Hi Folks
I am making what I thought would be a straightforward change to a
rule set, but one that turns out to be non-trivial after all.
Existing rules:
block out on $ext_if any
.... (there are a few block quicks etc. here) ....
pass out quick on $ext_if from <external> to any keep state
Which allows outbound access to addresses in the table <external>.
Now I want to block outbound access to port 53 (udp & tcp) *by
default*. I.e. if there are subsequent pass rules for port 53 then
they should apply.
The problem is that as soon as I specify a port I then have to specify
a protocol (either tcp or udp), so I can modify the above rule:
pass out quick on $ext_if proto {udp,tcp} from any to any port != 53 keep state
But now how do I allow all the other protocols? I can enumerate the
common ones, but this is untidy and error-prone.
I really want quick on this rule since it is the most used rule in a
large (several hundred rules) ruleset.
Any suggestions?
One other question: will pfctl expand port != {53, ...} ?
Russell
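One ruleset layout that keeps quick on the catch-all rule and still denies outbound port 53 by default, written as an added example that is not part of Russell's post. It relies on two things pf guarantees: rules are evaluated top to bottom, and a rule marked quick ends evaluation at the first match. So the DNS exceptions and the port-53 block are placed ahead of the catch-all, and the catch-all needs no protocol list at all because port 53 traffic never reaches it. The macro value for $ext_if and the <dns_servers> table are assumptions added for the example; <external> and $ext_if come from the post.

```pf
# Added example (not from the original post): default-deny outbound DNS
# with explicit exceptions, while the catch-all pass rule keeps 'quick'.
ext_if = "em0"                                   # assumed interface name
table <external> persist                         # hosts allowed out, as in the post
table <dns_servers> { 192.0.2.53, 192.0.2.54 }   # assumed: resolvers that may be queried

block out on $ext_if all

# 1. Exceptions first: DNS to the permitted resolvers passes and stops here.
pass out quick on $ext_if proto { tcp, udp } from <external> to <dns_servers> port 53 keep state

# 2. Default for every other port 53 flow: dropped, and evaluation stops here.
block out quick on $ext_if proto { tcp, udp } from any to any port 53

# 3. The heavily used catch-all keeps 'quick' and needs no protocol enumeration,
#    because anything on port 53 has already been decided above.
pass out quick on $ext_if from <external> to any keep state
```

To confirm what pfctl actually loads, run `pfctl -nvf /etc/pf.conf`: -n parses without loading and -v prints each expanded rule. That also answers the list question: pf expands a list into one rule per element, so `port != { 53, 54 }` becomes one rule for `port != 53` and another for `port != 54`, and together they match every port. Putting the ports to be denied in a positive block rule, as above, avoids that trap.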