Hi Stuart,

On 08/04/2014 18:31, Stuart Henderson wrote:
> On 2014-04-07, Christophe <t...@stuxnet.org> wrote:
> [..]
> 
> Let's ignore the siproxd side of things and just look at the ruleset.
> 
> You have no "pass" or "block" rules for any outbound traffic so the implicit
> default is used for outbound traffic - this is "pass all no state" - I would
> start the ruleset with an explicit "block" and then perhaps "pass out" if
> that's what you want.
> 

Oops, true! I made a `grep -v` mistake... Sorry :(.

Here is the real ruleset, which does contain the "default" block and pass
rules.

> set skip on lo
> set loginterface pflog0
> 
> block in log
> pass out
> 
> block in on ! lo0 proto tcp to port 6000:6010
> 
> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
> 
> pass in on em1 inet proto tcp from 172.18.160/24 to any port { 80, 443 } keep state
> pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
> 
> pass in on em0 inet proto tcp from any to em0 port 22 keep state
> pass in on em0 inet proto icmp from any to em0 keep state
> 
> pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.253 port 5060
> 
> pass in on em0 inet proto udp from any to em0 port 5060 keep state
> pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state



Regards,
Christophe.
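A small checker for the point Stuart raised, added here as an example and not part of the thread: it parses a pf ruleset and reports which directions have no explicit catch-all block/pass rule and therefore fall back to pf's implicit "pass all no state". The two sample rulesets are constructed from the one posted above (the second with the catch-alls dropped, as a stray `grep -v` would leave it); the keyword list that marks a rule as "qualified" is my assumption, not taken from pf.conf(5).

```python
# Constructed sample modelled on the ruleset in the mail above; "block in log" and "pass out" are its catch-alls.
RULESET_WITH_DEFAULTS = """\
block in log
pass out
block in on ! lo0 proto tcp to port 6000:6010
match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
pass in on em1 inet proto tcp from 172.18.160.0/24 to any port { 80, 443 } keep \\
state
pass in on em0 inet proto udp from any to em0 port 5060 keep state
"""
# The same text with the two catch-all lines dropped, as a stray `grep -v` would leave it.
RULESET_NO_DEFAULTS = "\n".join(l for l in RULESET_WITH_DEFAULTS.splitlines()
                                if l not in ("block in log", "pass out"))
# Assumed list of keywords that narrow a rule; a pass/block rule containing none of them is a catch-all.
NARROWING = {"on", "inet", "inet6", "proto", "from", "to", "tagged", "user", "group"}

def parse_rules(text):
    """Return rules as token lists, dropping comments and joining backslash continuations."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        toks, pending = (pending + line).split(), ""
        if toks:
            rules.append(toks)
    return rules

def explicit_defaults(text):
    """Action of the catch-all rule that decides each direction (None = no explicit default)."""
    winner, locked = {"in": None, "out": None}, {"in": False, "out": False}
    for toks in parse_rules(text):
        action, rest = toks[0], toks[1:]
        if action not in ("block", "pass"):
            continue                          # set, match, anchor ... are not filter rules
        dirs = ("in", "out")                  # no direction keyword means both directions
        if rest and rest[0] in dirs:
            dirs, rest = (rest[0],), rest[1:]
        if any(t in NARROWING for t in rest):
            continue                          # qualified rule, not a default
        for d in dirs:
            if not locked[d]:
                winner[d] = action            # pf is last-match-wins: a later catch-all overrides
                locked[d] = "quick" in rest   # ... unless this one is quick, which ends evaluation
    return winner

def missing_defaults(text):
    """Directions with no catch-all rule, i.e. left to pf's implicit 'pass all no state'."""
    return [d for d, a in explicit_defaults(text).items() if a is None]
```

Running `missing_defaults(RULESET_NO_DEFAULTS)` returns both directions, which is exactly the gap Stuart spotted in the grep'd copy.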
