# Deny specific hosts in a pf ruleset?



## flx- (Dec 10, 2009)

Hi guys, I need some help writing my ruleset for the office LAN here where I work, so I can get the network connected to the internet with NAT and with just a few ports allowed for the network to operate as it should. But I'm having issues trying to deny specific hosts, or better said, deny the rest of the hosts and allow just some of them to connect to another host.

For a better explanation, here is my ruleset.

```
#by flx-
#Interfaces and Common Ports
externa="vr0"
interna="xl0"
red="{192.168.0.0/24}"
tcp_serv="{ssh, smtp, domain, http, ftp-data, ftp, \
        pop3, auth, https, pop3s, 465, 3128, 8080, 1863, 6667}"

udp_serv="{domain, bootps, 3128, bootpc, ftp, ftp-data}"
denegados="{ssh, 3128, 8080, ftp, ftp-data}"
ecepciones="{192.168.0.3}"

table <adm-mr> persist file "/etc/maquinas/adm-mr"
table <lan> persist {192.168.0.0/24}

#Global PF Settings
set optimization high-latency
set block-policy drop
set skip on lo

#Normalization
scrub in all

#Nat
nat on $externa from $red to any -> $externa

#Rdr
# squid on 3128 only speaks TCP, so only redirect TCP port 80
rdr on $interna proto tcp from any to any port 80 -> $interna port 3128

#Filtering
block log all
pass out log on $interna proto {tcp, udp} from {<adm-mr> !<lan>} to qc-base
pass log proto tcp from any to any port $tcp_serv keep state
pass log proto udp to any port $udp_serv keep state
pass log inet proto icmp from any to any icmp-type echoreq keep state
```

Any ideas of what I'm doing wrong?


----------



## SirDice (Dec 10, 2009)

Try this:

```
# This one's not really needed because you already have a block all:
block out log on $interna proto {tcp, udp} from <lan> to qc-base
# This allows everyone in <adm-mr>:
pass out log on $interna proto {tcp, udp} from <adm-mr> to qc-base
```

You have to remember that pf doesn't stop parsing rules when it finds a hit. So if you start with a block then a less restrictive pass, the last one will be the one that works.

Another way to do it is like this:


```
externa="vr0"
interna="xl0"
# the braces must be inside quotes, otherwise pfctl rejects the macro
lan="{192.168.0.0/24}"

table <adm-mr> persist file "/etc/maquinas/adm-mr"

block log all
pass in on $interna from $lan to any keep state
block in on $interna from !<adm-mr> to any
```

The pass in allows all traffic from your lan to outside. The block blocks everything except the hosts in <adm-mr>. This means that only the hosts in <adm-mr> are able to access the internet.


----------



## flx- (Dec 10, 2009)

But what I want is to keep those ports in $tcp_serv and $udp_serv open so the entire network has access to the internet and other services; the thing is that I just need to block all hosts on my LAN and just give access to qc-base to those in table <adm-mr>.


----------



## SirDice (Dec 10, 2009)

What is qc-base?


----------



## flx- (Dec 10, 2009)

It's a host defined in /etc/hosts.


----------



## hedwards (Dec 16, 2009)

SirDice said:

> Try this:
> 
> ```
> # This one's not really needed because you already have a block all:
> ...


If you're really sure you want that to be the last rule that's interpreted, you can always use the "quick" keyword to have pf stop checking the packet at that point and just do whatever that rule says.

It's nice sometimes like when you know that you're a specific class of IP inside and want to block all other types quickly without wasting much processing power on it.
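Putting the two answers together for what flx- asked for (everyone keeps the $tcp_serv/$udp_serv ports, only hosts in <adm-mr> may reach qc-base), here is a complete ruleset in the same pf.conf dialect the thread uses. This is an added example, not code posted by any participant; it assumes qc-base resolves via /etc/hosts to a host that is reached through this firewall (for instance beyond $externa or on another subnet), and it keeps the interface names, table file and macro names from the original post.

```pf
# Added example, not from the thread. Assumes qc-base (from /etc/hosts)
# is reached THROUGH this firewall, e.g. on the far side of $externa or
# on another subnet. If it sat on 192.168.0.0/24 itself, LAN hosts would
# reach it directly over the switch and pf would never see those packets.
externa="vr0"
interna="xl0"
red="{192.168.0.0/24}"
tcp_serv="{ssh, smtp, domain, http, ftp-data, ftp, pop3, auth, https, pop3s, 465, 3128, 8080, 1863, 6667}"
udp_serv="{domain, bootps, bootpc, 3128}"

table <adm-mr> persist file "/etc/maquinas/adm-mr"

set block-policy drop
set skip on lo
scrub in all

nat on $externa from $red to any -> $externa

# Redirection is applied before filtering, so port-80 traffic from a LAN
# host to qc-base would be rewritten to the proxy and the block rule below
# would no longer see "to qc-base". Exclude qc-base from the redirect.
rdr on $interna proto tcp from $red to !qc-base port 80 -> $interna port 3128

block log all

# In pf the last matching rule wins, so this restriction must survive the
# general pass rules that follow. "quick" ends rule evaluation on a match:
# for a non-<adm-mr> host talking to qc-base nothing below is consulted.
block in log quick on $interna from !<adm-mr> to qc-base

# Do not write "from {<adm-mr> !<lan>}" for this job: a negated member
# inside a list is expanded into a rule of its own, here "from !<lan>",
# which matches every address outside the LAN instead of what was meant.

# General LAN access, bound to the inside interface and the LAN source so
# these same rules do not also open the listed ports to the internet.
pass in on $interna proto tcp from $red to any port $tcp_serv keep state
pass in on $interna proto udp from $red to any port $udp_serv keep state
pass in on $interna inet proto icmp from $red to any icmp-type echoreq keep state

# The firewall's own outbound traffic (squid fetching pages, DNS lookups).
pass out on $externa keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `pfctl -vnf /etc/pf.conf` prints every rule after macro and list expansion, which is the quickest way to see what a negated list member really turns into. Note that the original post's `pass log proto tcp from any to any port $tcp_serv` rules carry no direction and no interface, so they also match packets arriving on $externa from the internet; binding the pass rules to `in on $interna from $red`, as above, keeps the LAN's allowed ports from doubling as an exposure of the firewall itself.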


----------

