> On 06/04/2014, at 09:54, Mario Kothe <[email protected]> wrote:
> 
> Hi Alex,
> 
> here is the output:
> 
> anchor "ftp-proxy/*" all
> pass in quick on vlan2 inet proto tcp from any to any port = 21 flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
> anchor "vm-host-management" all
> anchor "hw-management" all
> anchor "heliopolis.lab" all
> anchor "heliopolis.net" all
> anchor "helioplis.dmz" all
> anchor "heliopolis.wlan" all
> match out on em2 inet from <__automatic_a0bf736a_0> to any nat-to (em2) round-robin
> block drop in log quick on ! em2 inet from <public-net> to any
> block drop in log quick inet from <public-ip> to any
> block drop in log quick on em2 inet6 from fe80::200:24ff:fece:97c2 to any
> block drop in all
> pass all flags S/SA keep state (if-bound)
> pass inet proto icmp all keep state (if-bound)
> block drop on em2 inet6 all
> block drop on tun0 inet6 all
> block drop log quick on em2 from <rouge-hosts> to any
> block drop log quick on em2 from <private-rfc1918> to any
> pass in quick on athn0 all flags S/SA keep state (if-bound)
> pass out quick on athn0 all flags S/SA keep state (if-bound)
> pass on vlan6 inet from 192.168.6.0/24 to ! <private-rfc1918> flags S/SA keep state (if-bound)
> pass quick on vlan6 inet from any to 224.0.0.0/4 flags S/SA keep state (if-bound) allow-opts
> pass in on vlan4 inet proto icmp all icmp-type echoreq code 0 set ( queue q_pri ) keep state (if-bound)
> pass in on vlan4 inet from 192.168.4.0/24 to any flags S/SA keep state (if-bound)
> pass on em2 inet proto icmp all set ( queue q_pri ) keep state (if-bound)
> pass on em2 inet proto tcp from (em2) to any flags S/FSRA set ( queue q_pri ) modulate state (if-bound)
> pass in quick on em2 inet proto tcp from any to any port = 21 flags S/FSRA set ( queue q_sgdef ) keep state (if-bound) label "ServicesTCP"
> pass in quick on em2 inet proto tcp from any to any port = 113 flags S/FSRA set ( queue q_sgdef ) keep state (if-bound) label "ServicesTCP"
> block drop in log quick from <block-ssh-scanners> to any
> pass on em2 inet proto tcp from ! <block-ssh-scanners> to (em2) port = 8022 flags S/FSRA set ( queue q_ssh ) keep state (source-track rule, max-src-conn-rate 3/30, overload <block-ssh-scanners> flush global, if-bound, src.track 30)
> pass on em2 proto tcp from (em2) to any port = 80 flags S/SA set ( queue q_http ) keep state (if-bound)
> pass on em2 proto tcp from (em2) to any port = 443 flags S/SA set ( queue q_http ) keep state (if-bound)
> pass on em2 proto tcp from any to any port = 8022 flags S/SA set ( queue q_ssh ) keep state (if-bound)
> pass on vlan2 inet proto tcp from 192.168.2.240 to any port > 10000 flags S/SA modulate state (if-bound) tag TORRENT
> pass on vlan2 inet proto udp from 192.168.2.240 to any port > 10000 keep state (if-bound) tag TORRENT
> pass on em2 proto tcp from (em2) to any flags S/SA set ( queue q_tor ) modulate state (if-bound) tagged TORRENT
> pass on em2 proto udp from (em2) to any set ( queue q_tor ) keep state (if-bound) tagged TORRENT
> pass in on em2 inet proto tcp from any to 192.168.2.240 port 6881:6999 flags S/SA set ( queue q_tor ) synproxy state (max 50000, source-track rule, max-src-conn 100000, max-src-nodes 100000, if-bound, tcp.established 50000, adaptive.start 30000, adaptive.end 60000)
> pass in on em2 inet proto udp from any to 192.168.2.240 port = 4444 set ( queue q_tor ) keep state (max 50000, source-track rule, max-src-conn 100000, max-src-nodes 100000, if-bound, tcp.established 50000, adaptive.start 30000, adaptive.end 60000)
> pass in inet from 192.168.44.0/24 to 192.168.2.0/24 flags S/SA modulate state (if-bound)
> pass in inet from 192.168.44.0/24 to ! <private-rfc1918> flags S/SA modulate state (if-bound)
> pass in inet from 192.168.2.0/24 to ! 192.168.55.0/24 flags S/SA modulate state (if-bound)
> pass in inet from 192.168.2.0/24 to 192.168.15.0/24 flags S/SA modulate state (if-bound)
> pass in on vlan15 inet proto icmp all icmp-type echoreq code 0 set ( queue q_pri ) keep state (if-bound)
> pass in inet from 192.168.15.0/24 to ! <private-rfc1918> flags S/SA modulate state (if-bound)
> pass in inet from 192.168.2.0/24 to 192.168.22.0/24 flags S/SA modulate state (if-bound)
> pass in on vlan22 inet proto icmp all icmp-type echoreq code 0 set ( queue q_pri ) keep state (if-bound)
> pass in inet from 192.168.22.0/24 to ! <private-rfc1918> flags S/SA modulate state (if-bound)
> pass in inet from 192.168.2.0/24 to 192.168.25.0/24 flags S/SA modulate state (if-bound)
> pass in on vlan25 inet proto icmp all icmp-type echoreq code 0 set ( queue q_pri ) keep state (if-bound)
> pass in inet from 192.168.55.0/24 to 192.168.55.1 flags S/SA modulate state (if-bound)
> pass in inet from 192.168.55.0/24 to ! <private-rfc1918> flags S/SA modulate state (if-bound)
> pass in inet from 192.168.25.0/24 to ! <private-rfc1918> flags S/SA modulate state (if-bound)
> pass in inet from 192.168.2.0/24 to 192.168.55.0/24 flags S/SA modulate state (if-bound)
> pass in inet from 192.168.11.0/24 to 192.168.11.1 flags S/SA modulate state (if-bound)
> 
> Bye
> Mario
> 
>> On 06.04.2014 02:29, [email protected] wrote:
>>> On Sat, Apr 05, 2014 at 04:53:26PM +0200, Mario Kothe wrote:
>>> <..>
>>> This rule seems to have no effect. A scan from remote shows port 53
>> <..>
>> 
>> Hi Mario,
>> 
>> Can you show the output of "pfctl -s rules"?
>> 
>> Regards,
>> Alex

man pf.conf

It's the *last* matching rule that is applied. If a rule is 'quick' then no 
further rules are evaluated.

You have pass rules after your block rule, so if one of the pass rules matches 
your traffic, it's the pass rules that apply, not the block rule. If you add 
quick to your block rule, then the pass rules won't be checked for the packets 
that match the block rule, and they get blocked.

Also, this is a textbook example of why you need to post the *entire* pf.conf 
file when asking this type of question.

Cheers
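The last-match behaviour described in the reply above, as an added illustration that is not part of the thread. The interface name (em2, as in the posted ruleset) and the use of port 53 as the service to be blocked are assumptions; version A and version B are alternatives to load one at a time, not a single ruleset:

```pf
# Added example, not from the original thread: why a non-quick block rule
# is overridden by a later pass rule, and how "quick" fixes it.
ext_if = "em2"    # assumption: external interface, as in the posted ruleset

# --- Version A: the mistake ----------------------------------------------
block drop in all
block drop in log on $ext_if proto { tcp udp } to ($ext_if) port 53
# This rule also matches port 53 and is evaluated later, so it is the *last*
# match and the packet is passed. A remote scan sees port 53 open.
pass in on $ext_if proto { tcp udp } to ($ext_if) port { 53 80 443 }

# --- Version B: the fix (load instead of A) -------------------------------
block drop in all
# "quick" stops rule evaluation here for port-53 packets; the pass rule
# below is never consulted for them.
block drop in log quick on $ext_if proto { tcp udp } to ($ext_if) port 53
pass in on $ext_if proto { tcp udp } to ($ext_if) port { 53 80 443 }
```

To check the result rather than guess: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -vsr` prints each rule with its Evaluations/Packets/States counters so you can see which rule is actually matching, and because the block rule carries `log`, `tcpdump -n -e -ttt -i pflog0` shows the rule number that dropped each logged packet.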
