PF and blocking of some ports

Max Laier max at love2party.net
Mon Jul 21 10:48:27 UTC 2008


On Monday 21 July 2008 11:07:15 Vitaliy Vladimirovich wrote:
> Hi,
>
>  I have a question about blocking some ports for LAN users.
>
>  Below a part of my pf.conf:
>
>
> nat on $ext_if tag LAN_INET_NAT_TCP_UDP tagged LAN_INET_TCP_UDP -> $ext_if:0
>
> pass out quick on $ext_if inet tagged LAN_INET_NAT_TCP_UDP
> pass out quick on $ext_if inet proto {tcp udp} from $ext_if to $myisp port 53
>
>
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port !=25 tag LAN_INET_TCP_UDP
> pass in quick on $int_if inet proto {tcp udp} from $LAN to $int_if port 53
>
>
> All works fine. But when I wish to block not only port 25 but also 5190 or some
> other ports, blocking does not occur, and I can connect to port 25 on
> any host on the Internet from any computer in the local network.
>
> Rules, which I try to use:
> pass in quick on $int_if inet proto {tcp udp} from $LAN to !$int_if port {!=25 !=5190} tag LAN_INET_TCP_UDP
>
> Please tell me where my mistake is.

The above will expand to 4 rules:

pass quick ... tcp ... to !int_if port != 25 ...
pass quick ... udp ... to !int_if port != 25 ...
pass quick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...

It should be obvious that the first rule will allow tcp traffic to port 
5190 and the third to port 25.

In general you should rather block unwanted traffic explicitly.
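As an added illustration that is not part of the original thread, the following Python snippet models pf's brace-list expansion and first-match evaluation of `quick` rules (a simplified model assumed here, not pf's code) and shows why `port {!=25 !=5190}` still passes port 25 while an explicit block rule ahead of the pass does not:

```python
from itertools import product

def expand(rule):
    """Expand brace lists in 'proto' and 'port' into the flat rules pfctl
    generates: one rule per combination, ports outer, protocols inner
    (the order shown in the reply above)."""
    protos = rule["proto"] if isinstance(rule["proto"], list) else [rule["proto"]]
    ports = rule["port"] if isinstance(rule["port"], list) else [rule["port"]]
    return [dict(rule, proto=p, port=q) for q, p in product(ports, protos)]

def expand_ruleset(ruleset):
    flat = []
    for r in ruleset:
        flat.extend(expand(r))
    return flat

def port_matches(spec, port):
    """spec: int (equality), '!=N' (inequality) or None (any port)."""
    if spec is None:
        return True
    if isinstance(spec, str) and spec.startswith("!="):
        return port != int(spec[2:])
    return port == spec

def decide(ruleset, proto, port):
    """All rules are 'quick': the first match wins. pf's default when
    nothing matches is pass, mirrored here."""
    for r in expand_ruleset(ruleset):
        if r["proto"] == proto and port_matches(r["port"], port):
            return r["action"]
    return "pass"

# Constructed rulesets modelling the two pf.conf variants.
# The poster's attempt: pass ... proto {tcp udp} ... port {!=25 !=5190}
BROKEN = [{"action": "pass", "proto": ["tcp", "udp"], "port": ["!=25", "!=5190"]}]
# Explicit block first, then pass everything else to the Internet
FIXED = [
    {"action": "block", "proto": ["tcp", "udp"], "port": [25, 5190]},
    {"action": "pass", "proto": ["tcp", "udp"], "port": None},
]

if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("fixed", FIXED)):
        for port in (25, 5190, 80):
            print(name, "tcp", port, "->", decide(rs, "tcp", port))
```

For the broken ruleset a TCP packet to port 25 fails rules 1 and 2 but matches rule 3 (`tcp ... port != 5190`) and is passed; the fixed ruleset blocks it on the first expanded rule.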

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
