On Tue, 08 Nov 2005 00:44:34 +0000, Larry Llong wrote:
> I just want to allow port 22, 25 and 80 to my server.
>
> I know I can activate and deactivate pf with -e and -d, but that doesn't seem
> to reload the configuration. Does it?
How about -f, or man pfctl (which is faster than typing, I guess)

Here I use something like the following. It permits changing NICs and editing
the services. Chances are you want to log less. No warranty && YMMV:

# Define useful variables - Macros
Ext_IF = "ne1"                          # External Interface
TCP_Services = "{ ssh, smtp, www }"     # services exposed on the external interface
ICMP_Types = "echoreq"                  # only answer ping

# Options
set block-policy return
set loginterface $Ext_IF

# Clean up fragmented and abnormal packets
scrub in all

# Filter rules
block all
pass quick on lo0 all

# allow the services as defined above
pass in log on $Ext_IF inet proto tcp from any to $Ext_IF \
    port $TCP_Services flags S/SA keep state
pass in log on $Ext_IF inet proto { tcp, udp } from any to $Ext_IF \
    port domain keep state
pass in log inet proto icmp all icmp-type $ICMP_Types keep state
pass out log on $Ext_IF proto tcp all modulate state flags S/SA
pass out log on $Ext_IF proto { udp, icmp } all keep state

Uwe
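The reply points at pfctl -f for reloading the ruleset. The following is an added example, not part of Uwe's or Larry's mail, showing the reload done safely: pfctl's -n option parses the file without loading it, so a typo in pf.conf is caught before the running ruleset is touched; only then is the file loaded with -f and the active rules listed with -s rules. The helper name pf_reload and the default path /etc/pf.conf are this example's own assumptions; pfctl must be in PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): validate a pf ruleset, then load it.
# Assumes pfctl is in PATH. The ruleset path is $1, defaulting to /etc/pf.conf.
#   pfctl -nf FILE   parse FILE only, load nothing (syntax check)
#   pfctl -f  FILE   replace the active ruleset with FILE
#   pfctl -s rules   print the rules now in effect
pf_reload() {
    conf="${1:-/etc/pf.conf}"

    # A missing or unreadable file is a caller error, distinct from a syntax error.
    if [ ! -r "$conf" ]; then
        echo "pf_reload: cannot read $conf" >&2
        return 2
    fi

    # Dry run first: a parse error here leaves the running ruleset untouched,
    # so a mistake in an edit cannot leave the host with no filter loaded.
    if ! pfctl -nf "$conf" >/dev/null 2>&1; then
        echo "pf_reload: syntax error in $conf, running ruleset left untouched" >&2
        return 1
    fi

    # Load the checked ruleset; pf stays enabled throughout (no -d/-e needed).
    pfctl -f "$conf" || return 1

    # Show the operator what is active now, for the change log.
    pfctl -s rules
}

# Usage: pf_reload            (loads /etc/pf.conf)
#        pf_reload /etc/pf.conf.new
```

Running pf_reload after every edit, rather than pfctl -d followed by pfctl -e, is the distinction Larry asked about: -d and -e only toggle packet filtering on and off and never re-read pf.conf, whereas -f is what replaces the loaded rules.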