On Fri, Feb 24, 2006 at 12:15:44PM +0100, Stefan wrote:
> Hi,
>
> for several years I've used Linux on some machines while now I'm
> trying to switch to OpenBSD. With the Linux Firewall called iptables
> you can easily block all connections which try to establish a new
> connection. For example your default policy is block and then you
> could use the following command to only allow connections which are
> established:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Does someone know if this is also possible with the OpenBSD PF?
>
> Summary:
> I try to build a firewall rule which only allows connections which I
> have established. So no one can initialize a connection to me.
>
> For several hours I've played with the flags and thought that this
> one should be the answer:
> block in inet6 all
> pass in inet6 proto { tcp, udp } from any to any flags /S
> But when I activate this rule no connections can be established. Any
> hints or suggestions?
This is all in the docs. Basically, you specify keep state. The easiest
way to do what you want would be...
set skip on lo0
block in
pass out keep state
Which would allow all locally-initiated connections, and no
outside-initiated. Read the PF FAQ and ftp-proxy(8) for more information
on how to get active FTP to work.
Joachim
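A fuller pf.conf along the lines of Joachim's reply, added here as an example (it is not from either poster); it extends the thread to the inet6 case Stefan asked about and shows why the flags-only rule failed. It assumes an outside interface named em0 and 2006-era PF, where "keep state" is written explicitly.

```pf
# Added example, not from the thread. Assumes the outside interface is
# "em0" (placeholder) and 2006-era PF, where "keep state" is written
# explicitly (it became the default in later releases).
ext_if = "em0"

set skip on lo0

# Default deny for everything arriving from the network, as in Joachim's
# reply. With no "pass in" rule, nothing from outside ever matches a rule;
# only packets that match an existing state entry get in.
block in

# For comparison, the rule from the question (do not load it together with
# the rules below):
#   pass in inet6 proto { tcp, udp } from any to any flags /S
# "flags /S" only passes TCP segments whose SYN bit is clear. The SYN+ACK
# that answers a locally sent SYN has SYN set, so it is not passed and
# falls through to "block in": no outbound TCP handshake can complete.
# Flag matching is stateless; state tracking is what actually answers
# "only connections I initiated".

# Outbound TCP: "flags S/SA" creates state only on the initial SYN, the
# closest analogue to iptables' NEW. Every later segment of the connection,
# in both directions, is checked against the state table before the rules,
# so the reply SYN+ACK comes in without any "pass in" rule.
pass out on $ext_if proto tcp from any to any flags S/SA keep state

# UDP and ICMP have no handshake; state is created by the first outbound
# datagram and answers are matched for a limited time, which is what
# iptables calls ESTABLISHED,RELATED.
pass out on $ext_if proto { udp, icmp, icmp6 } from any to any keep state

# IPv6-specific caveat: neighbour discovery is inbound ICMPv6 that the
# host did not "initiate", so a plain "block in" breaks IPv6 on the link.
# Let those few message types in explicitly.
pass in on $ext_if inet6 proto icmp6 from any to any \
    icmp6-type { neighbrsol, neighbradv, routeradv }
```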