On Mon, Dec 01, 2008 at 11:40:17AM -0700, Jay Torrini wrote:
> Just need to know what to let in.
> 
> ext_if="dc0"
> trusted = "REMOVED"
> webports = "{ http }"
> table <blockedips> persist file "/etc/pf.blockedip.conf"
> 
> set block-policy return
> set optimization aggressive
> scrub in all
> 
> antispoof for $ext_if
> 
> pass in quick on $ext_if inet proto tcp from $trusted to $ext_if port ssh
> 
> block in log (all) all
> 
> block in quick from <blockedips>
> 
> pass in on $ext_if proto tcp from any to $ext_if port $webports
> 
> pass in on $ext_if inet proto tcp from any to any port domain
> pass in on $ext_if inet proto tcp from any to any port smtp

You have nothing that creates states for connections being made in the
outgoing direction. I am not completely certain, but something like
"pass out" before other filtering rules should make your day :-)

It would also be cleaner if you deleted "quick" from the ssh rule and
moved it down to the domain and smtp rules... IMHO.

Just remember that filtering is "last matching rule wins", and you will
rarely need the quick keyword.

Martin
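The reordered ruleset below is an added example, not the poster's file or Martin's own configuration. It keeps the macro and table names from the quoted config (ext_if, trusted, webports, <blockedips>) and shows the two points raised in the reply: a "pass out" rule that creates state for the host's own outgoing connections, and a default-deny block placed first so that the later pass rules win under last-matching-rule semantics without needing "quick". "keep state" is written out explicitly as an assumption, since older pf releases did not make it the default.

```pf
# Added example: reordered version of the ruleset quoted above.
# Assumes the same macros and table; not the original poster's file.
ext_if="dc0"
trusted="REMOVED"
webports="{ http }"
table <blockedips> persist file "/etc/pf.blockedip.conf"

set block-policy return
set optimization aggressive
scrub in all

antispoof for $ext_if

# Default deny first. With "last matching rule wins", each pass rule
# below overrides this only for the traffic it names; everything else
# is still logged and dropped.
block in log (all) all

# Known-bad sources: "quick" stops evaluation here, so no later pass
# rule can admit an address listed in the table.
block in quick from <blockedips>

# Connections the host itself opens get a state entry, so their
# replies are matched by state and never reach the inbound block rule.
pass out on $ext_if all keep state

# Inbound services. No "quick" needed now that the block sits first.
pass in on $ext_if inet proto tcp from $trusted to $ext_if port ssh keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $webports keep state
pass in on $ext_if inet proto tcp from any to any port { domain, smtp } keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, and confirm the evaluation order with `pfctl -sr`: the block rule should appear above every pass rule that is meant to override it.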