Robert,

Your rule looks ok. You may want to add a variable for the port number so you can add or delete them as needed. Something like...

### Ports
AllowOUT="{22, 80, 443}"

### Pass out interface
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate state flags S/SA

Hope this helps,

OpenBSD Pf Firewall "how to" ( pf.conf )
https://calomel.org/pf_config.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
> Hi folks,
>
> All the time I had the following entries in my pf.conf for my Desktop system.
> However, as I've bought this pf book that was lately released, I begin to
> suspect that these rules are way too liberal.
>
> If I only want to be able to browse the web and maybe use ssh-client, how
> should I rewrite the rules so that only those ports are open (80, 443 and 22)?
>
> I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I
> knew how to write them.
>
> The best I could guess is:
>
> pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA
>
> But I don't know if this is correct.
>
> Brgds
> Robert
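A fuller desktop ruleset built around the port macro suggested in the reply, as an added example that is not part of either message: it adds the default deny that makes the allow-list meaningful, and the DNS pass without which web browsing to ports 80/443 would not work. The interface name em0 and the DNS line are assumptions, not something the thread states.

```pf
# Added example pf.conf for a single desktop host (not from the thread).
# Assumption: the outbound interface is em0; adjust to your system.
int_if = "em0"

### Ports allowed outbound over TCP: ssh, http, https
AllowOUT = "{ 22, 80, 443 }"

# Do not filter loopback; answer refused connections instead of silently dropping
set skip on lo
set block-policy return

# Default deny in both directions. Everything not explicitly passed below is
# blocked and logged to pflog0, so a missing port shows up in the log rather
# than being an open hole.
block log all

# Drop packets arriving on $int_if with source addresses that could not have
# legitimately come from that network
antispoof quick for $int_if

# Assumption: browsing needs name resolution, so allow DNS queries (UDP and TCP 53)
# to any resolver. Narrow "any" to your resolver addresses if they are fixed.
pass out on $int_if proto { tcp udp } from ($int_if) to any port 53 keep state

# Only the listed TCP ports may be opened outbound, and only by connections this
# host initiates (SYN set, ACK clear), with modulated initial sequence numbers.
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate state flags S/SA

# Before loading, check the syntax without touching the running ruleset:
#   pfctl -nf /etc/pf.conf
# Then load it with:
#   pfctl -f /etc/pf.conf
```

Because `block log all` is the only inbound rule, the desktop also accepts no unsolicited inbound connections; replies to the passed outbound connections are matched by the state entries, not by a separate pass in rule.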