So it is obviously my rules skills that are lacking. I just don't get the "zen" of rules. For example, if I am trying to block something from going out, do I block it on the internal nic or the external nic? Is it already past the internal nic, and now in the kernel and I want to block it on the external nic, or is it still on the internal nic and needs to be dropped there?
Yes, to all of the above. ;-)
PF can block incoming or outgoing packets on any interface. To simplify your life, most people will just pass all packets on one and block on the other. (Usually block on the external interface, then your firewall itself is protected...)
If I want to block all traffic to and from the outside to a specific IP address, is that blocking "out" or "in" or both? Is direction optional (leaving it out means both)?
To and from would be both. The default, as the man page says, is both.
Actually, most connections generate packets in both directions. Usual practice is to pass the initial packet, and keep or modulate state. (Which implicitly passes the rest of that connection.)
Is blocking "in" only blocking syn requests from outside on tcp or does in block responses as well?
It depends, what did you write? (PF could just block syn requests, or it can block everything. The default is everything.)
The most common 'gotcha' at this point is that NAT happens before filtering, so if you are blocking by IP addresses/ranges you have to remember that. Beyond that, my advice at this point would be to post your pf.conf.
Daniel T. Staal
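The points made in this reply (block on the external interface, pass with state, direction defaults to both, and NAT being translated before the filter rules run) spelled out in a minimal pf.conf. This is an added example, not a configuration from the original thread; it assumes classic PF syntax (FreeBSD pf, OpenBSD before 4.7, where "nat on" rules are applied before filtering), and the interface names and addresses are placeholders.

```pf
# Added example, not from the original thread. Assumes classic PF syntax
# (FreeBSD pf / OpenBSD before 4.7): "nat on" translation happens before
# the filter rules are evaluated. Interfaces and addresses are placeholders.
ext_if      = "em0"
int_if      = "em1"
int_net     = "192.168.1.0/24"
banned_host = "192.168.1.50"   # internal host to cut off from the outside
bad_remote  = "203.0.113.7"    # constructed TEST-NET-3 address for a hostile remote

set skip on lo0

# Translation section comes before filtering. Anything leaving $ext_if
# from $int_net already carries the firewall's address as its source.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny. No direction and no interface means in AND out, everywhere.
block log all

# Internal side. Cutting off an internal host has to happen here, where its
# real source address is still visible; this would never match on $ext_if:
#   block out on $ext_if from $banned_host    # wrong: source already NATed
block in quick on $int_if from $banned_host to any
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

# "To and from" a remote address needs both directions. With no direction
# keyword each rule covers in and out on $ext_if.
block quick on $ext_if from $bad_remote
block quick on $ext_if to   $bad_remote

# Let the (now NATed) internal clients and the firewall itself out. State
# lets the replies back in without a separate "pass in" rule for them.
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state

# Only the initial SYN (no ACK) of a new TCP connection is matched here;
# the state entry then carries the rest of the session in both directions.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Loading with `pfctl -nf /etc/pf.conf` parses the rules without applying them, and `pfctl -ss` afterwards shows the two state entries a NATed connection creates, one per interface.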
