block ip's and ports
olli hauer
ohauer at gmx.de
Mon Nov 23 16:22:45 UTC 2009
Sife Mailling wrote:
> Salamo Alikom
> I set up a firewall for a personal home computer; now I want every packet blocked if it is not going to the specified ports.
> This is my pf.conf:
> net_card="sis0"
> tcp_ports="{80 ,https ,domain ,auth ,21}"
> udp_ports="{domain}"
> table <banned> file "/etc/pf/banned"
> table <banned2> {www.google.com}
> block in log (all) on $net_card proto {tcp ,udp} all
> pass in on $net_card proto tcp from any to any port $tcp_ports
> pass in on $net_card proto udp from any to any port $udp_ports
> pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
> block in on $net_card proto tcp from { <banned>, <banned2> } to any port $tcp_ports
> pass out on $net_card proto tcp from any to any port $tcp_ports
> pass out on $net_card proto udp from any to any port $udp_ports
> pass out on $net_card inet proto tcp from any to any port ftp
> pass out on $net_card inet proto tcp from any to any port > 1023
>
> Now Skype works, and with both tables banned and banned2 I can browse sites including them.
>
Try the quick keyword, so traffic is not allowed by later rules.
Additionally, disable outgoing traffic, since if you create a connection from
inside to <banned>, a state which permits incoming traffic is created.
Example ordering:
table <banned> file "/etc/pf/banned"
table <banned2> {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
block in quick on $net_card proto tcp from { <banned>, <banned2> } \
to any port $tcp_ports label blockin
block out quick on $net_card proto tcp from { <banned>, <banned2> } \
to any port $tcp_ports label blockout
pass in on $net_card proto tcp from any to any port $tcp_ports
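To make the behaviour described in the reply concrete, here is an added Python model (not part of the original thread) of pf's evaluation order: the last matching rule wins unless a rule is `quick`, and a passing rule creates state that later packets match before the ruleset is consulted at all. The rulesets, addresses and table contents are constructed stand-ins for the poster's configuration; only TCP and the rules relevant to the banned tables are modelled.

```python
# Added example (not from the thread): toy model of pf rule evaluation,
# last match wins unless 'quick'; a pass creates state; state skips rules.
from dataclasses import dataclass
BANNED = {"203.0.113.10"}           # constructed stand-in for table <banned>
TCP_PORTS = {80, 443, 53, 113, 21}  # the poster's $tcp_ports, as numbers

@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False
    src: set = None         # None means "any"
    dst: set = None
    dports: set = None
    def matches(self, pkt):
        return (self.direction == pkt["dir"]
                and (self.src is None or pkt["src"] in self.src)
                and (self.dst is None or pkt["dst"] in self.dst)
                and (self.dports is None or pkt["dport"] in self.dports))

def evaluate(rules, pkt, states):
    key = ((pkt["src"], pkt["dst"], pkt["dport"]) if pkt["dir"] == "out"
           else (pkt["dst"], pkt["src"], pkt["sport"]))
    if key in states:
        return "pass"           # existing state: the ruleset is skipped
    verdict = "pass"            # pf's default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break           # quick: stop at the first matching rule
    if verdict == "pass":
        states.add(key)         # a passing rule creates state
    return verdict

ORIGINAL = [Rule("block", "in"), Rule("pass", "in", dports=TCP_PORTS),
            Rule("block", "in", src=BANNED, dports=TCP_PORTS),
            Rule("pass", "out", dports=TCP_PORTS)]
FIXED = [Rule("block", "in"),
         Rule("block", "in", quick=True, src=BANNED, dports=TCP_PORTS),
         Rule("block", "out", quick=True, dst=BANNED, dports=TCP_PORTS),
         Rule("pass", "in", dports=TCP_PORTS), Rule("pass", "out", dports=TCP_PORTS)]

def browse_banned(rules):
    # Outbound SYN from the LAN host to a banned web server, then its reply.
    states = set()
    syn = {"dir": "out", "src": "192.168.1.5", "dst": "203.0.113.10",
           "sport": 40000, "dport": 80}
    reply = {"dir": "in", "src": "203.0.113.10", "dst": "192.168.1.5",
             "sport": 80, "dport": 40000}
    return evaluate(rules, syn, states), evaluate(rules, reply, states)
```

With the original ordering both the SYN and the reply pass, because the `pass out` rule creates state that the reply matches; with the reordered rules the outbound SYN is blocked and no state exists. The poster's `block in` rule does stop connections that a banned host initiates; it is the locally initiated connection whose state lets the replies through.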