 flags
S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port 2620 
pass in quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA
keep state
pass in quick on $ext_if inet proto udp from any to any port 2620 

pass out quick on $int_if inet proto tcp from any to any port 2620 flags
S/SA keep state
pass out quick on $int_if inet proto udp from any to any port 2620 



##### dns services have to be allowed

pass in quick on $ext_if inet proto udp from any to $external_addr port 53
keep state
pass in quick on $ext_if inet proto udp from any port 53 to $internal_net
keep state
pass in quick on $ext_if inet proto udp from any port 53 to any keep state

#### temp. ftp outbound for port updates / src updates / etc

#pass in quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass in quick on $int_if inet proto tcp from any to any port 21 keep state
#pass out quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass out quick on $int_if inet proto tcp from any to any port 21 keep state



##### with the block in all allow ns-2 full acess

########  END OF INBOUND allows on the ExTeRnAL InterFac3  ########

### allow SA responses back to initial SYN inbounds

pass in quick on $int_if proto tcp from <webips> port 80 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 443 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 21 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 20 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 50000:50050 to any
flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> to <unabated> flags SA/SAFR
keep state
pass in quick on $int_if proto udp from <webips> to <unabated> keep state
pass in quick on $int_if proto icmp from <webips> to <unabated> keep state
pass in quick on $int_if proto tcp from <webips> to <safeusers> flags
SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <safeusers> keep state
pass in quick on $int_if proto icmp from <webips> to <safeusers> keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

### Vista rules

pass in log quick on $int_if proto tcp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto udp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto icmp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

############ Some outbound rules  ###########

pass out quick on $ext_if proto udp from $external_addr to any port 123 keep
state
pass out quick on $ext_if proto tcp from $external_addr to any port 22 flags
S/SA keep state
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep
state
pass out quick on $ext_if proto tcp from $external_addr to any port 80 flags
S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 43 flags
S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 443
flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 5999
flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to xxx.xxx.xxx.x/32
port 25 flags S/SA keep state



#allow traceroute from fw -> host , this is really slow and doesnt work
properly
#pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep
state
#pass out quick on $ext_if inet proto udp from any to any port 33433 ><
33626 keep state


pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 53 keep
state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

pass in quick on $int_if proto udp from $internal_net to any port 123 keep
state
pass in quick on $int_if proto icmp from $internal_net to any keep state
pass in quick on $int_if proto tcp from $internal_net to any port 43 flags
S/SA keep state

pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x







_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to