On Wed, Dec 14, 2005 at 08:57:58AM +0100, raff wrote:
> Hello.
>
> I have 1 rule in my pf.conf, with which I want to allow locally generated
> traffic ONLY to 10.0.0.1 and port 22:
>
> block out on $int_if proto {tcp,udp} from $int_ip to ! 10.0.0.1 \
>     port != 22
>
> This rule allows connecting only to 10.0.0.1, BUT to any port instead of
> only 22.
> Am I doing something wrong?
The rule is grammatically correct, I think, but there are some issues:

+ there is no sense in allowing UDP to port 22
+ there is, similarly, no sense in allowing incoming traffic
+ if you want to block *all* traffic, you need not use 'on $int_if'. In fact, if you have more than one network card, you shouldn't.
+ specifying 'keep state' will be more efficient and also allow return traffic, which is required for TCP, and almost all applications of UDP save syslog.
+ if you have to ask if something works, and yes, I understand that you have to, you are being too 'efficient'.

A far more readable, and probably faster, ruleset that does what you want (on $int_if):

block all on $int_if
pass out on $int_if proto tcp from ($int_if) to 10.0.0.1 port 22 \
    keep state

Of course, again, if you have more than one NIC and want to filter all of them, remove 'on $int_if'.

Joachim
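As an added illustration (not from the thread and not pf's own code), a small Python model of how pf evaluates a ruleset, run over a few constructed packets to compare raff's negated rule with Joachim's default-deny ruleset. The address 10.0.0.5 stands in for $int_ip / ($int_if), and state tracking ('keep state') is not modelled.

```python
"""Toy model of pf rule matching (an illustration added here, not pf's code)
showing why raff's single negated rule leaks. Addresses are constructed.
Two pf facts drive the result: all criteria on a rule must match (AND), with
'!' negating only its own criterion; and without 'quick' the last matching
rule decides, the implicit default being pass."""

INT_IP = "10.0.0.5"  # constructed address standing in for $int_ip / ($int_if)

def rule(action, **crit):
    """A rule is an action plus criteria; each criterion is (negated, wanted)."""
    return action, crit

def criterion_matches(spec, actual):
    negated, wanted = spec
    hit = actual in wanted if isinstance(wanted, set) else actual == wanted
    return hit != negated  # '!' flips this single criterion only

def rule_matches(r, pkt):
    return all(criterion_matches(spec, pkt[field]) for field, spec in r[1].items())

def decide(ruleset, pkt):
    verdict = "pass"  # pf's implicit default when no rule matches
    for r in ruleset:
        if rule_matches(r, pkt):
            verdict = r[0]  # last match wins
    return verdict

# raff: block out proto {tcp,udp} from $int_ip to ! 10.0.0.1 port != 22
RAFF = [rule("block", direction=(False, "out"), proto=(False, {"tcp", "udp"}),
             src=(False, INT_IP), dst=(True, "10.0.0.1"), dport=(True, 22))]

# Joachim: block all; pass out proto tcp from ($int_if) to 10.0.0.1 port 22
JOACHIM = [rule("block"),
           rule("pass", direction=(False, "out"), proto=(False, "tcp"),
                src=(False, INT_IP), dst=(False, "10.0.0.1"), dport=(False, 22))]

def pkt(direction, proto, dst, dport, src=INT_IP):
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}

def compare(packets):
    """Map 'dir proto dst:port' -> (raff verdict, Joachim verdict) per packet."""
    return {f"{p['direction']} {p['proto']} {p['dst']}:{p['dport']}":
            (decide(RAFF, p), decide(JOACHIM, p)) for p in packets}

if __name__ == "__main__":
    SAMPLE = [pkt("out", "tcp", "10.0.0.1", 22), pkt("out", "tcp", "10.0.0.1", 80),
              pkt("out", "tcp", "192.0.2.9", 22), pkt("out", "udp", "192.0.2.9", 53),
              pkt("in", "tcp", INT_IP, 22, src="192.0.2.9")]
    for desc, (a, b) in compare(SAMPLE).items():
        print(f"{desc:26} raff={a:5} joachim={b}")
```

Besides the leak raff noticed (any port on 10.0.0.1), the model shows the negated rule also passes port 22 to every other host and leaves inbound traffic untouched, which is why a default 'block' with a narrow 'pass' is the safer shape.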