Hi, start with a block rule without "quick", then apply the pass rules. Something like this:

table <OurNetworks> const { .... }
block proto tcp from any to any port 22
pass quick proto tcp from <OurNetworks> to any port 22 no state
pass in quick proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22

2012/1/5 Gregory Edigarov <g...@bestnet.kharkov.ua>:
> On Thu, 5 Jan 2012 09:21:16 +0100
> Rafal Bisingier <ra...@man.poznan.pl> wrote:
>
>> Hi,
>>
>> On Thursday, 05 Jan 2012 at 09:00 CET
>> Robert Wolf <r.wolf.c...@gmail.com> wrote:
>>
>> > ----
>> > table <OurNetworks> const { .... }
>> > pass quick proto tcp from <OurNetworks> to any port 22 no state
>> > pass in quick proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22
>> > block quick proto tcp from any to any port 22
>> > ----
>> >
>> > But of course, the last rule blocks all SSH traffic going from
>> > unknown networks to all hosts.
>> >
>> > Could someone please help me to create PF rules to block only
>> > traffic going to the local machine from networks other than OurNetworks,
>> > similarly to the iptables rule above?
>>
>> Just replace "to any" with "to self". Should do what you want.
>>
>> > I have read the PF manual but not found any possibility to tell pf "to
>> > LOCAL-HOST". I have searched with Google but no relevant articles were
>> > found; maybe I have not asked correctly.
>>
>> Well, it's not very easy to find, but the "self" word is explained in
>> the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load.
>
> --
> With best regards,
> Gregory Edigarov
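The advice in this thread put together as one pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; the interface name em0 and the two network prefixes are constructed placeholders standing in for the poster's real values.

```pf
# Added example, not from the thread. Assumed: egress interface "em0";
# 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for the trusted networks.
table <OurNetworks> const { 192.0.2.0/24, 198.51.100.0/24 }

# Default-deny for SSH aimed at this host only ("self", not "any").
# No "quick" here: PF uses last-matching-rule semantics, so a later "pass"
# that matches the same packet overrides this block.
block in on em0 proto tcp from any to self port 22

# Trusted networks may reach sshd on this host; "quick" ends evaluation here.
pass in quick on em0 proto tcp from <OurNetworks> to self port 22

# Anyone may reach the alternate port; the packet is redirected to the local sshd.
pass in quick on em0 proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22

# SSH from this host outwards, and SSH that merely transits this host
# (if it forwards), is not touched by the "to self" rules above.
pass out on em0 proto tcp from self to any port 22
```

Since "self" is expanded to the host's addresses when the ruleset is loaded (the point Gregory makes above), reload with `pfctl -f /etc/pf.conf` after an interface address changes; `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the loaded rules with "self" already expanded, which is the quickest way to confirm the block rule covers the addresses you expect.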