Can you use DNS names instead of IP addresses? Every example I find
uses IP addresses. It's not that big of a deal. I'm converting an
ipchains list into PF and it uses a lot of names. I'd like to skip the
step of looking them all up if I can...
--Bryan
On Wed, 2003-02-12 at 13:41, Jolan Luff wrote:
> On Wed, Feb 12, 2003 at 01:16:59PM -0800, Bryan Irvine wrote:
> > It says in the FAQ that the first 2 implicit rules are
> > pass in all
> > pass out all
>
> implicit.. like implied.
>
> > but I want to by default block everything.
> > My understanding is that pf won't even receive the requests if I remove
> > those 2 rules.
>
> If no rule matches the packet, the default action is pass.
>
> To block everything by default and only pass packets that match explicit
> rules, one uses
>
> block in all
> block out all
>
> as the first two rules.
>
> > emailports = {"25, 110, 143, 993, 995, 5309"}
>
> I'm pretty sure this won't load. you want
> emailports = "{ 25, 110, 143 }" (commas are optional as of 3.2 btw)
>
> > webports = {"80, 443, ntp"} #can you put names like ntp?
> yes, as long as they are in /etc/services.
>
> > pass in all
> > pass out all
>
> if you want a default block, this is not how to start out your ruleset.
>
> > pass in on $ext_if proto tcp from any to $mailserver ports $emailports
> > keep state
> > pass in log on $ext_if proto tcp from any to $mailserver ports 22 keep
> > state
> >
> > pass in on $ext_if proto {tcp, udp} from any to $webservers ports
> > $webports keep state
> > pass in log on $ext_if proto tcp from any to $webservers ports 22 keep
> > state
> >
> > pass out on xl0 all
>
> well, you don't need any of these rules, since everything will pass
> anyway.
>
>
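The ruleset from the quoted exchange, rebuilt as an added example (not from the thread) with the corrections Jolan describes: block as the first two rules, macro lists inside the quotes, and service names taken from /etc/services. The interface and host values are constructed placeholders, and `keep state` on the outbound rule is my addition so that replies to the host's own connections get past `block in all`.

```pf
# Added example, not the original poster's file. Host and interface
# values are constructed placeholders.
ext_if     = "xl0"
mailserver = "mail.example.com"   # hostnames are accepted; pfctl resolves them
webservers = "{ www1.example.com, www2.example.com }"   # when the ruleset loads

# Lists go inside the quotes, braces included (commas optional as of 3.2)
emailports = "{ 25, 110, 143, 993, 995, 5309 }"
webports   = "{ 80, 443, ntp }"   # ntp works only because it is in /etc/services

# Default deny: with no matching rule pf passes, so these come first
block in all
block out all

# Last matching rule wins, so these explicit passes override the blocks above
pass in on $ext_if proto tcp from any to $mailserver port $emailports keep state
pass in log on $ext_if proto tcp from any to $mailserver port 22 keep state

pass in on $ext_if proto { tcp, udp } from any to $webservers port $webports keep state
pass in log on $ext_if proto tcp from any to $webservers port 22 keep state

# keep state here so return traffic for outbound connections is not dropped
pass out on $ext_if all keep state
```

Hostnames are resolved once, at load time, so a name whose address changes is not picked up until the ruleset is reloaded; `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches the macro-syntax errors discussed above.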