BSD PF Rule question

lil_drummaboy · 12-24-2004, 10:10 PM

Hi,

On my router i want to be able to access ftp/http/etc but I cannot with the current ruleset I have, If i put:

Code:

pass in on $ext_if proto tcp from any to $ext_if

...it works fine but that makes a giant security hole for anyone to exploit. Also turning off PF entirely works aswell but I would like to access the internet while my PF is running. Someone told me a "flags S/SA" would work and only allow connections already made to come back or something along those lines, but that did not work. I think he said to block quick SYN flags then allow the ports under that rule but that didn't work either.

Any suggestions?

zaicheke · 12-24-2004, 10:26 PM

This only passes traffic in on my internal network if it orginally came from my internal network. So i can access everything but no one can access me.

pass in on $int_if from $int_if:network to any keep state

lil_drummaboy · 12-24-2004, 10:58 PM

great! thanks alot!

merry christmas.

lil_drummaboy · 12-24-2004, 11:09 PM

no wait, that didn't work.

I put in....

Code:

pass in quick on $ext_if inet from $ext_if:network to any keep state

and all it translated to was....

Code:

pass in quick on xl0 inet from 192.168.1.0/24 to any keep state

that doesn't allow me to connect to the net, it allows traffic from my LAN into my router.

zaicheke · 12-26-2004, 08:59 PM

it works for me. I can access the net with it and i can't ssh to my box unless the box i'm sshing from is on the network. Plus this is a line i got from the PF users guide. It's all there.