Hi

I have a simple question about pf.

I want to block outgoing smtp traffic for all my users. I only pass
smtp traffic to two smtp servers (correo.urdi.com.ar,
smtp.bourlot.com).

This rule:

block out log quick on $ext_if proto tcp from any to any !{ correo.urdi.com.ar, smtp.bourlot.com } port smtp

doesn't work ..... what am I doing wrong?

Thanks in advance

roberto 

My rules are:

#interfaces 

ext_if = "dc0"
int_if = "xl0"

# protocols

protocolos = "{ tcp, udp, icmp }"
netbios = "{ netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"

##clients
cliente1  = "90.0.2.2"   
cliente2  = "90.0.2.3"   
cliente3  = "90.0.2.4"   


clientes = "{" $cliente1 $cliente2 $cliente3  ........."}

# RFC1918
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Those wonderful scrubbing bubbles
scrub in all

# NAT/RDR directives
nat on $ext_if from $clientes to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto { tcp, udp } from any to $ext_if port pptp -> 90.0.2.6 port pptp


# Filtering begins
block drop all

# Local machine stuff
pass quick on lo0 all

## enable ssh in firewall

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port 22 flags S/SA keep state queue ssh_server


# Clean invalid SRC/DST packets
block in  quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

# block netbios
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $netbios
block out log quick on $ext_if inet proto { tcp, udp } from any to any port $netbios

### block smtp traffic (doesn't work)

block out log quick on $ext_if proto tcp from any to any !{ correo.urdi.com.ar, smtp.bourlot.com } port smtp


# Out to the 'net
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue(std_out, tcp_ack_out)
pass out on $ext_if proto tcp from ($ext_if) to any port 80 modulate state queue web_surf
pass out on $ext_if proto tcp from ($ext_if) to any port 443 modulate state queue https_surf
pass out on $ext_if proto { udp } from ($ext_if) to any keep state queue std_out
pass out on $ext_if proto { gre } from ($ext_if) to any keep state queue std_out
pass out on $ext_if proto { icmp } from ($ext_if) to any keep state queue icmp_out
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port domain keep state queue dns_out

# Internal queueing
pass in on $int_if from $cliente1 to any keep state 
pass in on $int_if from $cliente2 to any keep state 
.......................................
.......................................
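The rule quoted in the post fails because pf expands a list into one rule per element, and that expansion also applies to a negated list: `to any !{ a, b } port smtp` becomes `to ! a port smtp` and `to ! b port smtp`, two rules that between them match every destination, so a packet to a gets caught by the second rule and a packet to b by the first. pf has no way to express "all but these hosts" with a negated list; the tool for an "all but" set is a table. The fragment below is an added example, not part of Roberto's post, showing how the intended egress SMTP policy can be written with a table and an explicit pass-before-block ordering. It assumes the `$ext_if` macro and the two relay hostnames from the post and that those hostnames resolve when the ruleset is loaded.

```pf
# Added example (not from the original post): restrict outbound SMTP to two
# approved relays using a table rather than a negated list.
# Assumes $ext_if and the two relay hostnames from the post.

ext_if = "dc0"

# Approved outbound SMTP relays. pfctl resolves these hostnames once, when the
# ruleset is loaded; the table then holds the resulting addresses.
table <smtp_relays> { correo.urdi.com.ar, smtp.bourlot.com }

# With "quick" the first matching rule wins, so the pass for the approved
# relays must come before the catch-all block. "log" on the block sends
# every rejected SMTP attempt to pflog0 for review.
pass  out quick on $ext_if proto tcp from any to <smtp_relays> port smtp flags S/SA keep state
block out log quick on $ext_if proto tcp from any to any port smtp
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and confirm what the table actually resolved to with `pfctl -t smtp_relays -T show`. Because the hostnames are resolved only at load time, a change of a relay's address needs a reload (or `pfctl -t smtp_relays -T replace correo.urdi.com.ar smtp.bourlot.com`). Blocked attempts can be watched with `tcpdump -n -e -ttt -i pflog0 port smtp`, which is also the quickest way to see whether a client is trying to reach a mail server it should not.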
