"Joco Salvatti" <[EMAIL PROTECTED]> writes:

> I don't want anyone from my local network to connect to MSN and P2P
> programs, so I haven't created any rule to permit that kind of
> packet traffic.

Sounds like a sound policy.

> But I'm facing a lot of problems due to this, because I have to
> specify packets that should pass through my internal and external
> interfaces.

This is exactly the thing PF excels at. In the first place, you can
write interface-independent pass rules as well, i.e.

  pass proto tcp from $localnet to any port $allowedports keep state

assuming the localnet and allowedports macros have been sensibly
defined (localnet or equivalent could easily be made into a table as
well, btw).

If you're interested in reading a PF tutorial written by a
self-confessed PF rules readability zealot, you can find mine in
various formats at http://www.bgnett.no/~peter/pf/

> I'd like any ideas or tips from PF gurus about how to improve my
> firewall policies. I have an idea: allow everything at my internal
> NIC and block all at my external NIC, so all I have to do is
> specify allowed incoming and outgoing traffic only at my external
> NIC. But I'll be waiting for (better) proposals.

Again, if all you want to do is simplify your rule set, go the
interface-independent route. There are situations where rules need to
be interface specific, but you will discover those when you need to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
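The interface-independent approach the reply recommends, written out as a complete minimal pf.conf. This is an added example, not part of the original message and not taken from the tutorial it links to; the interface names (fxp0, fxp1), the 192.168.1.0/24 client network and the port list are assumptions chosen for illustration. It uses the pre-OpenBSD-4.7 syntax of the era (explicit `keep state`, `nat on` before the filter rules), which is what the quoted rule uses.

```pf
# Added example (not from the original post). Interface names, network
# and port list are assumptions; adjust them to the gateway in question.
ext_if = "fxp0"
int_if = "fxp1"

# The "localnet" macro from the reply, done as a table so hosts can be
# added or removed at runtime with pfctl -t localnet -T add/delete.
# The macro form "localnet = $int_if:network" would work equally well.
table <localnet> persist { 192.168.1.0/24 }

# Services the clients are allowed to reach. Anything not listed here
# (MSN, P2P, ...) is never granted a rule and therefore never passes.
allowedports = "{ ssh, domain, http, https, smtp, pop3, imap }"

set skip on lo

# In pf.conf of this vintage translation rules precede filter rules.
nat on $ext_if from <localnet> to any -> ($ext_if)

# Default deny on every interface, logged so that what gets dropped
# can be read back with "tcpdump -n -e -ttt -i pflog0".
block log all

# The gateway itself may resolve names, sync time and reach the same
# services; "from ($ext_if)" follows the address if it changes (dhcp).
pass out on $ext_if proto tcp from ($ext_if) to any port $allowedports keep state
pass out on $ext_if proto udp from ($ext_if) to any port { domain, ntp } keep state

# The interface-independent rules from the reply. Each rule matches the
# packet both inbound on $int_if and outbound on $ext_if; the state entry
# created on the way in is matched on the way out, so nothing has to be
# repeated per interface.
pass proto tcp from <localnet> to any port $allowedports keep state
pass proto udp from <localnet> to any port { domain, ntp } keep state
pass inet proto icmp from <localnet> to any icmp-type echoreq keep state

# One of the cases where an interface-specific rule is the right tool:
# ssh to the gateway is wanted from the inside only, never from $ext_if.
pass in on $int_if proto tcp from <localnet> to $int_if port ssh keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows one state per client connection rather than one per interface. The interface-independent rules rely on PF's default floating states (`set state-policy floating`); if the rule set switches to `if-bound` states, a state created on $int_if no longer matches on $ext_if and the per-interface rules the original poster wanted to avoid become necessary again. On OpenBSD 4.7 and later the same policy is written with `match out on $ext_if from <localnet> nat-to ($ext_if)` instead of the `nat on` line, and the `keep state` keywords can be dropped since it became the default in 4.1.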

