please check my pf

2006-09-28 Thread sonjaya

I have a BSD machine running as gateway + proxy (providing internet access
and DNS for my LAN).
I want to create rules. All internet requests through the proxy work fine, but
in pftop I see some protocols, such as P2P applications, passing my gateway.
How do I block them?
P2P = eDonkey and BitTorrent.

Below is my pf script:

ext_if=xl0
int_if=xl1
int_ip=127.0.0.1                     # the proxy listens on loopback
ip_limited=192.168.0.50              # defined but not used by any rule below
tcp_allow="{ 22, 80, 8080, 443, 113 }"
udp_allow="{ 53, 113 }"
icmp_types=echoreq
set block-policy return
set skip on lo
scrub all
# NAT everything leaving $ext_if that did not originate on the gateway itself
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# transparent proxy: LAN web traffic is redirected to the proxy on the gateway
rdr pass on $int_if proto tcp to port 80 -> $int_ip port 8080
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# POP3 from outside is redirected to 192.168.0.1 (there is no matching pass in rule below)
rdr on $ext_if proto tcp from any to any port 110 -> 192.168.0.1
block all
pass out keep state
pass in on $ext_if inet proto tcp from any to {$ext_if} \
   port $tcp_allow flags S/SA keep state
pass in on $ext_if inet proto udp from any to {$ext_if} \
   port $udp_allow  keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# everything arriving from the LAN is let in unconditionally; "pass out keep state"
# above then lets it leave on $ext_if, whatever the destination port
pass in quick on $int_if




-sonjaya-



Re: please check my pf

2006-09-28 Thread jacek
hi

--
Jacek

On 9/28/06, sonjaya [EMAIL PROTECTED] wrote:

> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to any port 110 -> 192.168.0.1
> block all
> pass out keep state


You should set rules per interface and specify which services you allow for
outbound connections, because in the above you block all and then allow all
outbound connections. For example:

pass out on $int_if keep state
# outbound from the gateway on $ext_if is now limited to the listed ports
pass out on $ext_if proto tcp from any to any port $tcp_allow keep state
pass out on $ext_if proto udp from any to any port $udp_allow keep state

pass in on $ext_if inet proto tcp from any to {$ext_if} \
   port $tcp_allow flags S/SA keep state
pass in on $ext_if inet proto udp from any to {$ext_if} \
   port $udp_allow keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if




> -sonjaya-
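A complete pf.conf along the lines Jacek describes, added here as an illustration and not taken from either post. It keeps the interface names, the proxy on 8080 and ftp-proxy on 8021 from sonjaya's configuration and the OpenBSD 3.9/4.0-era syntax used in the thread; the LAN prefix 192.168.0.0/24, the trimmed port lists and the separate inbound/outbound macros are assumptions. The change that actually stops the peer-to-peer traffic is at the end: the LAN is no longer admitted with "pass in quick on $int_if", only DNS, the proxy ports, ssh and ping to the gateway are accepted from it, and the gateway's own outbound traffic is limited per interface. Anything else from the LAN, including direct eDonkey and BitTorrent connections, hits the logged block rule.

```pf
# Added example, not from the thread.  Per-interface filtering for a
# gateway + squid + ftp-proxy box.  xl0/xl1, 8080 and 8021 are from the
# original post; the LAN prefix and the port lists below are assumptions.
ext_if     = "xl0"
int_if     = "xl1"
lan_net    = "192.168.0.0/24"        # assumed LAN prefix
proxy_port = "8080"                  # squid on the gateway
ext_in_tcp = "{ 22, 80, 443 }"       # what the outside may reach on the gateway
out_tcp    = "{ 22, 80, 443 }"       # what the gateway (squid, ssh) may open outward
out_udp    = "{ 53 }"                # DNS forwarding
icmp_types = "echoreq"

set block-policy return
set skip on lo
scrub all

# Translation: NAT the LAN, transparent proxying for web and ftp.
nat on $ext_if from $lan_net -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan_net to any port 80  -> 127.0.0.1 port $proxy_port
rdr pass on $int_if proto tcp from $lan_net to any port ftp -> 127.0.0.1 port 8021

# Default deny, logged, so dropped P2P sessions show up on pflog0.
block log all
anchor "ftp-proxy/*"                 # ftp-proxy inserts its data-connection rules here

# Traffic the gateway itself starts, per interface.
pass out on $int_if keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port $out_tcp flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp      flags S/SA keep state  # ftp-proxy control channel
pass out on $ext_if inet proto udp from ($ext_if) to any port $out_udp keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type $icmp_types keep state

# Traffic the outside may start to the gateway.  The proxy port is
# deliberately absent: it is reachable from the LAN only.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_in_tcp flags S/SA keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_types keep state

# Traffic the LAN may start: DNS to the gateway, the proxy (port 80 is
# redirected above; $proxy_port is for clients configured explicitly),
# ssh to the gateway, and ping.  There is no "pass in quick on $int_if",
# so direct edonkey/bittorrent connections never get past $int_if.
pass in on $int_if inet proto udp  from $lan_net to ($int_if) port 53 keep state
pass in on $int_if inet proto tcp  from $lan_net to ($int_if) port { 22, $proxy_port } flags S/SA keep state
pass in on $int_if inet proto icmp from $lan_net icmp-type $icmp_types keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", and confirm the blocking is doing what you expect with "tcpdump -n -e -ttt -i pflog0" while a LAN client tries to start a P2P session. Because only ports 80, 443 and ftp are reachable through the proxy, any other service the LAN legitimately needs has to be added to the "pass in on $int_if" rules (and, if the gateway forwards it rather than proxies it, to $out_tcp or $out_udp) explicitly.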