On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
> Hi folks,
>
> All the time I had the following entries in my pf.conf for my Desktop
> system.
> However, as I've bought this pf book that was lately released, I begin
> to suspect that these rules are way too liberal.
>
> If I only want to be able to browse the web and maybe use ssh-client,
> how should I rewrite the rules so that only those ports are open
> (80, 443 and 22)?
>
> I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask
> if I knew how to write them.
>
> The best I could guess is:
>
> pass out on $int_if proto tcp from any to any port 80 modulate state
> flags S/SA
>
> But I don't know if this is correct.
>
> Brgds
> Robert
If it's just a simple workstation with a single user, I see no reason for restricting outgoing traffic. If you really want this, remember to also allow DNS queries (port 53, tcp+udp).

Let me point you to some of Peter Hansteen's goodies:
http://home.nuug.no/~peter/pf/en/minimal-ruleset.html
(you should also click "Next" when you get to the bottom of that page)

The full table of contents:
http://home.nuug.no/~peter/pf/en/

Martin
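The ruleset below is an added example for this thread, not a rule from either poster nor from Peter Hansteen's tutorial. It puts Robert's guessed rule and Martin's DNS reminder together into a default-deny workstation pf.conf: only outbound ssh, http and https are allowed, plus the DNS lookups they depend on. The interface name `em0` and the use of DHCP on that interface are assumptions; replace them with the values on the actual box.

```pf
# Added example workstation ruleset (not part of the original thread).
# Assumption: the only network interface is em0; adjust the macro.
ext_if = "em0"

# The three outbound TCP services asked about: ssh, http, https.
tcp_out = "{ 22, 80, 443 }"

# Don't filter loopback at all.
set skip on lo0

# Default deny in both directions. Logging lets you see what a too-tight
# ruleset is dropping instead of guessing why something stopped working.
block log all

# Assumption: the address comes from DHCP. The lease exchange (udp 68 -> 67)
# happens before the interface has an address, so it cannot use ($ext_if).
pass out on $ext_if proto udp from any port 68 to any port 67 keep state

# DNS (tcp and udp 53) must be open or neither web browsing nor ssh by
# hostname will work. ($ext_if) follows the interface's current address.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state

# Outbound ssh/http/https, state tracked so the replies are let back in.
# Only the initial SYN creates state (flags S/SA); modulate state
# randomises the initial sequence numbers.
pass out on $ext_if proto tcp from ($ext_if) to any port $tcp_out \
    flags S/SA modulate state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, which parses the rules without activating them. Two caveats a practitioner would want: with `block log all` every other outbound protocol is gone too, including ICMP, so things like path MTU discovery and `ping` will stop working until you add rules for them; and `tcpdump -n -e -ttt -i pflog0` on the pflog interface is the quickest way to see which packet a new rule is dropping.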