On 06/06/2021 12:10, Frantisek Hennel wrote:
Thanks, but this doesn't work for me either :-(. I extended my rules with yours and this is the result.
Reloading pf rules.
/etc/pf.conf:6: port only applies to tcp/udp
/etc/pf.conf:6: skipping rule due to errors
/etc/pf.conf:6: rule expands to no valid combination
/etc/pf.conf:7: port only applies to tcp/udp
/etc/pf.conf:7: skipping rule due to errors
/etc/pf.conf:7: rule expands to no valid combination
I recommend keeping the order as described in man pf.conf:
STATEMENT ORDER
There are seven types of statements in pf.conf:
Macros
Tables
Options
Traffic Normalization (e.g. scrub)
Queueing
Translation
Packet Filtering
I would try it like this:
#################
ext_if="em0" # interface connected to internet
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
block drop in log (all) quick on $ext_if from <blockedips> to any
block drop in log (all) quick on $ext_if proto tcp from ! <mwhite> to any port 3306
#################
The syntax check passed for me:
root@tester ~/ # pfctl -nvf pf.conf
ext_if = "em0"
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
block drop in log (all) quick on em0 from <blockedips> to any
block drop in log (all) quick on em0 proto tcp from ! <mwhite> to any port = mysql
Otherwise, instead of "to any" you can also use "to self". And personally I would rather build the rules so that I block everything everywhere and allow access by name only to what I really want to have open to the outside. You never know when some service "starts up on its own" there... YMMV
Mirek
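As an added illustration of the default-deny approach suggested above (example ruleset, not from the post or from either author), here is a pf.conf laid out in the statement order given by pf.conf(5), reusing the two tables from the thread; the interface em0 and the set of exposed services are assumptions.

```pf
# Added example: default-deny ruleset in pf.conf(5) statement order.
# em0 and the exposed services are assumptions, not taken from the post.

# --- Macros ---
ext_if = "em0"                          # assumed external interface
tcp_services = "{ ssh, http, https }"   # assumed services to expose

# --- Tables ---
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"

# --- Options ---
set skip on lo0
set block-policy drop
set loginterface $ext_if

# --- Traffic normalization ---
scrub in on $ext_if all fragment reassemble

# --- Packet filtering ---
# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# Drop packets arriving on $ext_if with source addresses from our own nets.
antispoof quick for $ext_if

# Hard block for known-bad sources; "quick" stops evaluation here, so a
# whitelisted client that is also in <blockedips> is still dropped.
block drop in log (all) quick on $ext_if from <blockedips> to any

# Only whitelisted clients may reach MySQL on this host ("self").
pass in quick on $ext_if proto tcp from <mwhite> to self port mysql keep state

# Services deliberately open to everyone, named explicitly.
pass in quick on $ext_if proto tcp from any to self port $tcp_services keep state

# Let the host itself initiate outbound connections.
pass out quick on $ext_if keep state
```

Check it with `pfctl -nvf /etc/pf.conf` before loading, as done above; a port-based rule without `proto tcp`/`proto udp` will produce the "port only applies to tcp/udp" error from the quoted output.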
--
FreeBSD mailing list ([email protected])
http://www.freebsd.cz/listserv/listinfo/users-l