Hello folks,

I'd like some help with the following rules on pf.
I'm trying to block all https requests outgoing from my network and unblock
just some IPs.
The blocked IPs are allowed to access specific sites that are listed in files
with the domain names that I want to allow, the unblocked_ips and
unblocked_sites files.

The pf rules:
antispoof for bge0
antispoof for bge1
set block-policy drop
set skip on lo
it_ips="{ 192.168.255.35, 192.168.255.36, 192.168.255.20 }"
tcp_services="{ 20 21 25 80 110 143 465 587 993 1020 3389 5223 5310 8017 8080 8081 22000 }"
udp_services="{ domain ntp 5223 33433:33626 }"
icmp_types="{ echorep, echoreq, unreach, squench, redir, timex }"
table <networks> persist file "/etc/pf/networks"
table <martians> persist file "/etc/pf/martians"
table <unblocked_sites> persist file "/etc/pf/unblocked_sites"
table <unblocked_ips> persist file "/etc/pf/unblocked_ips"
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from lan:network to any nat-to (egress:0)
block return in on ! lo0 proto tcp to port 6000:6010
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block on egress all
anchor "ftp-proxy/*"
pass in quick on lan inet proto tcp to port 80 divert-to 192.168.255.254 port 3129
pass in quick on lan inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on lan inet proto tcp from $it_ips to lan:0 port 22
pass quick on lan inet proto icmp icmp-type $icmp_types
pass on lan all
pass out quick on egress inet proto tcp from <unblocked_ips> to port https
pass out quick on egress inet proto tcp from !<unblocked_ips> to <unblocked_sites> port https
pass out quick on egress inet proto icmp icmp-type $icmp_types
pass out on egress inet proto tcp to port $tcp_services
pass out on egress inet proto udp to port $udp_services

With these rules applied all IPs, even those that are supposed to be
unblocked, are being blocked.

I'd appreciate any help.
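An added worked example, not part of the post above and not the poster's ruleset. In OpenBSD pf a match rule with nat-to rewrites the source address as soon as it matches, so pass rules evaluated later on egress compare the source against the translated egress address rather than the LAN address; a per-LAN-host https policy is therefore easiest to express on the inbound side of the internal interface, before translation. The example assumes that "lan" is a macro for the internal interface (bge1 is a placeholder), that the LAN is 192.168.255.0/24 as in the post, and that the two table files exist with the same names as in the post.

```pf
# Added example: https policy decided on the internal interface,
# before the nat-to match rule on egress rewrites the source address.
# Assumptions: bge1 faces the LAN (placeholder), tables as in the post.
lan="bge1"

table <unblocked_sites> persist file "/etc/pf/unblocked_sites"
table <unblocked_ips>   persist file "/etc/pf/unblocked_ips"

set block-policy drop
set skip on lo

# NAT for LAN hosts; after this rule matches, later rules see (egress:0)
match out on egress inet from $lan:network to any nat-to (egress:0)

block on egress all

# https policy, evaluated with the original LAN source address:
#  - hosts in <unblocked_ips> may reach any https site
#  - every other LAN host may reach only hosts in <unblocked_sites>
#  - all remaining https from the LAN is refused
pass in quick on $lan inet proto tcp from <unblocked_ips> to any port https
pass in quick on $lan inet proto tcp from $lan:network to <unblocked_sites> port https
block return in quick on $lan inet proto tcp from $lan:network to any port https

# whatever was admitted on the LAN side still needs a pass out on egress;
# no per-host condition is needed here because the decision was made above
pass out quick on egress inet proto tcp to port https
```

Two points to check after loading such a ruleset: `pfctl -sr` shows the rules in the order pf evaluates them, and `pfctl -t unblocked_sites -T show` lists the addresses the table actually contains. Hostnames in a table file are resolved once, when pfctl loads the file, so a site whose DNS answers change over time will need the table reloaded (for example with `pfctl -t unblocked_sites -T replace -f /etc/pf/unblocked_sites`) to keep matching.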
