Thanks, but this doesn't work for me either :-(. I extended my rules with yours and this is the result.

pf.conf

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
ext_if="em0" # interface connected to internet
block drop in log (all) quick on $ext_if from <blockedips> to any

table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
pass in quick on $ext_if from <mwhite> to any port 3306
block return in log (all) quick on $ext_if from any to any port 3306

Reloading pf rules.
/etc/pf.conf:6: port only applies to tcp/udp
/etc/pf.conf:6: skipping rule due to errors
/etc/pf.conf:6: rule expands to no valid combination
/etc/pf.conf:7: port only applies to tcp/udp
/etc/pf.conf:7: skipping rule due to errors
/etc/pf.conf:7: rule expands to no valid combination

Frantisek

On Sun, 6 Jun 2021 at 10:27, Dan Lukes <[email protected]> wrote:
> Frantisek Hennel wrote on 06.06.2021 9:53:
> > I need to block access to the MySQL server (port 3306) so that it is
> > not reachable from the internet, and allow this port only for specific
> > IP addresses or, possibly, specific subnets.
> >
> > table <blockedips> persist file "/etc/pf.blocked.ip.conf"
> > ext_if="em0" # interface connected to internet
> > block drop in log (all) quick on $ext_if from <blockedips> to any
>
> I don't use PF much, my favourite is IPFW, but there is no reason why PF
> couldn't be used for this.
>
> But the logic in your rules seems to me to be inverted compared to what
> you described in words.
>
> In words you described that you want to block everything except the
> listed addresses/address ranges. In the rules, however, you block the
> listed addresses rather than allow them. Moreover, the rule does not
> mention any port, so you block all of them, and you also tie the
> filtering exclusively to the external interface, so any connections
> arriving via other interfaces remain allowed (which may or may not be
> what you want).
>
> So I would see it more like
>
> table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
> ext_if="em0" # interface connected to internet
> pass in quick on $ext_if from <mwhite> to any port 3306
> block return in log (all) quick on $ext_if from any to any port 3306
>
> As I said, though, I don't use PF, so maybe it can be done even more
> efficiently. Someone will correct me if needed. I kept the binding to
> the external interface $ext_if; if that is not what you want, just
> leave it out.
>
> Dan
>
> --
> FreeBSD mailing list ([email protected])
> http://www.freebsd.cz/listserv/listinfo/users-l
>
--
FreeBSD mailing list ([email protected])
http://www.freebsd.cz/listserv/listinfo/users-l
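The pfctl errors quoted above ("port only applies to tcp/udp") are pf's way of saying that a `port` match needs a protocol: without `proto tcp` the rule would cover every IP protocol, and a port makes no sense for most of them. The following is an added example, not a ruleset from either poster: it is the reply's whitelist approach with `proto tcp` added, the `$mysql_port` macro and the example addresses in the comments are assumptions made here.

```pf
# Added example (not from the thread): the reply's ruleset with the missing
# "proto tcp". pf rejects "port" on a rule without a protocol; MySQL is TCP.
ext_if="em0"          # interface connected to the internet
mysql_port="3306"     # assumed macro name; expands to the MySQL port

# Whitelist file: one IPv4/IPv6 address or CIDR prefix per line, "#" comments
# allowed, e.g. 203.0.113.10 or 198.51.100.0/24 (constructed sample values).
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
table <blockedips> persist file "/etc/pf.blocked.ip.conf"

block drop in log (all) quick on $ext_if from <blockedips> to any

# Allow MySQL only from the whitelist, then reject everything else aimed at
# that port. "quick" stops evaluation at the first match, so the pass rule
# must come before the block rule.
pass in quick on $ext_if proto tcp from <mwhite> to any port $mysql_port
block return in log (all) quick on $ext_if proto tcp from any to any port $mysql_port

# To cover every interface rather than only $ext_if (the reply's caveat about
# connections arriving via other interfaces), drop "on $ext_if" from both
# MySQL rules.
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`; the files named in the `table ... file` definitions must exist, an empty file is fine. After `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the active rules and `pfctl -t mwhite -T show` lists the addresses currently in the whitelist table. `block return` answers rejected connections with a TCP RST, so non-whitelisted clients fail immediately instead of waiting for a timeout; `block drop` would discard them silently, which is what the first rule does for the blocked-IP table.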
