On 2008/01/14 07:49, Tihomir koychev wrote:
> >> one other question: Will pfctl expand port != {53, ...} ?
>
> Yes it will
> http://www.openbsd.org/faq/pf/macros.html
Not for port numbers.
(and see the warning on that page for lists of addresses :-)
> ----- Original Message ----
> From: Russell Fulton <[EMAIL PROTECTED]>
> To: [email protected]
> Sent: Monday, January 14, 2008 5:24:59 AM
> Subject: protocol in rules
>
> pass out quick on $ext_if proto {udp,tcp} from any to any port != 53 keep state
>
> But now how do I allow all the other protocols ? I can enumerate the
> common ones but this is untidy and error prone.
Slightly ugly, but how about this?
pass out quick on $ext_if proto {udp,tcp} from <external> to port 53
block out quick on $ext_if proto {udp,tcp} to port 53
pass out quick on $ext_if
I think I would be looking at converting the ruleset to use tags
though. It is a major change but I find it much easier to work with.
http://www.openbsd.org/faq/pf/tagging.html
> I really want quick on this rule since it is the most used rule in a
> large (several hundred rules) ruleset.
Remember that with stateful rules, packets from established connections
don't traverse the ruleset; the state table is checked first.
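Both approaches from the reply, written out as one constructed pf.conf fragment (an added illustration, not from this thread or the OpenBSD FAQ); the interface names, the contents of the <external> table and the tag names are assumptions:

```pf
# Constructed pf.conf fragment (not from the thread); interface names,
# the <external> table contents and the tag names are assumptions.
ext_if = "em0"
int_if = "em1"
table <external> persist { 192.0.2.0/24 }   # hosts allowed to use outside DNS

# Variant 1: the three-rule form. Order matters because of "quick":
# permitted resolvers pass, every other port-53 flow is blocked, and the
# catch-all then passes all remaining protocols without enumerating them.
pass out quick on $ext_if proto { udp, tcp } from <external> to any port 53 keep state
block out quick on $ext_if proto { udp, tcp } from any to any port 53
pass out quick on $ext_if keep state

# Variant 2: the same policy with tags. Classification happens once on the
# inside interface ("no state" so the outbound rules still get evaluated and
# are the ones that create state); the outbound rules only look at the tag,
# so a new traffic class later means one new "tag" rule, not a reordering.
pass in quick on $int_if proto { udp, tcp } from <external> to any port 53 tag DNS_OK no state
pass in quick on $int_if proto { udp, tcp } from any to any port 53 tag DNS_DENY no state
pass in quick on $int_if tag OTHER no state
block out quick on $ext_if tagged DNS_DENY
pass out quick on $ext_if tagged DNS_OK keep state
pass out quick on $ext_if tagged OTHER keep state
# Traffic originated by the firewall itself carries no tag and falls through
# to whatever rules follow these.
```

Checking a file with `pfctl -nvf /etc/pf.conf` parses it without loading and prints every rule as expanded, which is the direct way to see how a given list or macro was expanded before putting it in production.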