On Thu, Sep 25, 2025 at 10:27:52AM +0300, kasak wrote:
> This is my simplified pf.conf (I've cropped some variables, I think they are
> intuitive):
[ ... ]
> block in on $ext_if
>
> pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
>
> pass in quick on em0 inet proto tcp to em0 port { smtp, www, https,
> submission }
>
> #Block 25 port from lan
> #block out quick on egress proto tcp from !self to any port 25
>
> #Enable NAT
> pass out on $ext_if inet from $newlan nat-to $ext_ip
> pass out on $ext_if inet from $guest_vpn to ! <mynets> received-on pppx
> nat-to $ext_ip
It's usually more helpful to show the whole pf.conf rather than just parts,
because here you're using a mixture of $ext_if, em0, and egress, and it's
not 100% obvious at first glance whether there is a reason for this, whether
they are the same or different interfaces, or whether this pf.conf has been
constructed from examples of lines picked from diverse examples across the
web.
But if you look at the manual page for pf.conf, you'll see that 'self':
'expands to all addresses assigned to all interfaces'
... which is almost certainly not what you want.
Maybe you want something like:
block out quick on $ext_if proto tcp from !$ext_if to any port 25
> Maybe there is a better solution?
There is.
Block _all_ outbound traffic, and just allow the specific ports that you
actually require.
If this is a simple setup with just two interfaces, it shouldn't be too
difficult to work out the required flows. You can probably avoid using a
mixture of quick and non-quick rules as well, which will make the pf.conf
easier to read and probably less error-prone to edit at a later date.
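As an added illustration (not part of this thread, and not kasak's actual config), here is a pf.conf sketched along those lines: a single macro for the external interface instead of a mix of $ext_if, em0 and egress, default deny in both directions on it, and only the flows named above passed. The interface names, addresses and LAN prefix are placeholders; the guest VPN rule is left out because its details are not in the thread.

```pf
# Placeholders: adjust to the real interfaces and addresses.
ext_if = "em0"
lan_if = "em1"
ext_ip = "192.0.2.10"
newlan = "10.0.0.0/24"
admin  = "192.0.2.100"

set skip on lo

# Default deny on the external interface, both directions.
# Logging blocked outbound packets makes LAN hosts that try to
# talk directly to port 25 show up in pflog instead of silently failing.
block in  log on $ext_if
block out log on $ext_if

# Inbound: only the services this host actually offers.
pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
pass in on $ext_if inet proto tcp to $ext_if port { smtp, www, https, submission }

# Outbound from the firewall itself: only what it needs to run.
pass out on $ext_if inet proto udp from $ext_if to any port { domain, ntp }
pass out on $ext_if inet proto tcp from $ext_if to any port { domain, smtp, www, https }

# Outbound from the LAN, translated to the external address.
# There is deliberately no rule for port 25 here, so LAN hosts cannot
# reach remote mail servers directly; the "block out" above catches them.
pass in  on $lan_if inet from $newlan
pass out on $ext_if inet proto udp from $newlan to any port { domain, ntp } nat-to $ext_ip
pass out on $ext_if inet proto tcp from $newlan to any port { www, https } nat-to $ext_ip
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and read `tcpdump -n -e -ttt -i pflog0` afterwards to see which LAN flows are being dropped and whether any of them are legitimate.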