For more illuminating debugging via logs, change "pass out on" to "pass out log on", rerun your tests, and re-examine your logs.
Also, I think (maybe, possibly) that if you're hide-NATing (i.e., all internal hosts leave with the IP address of the firewall's external interface), the NATing occurs before the filtering, and so your first "pass out" rule permits AIM, etc., because all outbound packets look like they are "from $ext_if". I personally filter out undesirable destinations on the firewall's internal interface (pre-NAT), and I use "block return-rst" just so the user gets an immediate deny instead of waiting for a time-out. But, in the words of John Candy, "that's just me."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phusion
Sent: Friday, November 12, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: Logging Question

I have a question about logging certain packets. On my internal network I allow the following traffic outbound: tcp 21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I can log all the blocked outbound traffic, like to tcp and udp ports 1214, 4662, and the rest. I'm having a problem because when I tried AOL Instant Messenger, it should have been blocked, logged and not been able to connect, because it makes an outbound connection to tcp port 5190, which isn't allowed, but it still works. This is what I have right now in my config files.

/etc/inetd.conf

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180

/etc/pf.conf

    tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"

    block in all
    block out log all

    # for FTP
    pass in on $ext_if inet proto tcp from any to $ext_if \
        port 55000 >< 57000 user proxy $tcpsrv_options $proto_options

    # for FTP
    pass out on $ext_if inet proto tcp from $ext_if to any \
        port > 1023 $tcpsrv_options $proto_options

    pass out on $ext_if inet proto tcp from $ext_if to any \
        port $tcp_ports $tcpsrv_options $proto_options

Let me know how I can log the outbound traffic that is blocked. Thanks.
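The two points made in the reply, as an added example that is not from either poster: in pf of that era (pre-4.7 nat/rdr syntax, which the thread uses) translation runs before filtering, so an outbound rule on $ext_if sees every internal client as "from $ext_if" and cannot distinguish them, and the "port > 1023" rule written for ftp-proxy passes any host to any high port, AIM's tcp/5190 included. The ruleset below shows that rule beside a tightened one restricted to sockets owned by the proxy user (the "-u proxy" in the poster's inetd.conf line), and moves the per-client policy to the internal interface, where the real source address is still visible and "block return-rst" gives the client an immediate reset. The interface names, $int_net, the udp_ports macro and "flags S/SA keep state" (standing in for the undefined $tcpsrv_options/$proto_options macros) are assumptions; "block out log all" is already the right way to get the blocked outbound traffic into pflog, once nothing passes it first.

```pf
# Added example, not the original poster's config. Assumed: interface
# names, $int_net, $udp_ports, and "flags S/SA keep state" in place of the
# thread's undefined $tcpsrv_options / $proto_options macros.
ext_if   = "fxp0"
int_if   = "fxp1"
int_net  = "192.168.1.0/24"
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"
udp_ports = "{ 53, 67, 123 }"

# Translation is applied before filtering: after these rules, a "pass out on
# $ext_if" rule sees every internal client as "from $ext_if".
nat on $ext_if inet from $int_net to any -> ($ext_if)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Default deny; the log keyword sends blocked packets to pflog0.
block in log all
block out log all

# Pre-NAT policy on the internal interface. pf is last-match-wins, so the
# block goes first and the pass rules below override it for allowed ports.
# return-rst answers the client's SYN with a reset instead of letting it
# time out.
block return-rst in log on $int_if inet proto tcp from $int_net to any
pass in on $int_if inet proto tcp from $int_net to any port $tcp_ports flags S/SA keep state
pass in on $int_if inet proto udp from $int_net to any port $udp_ports keep state

# Post-NAT rules on the external interface for the permitted services.
pass out on $ext_if inet proto tcp from $ext_if to any port $tcp_ports flags S/SA keep state
pass out on $ext_if inet proto udp from $ext_if to any port $udp_ports keep state

# ftp-proxy data channel: inbound (PASV from the server side) and outbound.
pass in on $ext_if inet proto tcp from any to $ext_if port 55000 >< 57000 user proxy flags S/SA keep state

# WAS (over-broad): any NATed host may reach any port > 1023, e.g. AIM on tcp/5190
# pass out on $ext_if inet proto tcp from $ext_if to any port > 1023 flags S/SA keep state
# NOW: only connections made by the ftp-proxy user's sockets match this rule
pass out on $ext_if inet proto tcp from $ext_if to any port > 1023 user proxy flags S/SA keep state
```

With this in place a client's SYN to tcp/5190 matches the "block return-rst in log on $int_if" rule, so it is both logged and answered with a reset; "tcpdump -n -e -ttt -i pflog0" will show the entry with the client's real address, which the post-NAT "block out log all" on $ext_if could never have recorded.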
