On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
> > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> >
> > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> > to port $udp_services
> > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > pass log out proto tcp to port $tcp_services # establish keep-stat
> > pass log log proto udp to port $udp_services # Establish keep-state
>
> If I read this correctly, you are not allowing any "in" traffic, except
> for the two "Letting ping through" lines, which are just for ICMP, and
> on the first two rules on the last part ("...$icmp_types" and
> "...$client_out"). I am assuming "log log" on the last rule is a typo,
> and it is actually "log out".

Those are, as far as I can tell, correct observations. There appears to be no rule allowing traffic other than the selected ICMP types to pass from anywhere but the local host.
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
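As an added illustration that is not part of the thread and not the original poster's ruleset: the review above hinges on the fact that a pf.conf rule without an explicit direction matches both `in` and `out`, while the `pass log out` rules only ever create state for outbound traffic, so nothing inbound is admitted beyond the selected ICMP types. The fragment below reuses the macro names from the quoted rules (`$ext_if`, `$localnet`, `$icmp_types`, `$tcp_services`, `$udp_services`, `$client_out`), gives every rule an explicit direction, and states the default-deny that the quoted excerpt implies but does not show. The macro values and the interface name are placeholders chosen for this example, and the `block all` line is an assumption about the poster's surrounding configuration.

```pf
# Added example, not the ruleset under discussion.
# Macro values below are placeholders, not taken from the thread.
ext_if = "em0"
localnet = $ext_if:network
icmp_types = "{ echoreq, unreach }"
tcp_services = "{ 22, 25, 80, 443 }"
udp_services = "{ domain, ntp }"
client_out = "{ 22, 25, 80, 443 }"

set skip on lo

# Default deny in both directions; anything not matched below is dropped
# and logged. (Assumed: the quoted excerpt does not show its block rule.)
block log all

# Inbound: only the selected ICMP types. Stateful by default, so replies
# to our own pings are also covered by the outbound rules below.
pass in log on $ext_if inet proto icmp icmp-type $icmp_types

# Outbound from the local network. "pass" keeps state by default, so
# return traffic for these connections is admitted without an "in" rule.
pass out log on $ext_if inet proto tcp from $localnet to port $client_out
pass out log on $ext_if inet proto { tcp, udp } from $localnet \
    to port $udp_services

# Outbound traceroute probes (the UDP port range from the quoted rules)
pass out log on $ext_if inet proto udp to port 33433:33626
pass out log on $ext_if inet6 proto udp to port 33433:33626

# The two "establish keep-state" rules, with the direction written out
pass out log proto tcp to port $tcp_services
pass out log proto udp to port $udp_services
```

To check a ruleset like this without loading it, run `pfctl -nf /etc/pf.conf`, which parses the file and reports syntax problems such as a doubled keyword; `pfctl -sr` shows the rules as pf actually loaded them, including the default `keep state` that `pass` implies, and `tcpdump -n -e -ttt -i pflog0` shows which of the `log` rules each blocked or passed packet matched.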