On Thu, 10 Apr 2008, Christoph Hanle spaketh thusly:

-}Hi,
-}it is possible in another way.
-}First, you have to create a port-alias, but consider that you put only ports
-}of the same type (tcp or udp) in one alias.
-}
-}Live example:
-}allow only secure mailtransport to my mailserver:
-}1. port alias
-}<alias>
-}        <name>Secure_mail</name>
-}        <address>465 993 995</address>
-}        <descr/>
-}        <type>port</type>
-}        <detail>SMTPS||IMAPS||POPS||</detail>
-}</alias>
-}2. rule
-}<rule>
-}        <type>pass</type>
-}        <interface>lan</interface>
-}        <max-src-nodes/>
-}        <max-src-states/>
-}        <statetimeout/>
-}        <statetype>keep state</statetype>
-}        <os/>
-}        <protocol>tcp</protocol>
-}        <source>
-}                <network>lan</network>
-}        </source>
-}        <destination>
-}                <address>a.b.c.d</address>
-}                <port>Secure_mail</port>
-}        </destination>
-}        <descr>allow secure MAIL to xyz</descr>
-}</rule>
-}
-}
-}Hope this helps

Heya,

Sorry.  Apparently I wasn't clear.  I want to block, not pass, all traffic to
a specific port.  For example, everybody on a /16 must use a given mailhost to
send mail out.  To enforce this, pass packets from the mailhost to any host
but only to port 25, block all other traffic from anybody and from any port,
to anybody on port 25.

I've messed around a bit with setting up an alias with a bunch of ports: 
    BlockPortsInside     67:69, 111, 113, 137:139, 161:162, 512:515,
                         1433:1434

When I try to add the alias as a block(say tcp), the gui allows me, but in the
logs I see:
   Apr 10 16:34:06      php: : There were error(s) loading the rules: no IP
   address found for 67:69 /tmp/rules.debug:140: could not parse host
   specification pfctl: Syntax error in config file: pf rules not loaded - The
   line in question reads [69 /tmp/rules.debug]:

Thoughts?

--
 Randy    ([EMAIL PROTECTED])      765.983.1283         <*>

Love with your heart, think with your head;  not the other way around.

