I believe your ruleset would work though it's a bit ambiguous.  You could just
pass out what you want to allow and keep state.  (On my setup I allow out and
keep state and the only allowed in are to servers: mail, http, etc.)  This seems
a bit more straightforward.  Either way I believe if you allow http you can run
things like AIM Express.  Blocking the ports wouldn't help for AIM as it's
pretty resilient in finding another port.  If you wanted to block access to
those services, more effective would be IP based; however you'd end up blocking
their respective websites I think.

-quel

Quoting Bryan Irvine <[EMAIL PROTECTED]>:

> Will the ruleset below block MSN messenger, AIM, IRC, etc...?
> 
> I've blocked _in_ all except what is explicitly allowed, but allowed out
> _all_.
> 
> My company bans chat clients, and I'm in the process of rebuilding the
> firewall.
> Should I add a rule that blocks those specific ports?  (ports 1863, 5190,
> 6667)?
> 
> ================================
> ||  Current untested pf.conf  ||
> ================================
>   ######################
>  # INTERFACE SETTINGS #
> ######################
> WAN = "xl0"
> LAN = "xl1"
> DMZ = "xl2"
> 
> 
>   #############
>  # NAT Rules #
> #############
> nat on $WAN inet from ! ($WAN) to any -> ($WAN)
> rdr on $WAN proto tcp from any to $WAN port 5900 -> 192.168.0.50 port 5900
> 
>   #############
>  # FTP-PROXY #
> #############
> rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
>   ##################################
>  # Block everything IN by default #
> ##################################
> block in log on $WAN all
> antispoof for $WAN
> 
>    ############################
>   # Unwanted list.           #
>  #  Keep these people away! #
> ############################
> blacklist = "{ 66.220.25.151, 216.127.82.63, 216.228.123.2,
> 216.127.82.63, 138.9.200.8, 198.186.220.95, 65.243.141.125,
> 207.46.125.16, biz360.netmar.com, server37.aitcom.net, rhea.hmdns.net,
> paris.webpipe.net, evrtwa1-ar3-4-65-130-024.evrtwa1.dsl-verizon.net,
> dsl-52.psni.net, sea-host134.inter-tel.com, blv-proxy-07.boeing.com,
> ip-216-73-190-204.hqglobal.net }"
> 
> block in log quick on $WAN inet from $blacklist to any
> 
>   ##############
>  # ROUTE RULE #
> ##############
> pass in on { $WAN, $LAN, $DMZ } proto udp from any to any port route keep state
> 
>   ########################
>  # MAIL SERVER SETTINGS #
> ########################
> emailport = "{ smtp pop3 imap imaps pop3s 5309 }"
> mailserver = "207.109.73.101"
> 
> pass in on $WAN proto tcp from any to $mailserver port $emailport keep state
> pass in log on $WAN proto tcp from any to $mailserver port ssh keep state
> 
>   #######################
>  # WEB SERVER SETTINGS #
> #######################
> webport = "{ www https }"
> webudpport = "{ntp domain }"
> webservers = "207.108.73.64/26"
> 
> pass in on $WAN proto tcp from any to $webservers port $webport keep state
> pass in on $WAN proto udp from any to $webservers port $webudpport keep state
> pass in log on $WAN proto tcp from any to $webservers port ssh keep state
> 
>   ###############################
>  # FTP PROXY SETTINGS (CHARON) #
> ###############################
> charonport = "{ ftp-data ftp 1024 }"
> charon = "207.109.73.104"
> 
> pass in on { $WAN, $DMZ } proto tcp from any to $charon port $charonport keep state
> pass in log on $WAN proto tcp from any to $charon port ssh keep state
> 
>   ##################################
>  #  MISCELLANEOUS SSH CONNECTIONS #
> ##################################
> ghost = "207.109.73.74"
> veda  = "207.109.73.73"
> lanfear = "207.109.73.93"
> 
> pass in on $WAN proto tcp from any to { $ghost, $veda, $lanfear } port ssh keep state
> 
>   ##########################
>  # MISCELLANEOUS SETTINGS # 
> ##########################
> pass in on $WAN proto tcp from any to { $ghost, $veda } port 8879 <> 9001 keep state
> 
>   ################################ 
>  # Pass everying out by default #
> ################################
> pass out on $WAN all
> 
> 
> 
> 

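The "pass out only what you allow and keep state" layout quel describes, written out as an added pf.conf fragment. This is not code from either poster; it reuses the interface macros and the ghost/veda addresses from the quoted config, while the outbound service lists are an assumption to be adjusted per site. It also spells the 8879-9001 rule with the inclusive range operator, because in pf `port 8879 <> 9001` matches every port below 8879 or above 9001, not the ports in between.

```pf
# Added example (not from the original posts): default-deny egress with
# explicit stateful allows, replacing "pass out on $WAN all".
WAN = "xl0"
LAN = "xl1"

# Outbound services permitted from the LAN (assumed list, adjust per site).
out_tcp = "{ www https smtp ssh }"
out_udp = "{ domain ntp }"

# Block both directions on the external interface by default.  Replies to
# allowed flows are matched by state, so they need no separate "pass in".
block in  log on $WAN all
block out log on $WAN all
antispoof for $WAN

# Only the listed services may leave; everything else is logged and dropped.
# As the thread notes, chat clients that fall back to www/https still pass,
# so this limits exposure rather than blocking a specific client.
pass out on $WAN proto tcp from any to any port $out_tcp keep state
pass out on $WAN proto udp from any to any port $out_udp keep state

# Port-range operators: "8879 <> 9001" means outside the range, "8879:9001"
# means the inclusive range 8879 through 9001.
ghost = "207.109.73.74"
veda  = "207.109.73.73"
pass in on $WAN proto tcp from any to { $ghost, $veda } port 8879:9001 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and compare the hit counters from `pfctl -vsr` against the logged blocks before and after the change to confirm nothing needed is silently dropped.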