First, thanks to Stuart and Tihomir

On 15/01/2008, at 5:23 AM, Stuart Henderson wrote:

On 2008/01/14 07:49, Tihomir koychev wrote:
one other question: Will pfctl expand port != {53, ...} ?

Yes it will
http://www.openbsd.org/faq/pf/macros.html

not for port number.
(and see the warning on that page for lists of addresses :-)

nor does proto ! {list}, as I have found out (I'm not surprised, given the way pf works).


----- Original Message ----
From: Russell Fulton <[EMAIL PROTECTED]>
To: pf@benzedrine.cx
Sent: Monday, January 14, 2008 5:24:59 AM
Subject: protocol in rules

pass out quick on $ext_if proto {udp,tcp} from any to any port != 53
keep state

But now how do I allow all the other protocols ?  I can enumerate the
common ones but this is untidy and error prone.

Slightly ugly, but how about this?

 pass out quick on $ext_if proto {udp,tcp} from <external> to port 53
 block out quick on $ext_if proto {udp,tcp} to port 53
 pass out quick on $ext_if

The problem is that there are subsequent rules that allow DNS traffic for various name servers. I can change the rule set to put these rules above the external rule and then simply block 53. Looking at it now, I think this is by far the cleanest way of dealing with the problem; I do something similar with our mailservers.


I think I would be looking at converting the ruleset to use tags
though. It is a major change but I find it much easier to work with.
http://www.openbsd.org/faq/pf/tagging.html

Policy filtering is very good for some applications -- in our case we have entries for about 700 systems and that is not counting the 7000 systems in the external table.

Russell
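A pf.conf fragment putting the two approaches from this thread side by side (the ordering-based one Stuart sketched and the tagging variant he pointed to). This is an added example, not a ruleset from the thread or the OpenBSD FAQ; the interface macros, the <external> table file and the <nameservers> addresses are assumptions.

```pf
# Constructed example, not from the thread. Macros and tables are assumed.
ext_if = "em0"                                          # assumption
int_if = "em1"                                          # assumption
table <external> persist file "/etc/pf/external"       # assumed table file
table <nameservers> { 192.0.2.53, 198.51.100.53 }       # constructed (TEST-NET) resolvers

# --- Approach 1: rule ordering instead of "port != 53" / "proto ! { ... }" ---
# The specific DNS permissions come first, with "quick" so they win.
pass out quick on $ext_if proto { tcp, udp } from <external> \
    to <nameservers> port 53 keep state

# Any other outbound DNS is dropped. "log" sends the blocked packets to
# pflog, which is the easiest way to spot a host using an unapproved resolver.
block out log quick on $ext_if proto { tcp, udp } to port 53

# With port 53 fully handled above, one plain pass covers every remaining
# protocol, so nothing has to be enumerated and no negated list is needed.
pass out quick on $ext_if keep state

# --- Approach 2: tags. Classify on the inside interface, enforce on the outside. ---
# The "pass in" rules only tag; state is created on the $ext_if side so the
# outbound rules are actually consulted rather than short-circuited by state.
pass in on $int_if proto { tcp, udp } from <external> to <nameservers> port 53 tag DNS_OK
pass in on $int_if proto { tcp, udp } to port 53 tag DNS_DENY
pass in on $int_if tag OTHER_OK

block out log on $ext_if tagged DNS_DENY
pass  out on $ext_if tagged DNS_OK   keep state
pass  out on $ext_if tagged OTHER_OK keep state
```

Load either variant with `pfctl -nf /etc/pf.conf` first to check the syntax before `pfctl -f`.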
