On Wed, Dec 14, 2005 at 08:57:58AM +0100, raff wrote:
> Hello.
> 
> I have 1 rule in my pf.conf, with which I want to allow locally generated
> traffic ONLY to 10.0.0.1 and port 22:
> 
> block out on $int_if proto {tcp,udp} from $int_ip to ! 10.0.0.1 \
>       port != 22
> 
> This rule allows connecting to only 10.0.0.1, BUT to any port instead of
> only 22.
> Am I doing something wrong?

The rule is grammatically correct, I think, but there are some issues:
        + there is no sense in allowing UDP to port 22
        + there is, similarly, no sense in allowing incoming traffic
        + if you want to block *all* traffic, you need not use 'on
$int_if'. In fact, if you have more than one network card, you
shouldn't.
        + specifying 'keep state' will be more efficient and also allow
return traffic. Which is required for TCP, and almost all applications
of UDP save syslog.
        + if you have to ask if something works, and yes, I understand
that you have to, you are being too 'efficient'. A far more readable,
and probably faster, ruleset that does what you want (on $int_if):

block on $int_if all
pass out on $int_if proto tcp from ($int_if) to 10.0.0.1 port 22 \
        keep state

Of course, again, if you have more than one NIC and want to filter all
of them, remove 'on $int_if'.

                Joachim
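An added example, not part of the thread, that models why the original rule lets through traffic to 10.0.0.1 on any port while the default-deny rewrite does not. It is a small evaluator for a subset of pf filter semantics: criteria inside one rule are ANDed, so `to ! 10.0.0.1 port != 22` only matches packets whose destination is NOT 10.0.0.1 AND whose port is NOT 22, and without `quick` the last matching rule wins. The interface name `em0`, the local address `10.0.0.2`, and the sample packets are constructed for the example; `($int_if)` is approximated by that single address.

```python
"""Model of pf matching for the two rulesets in this thread.

Constructed example (not the poster's or Joachim's code). Two semantics
are modelled:
  1. Criteria within one rule are ANDed, so 'to ! 10.0.0.1 port != 22'
     matches only packets that are NOT to 10.0.0.1 AND NOT to port 22.
     A packet to 10.0.0.1:80 fails the first test and is not blocked.
  2. Without 'quick', the LAST matching rule decides, which is why
     'block ... all' followed by a narrow 'pass' yields default-deny.
"""
from __future__ import annotations

from dataclasses import dataclass

INT_IF = "em0"          # assumed interface name, stands in for $int_if
INT_IP = "10.0.0.2"     # assumed local address, stands in for $int_ip / ($int_if)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "block" or "pass"
    direction: str | None = None    # None matches both directions
    iface: str | None = None
    protos: tuple[str, ...] | None = None
    src: str | None = None
    dst: str | None = None
    dst_negated: bool = False       # 'to ! host'
    dport: int | None = None
    dport_negated: bool = False     # 'port != N'

    def matches(self, p: Packet) -> bool:
        # Every criterion that is set must hold: criteria are ANDed.
        if self.direction and p.direction != self.direction:
            return False
        if self.iface and p.iface != self.iface:
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.src and p.src != self.src:
            return False
        # For a negated criterion, equality means "does not match".
        if self.dst is not None and (p.dst == self.dst) == self.dst_negated:
            return False
        if self.dport is not None and (p.dport == self.dport) == self.dport_negated:
            return False
        return True


def evaluate(rules: list[Rule], p: Packet, default: str = "pass") -> str:
    """pf semantics without 'quick': the last matching rule wins."""
    verdict = default
    for r in rules:
        if r.matches(p):
            verdict = r.action
    return verdict


# The poster's single rule:
#   block out on $int_if proto {tcp,udp} from $int_ip to ! 10.0.0.1 port != 22
ORIGINAL = [
    Rule("block", "out", INT_IF, ("tcp", "udp"), INT_IP,
         dst="10.0.0.1", dst_negated=True, dport=22, dport_negated=True),
]

# Joachim's rewrite:
#   block on $int_if all
#   pass out on $int_if proto tcp from ($int_if) to 10.0.0.1 port 22 keep state
REWRITE = [
    Rule("block", None, INT_IF),
    Rule("pass", "out", INT_IF, ("tcp",), INT_IP, dst="10.0.0.1", dport=22),
]

# Constructed outbound test traffic on $int_if.
SSH_TO_TARGET = Packet("out", INT_IF, "tcp", INT_IP, "10.0.0.1", 22)
HTTP_TO_TARGET = Packet("out", INT_IF, "tcp", INT_IP, "10.0.0.1", 80)
SSH_ELSEWHERE = Packet("out", INT_IF, "tcp", INT_IP, "10.0.0.9", 22)
HTTP_ELSEWHERE = Packet("out", INT_IF, "tcp", INT_IP, "10.0.0.9", 80)


def compare() -> dict[str, tuple[str, str]]:
    """Return the (original, rewrite) verdict for each sample packet."""
    samples = {
        "ssh_to_target": SSH_TO_TARGET,
        "http_to_target": HTTP_TO_TARGET,
        "ssh_elsewhere": SSH_ELSEWHERE,
        "http_elsewhere": HTTP_ELSEWHERE,
    }
    return {name: (evaluate(ORIGINAL, p), evaluate(REWRITE, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, new) in compare().items():
        print(f"{name:15s} original={orig:5s} rewrite={new}")
```

Running it shows that the original rule passes 10.0.0.1:80 (destination test fails, so the block never applies) and also passes port 22 on any other host (port test fails), while the rewrite passes only 10.0.0.1:22 and blocks the rest.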
