# question/help



## Silfro (Sep 24, 2013)

Hello, I'm working on a pf.conf.

What I want to do:
- allow outgoing traffic to 3 IPs and block all other.
- allow ingoing traffic from 3 IPs and block all other.

Hint: 4.4.4.4 = Main Server IP / 5.5.5.5 = Website IP / 6.6.6.6 = Proxy Server (want everything to run through the proxy server).

This pf.conf is for the main server.

What I already have:

```
if = "{ em0 }"
allowed_ips = "{ 127.0.0.1, 4.4.4.4, 5.5.5.5, 6.6.6.6 }"

table <intranet> { 127.0.0.1 }
pass in quick from $allowed_ips to <intranet> keep state
pass out quick from <intranet> to $allowed_ips keep state

table <network> persist
block quick from <network>
pass in on $if proto tcp from $allowed_ips to $allowed_ips keep state
pass in on $if proto udp from $allowed_ips to $allowed_ips keep state
pass out on $if proto tcp from $allowed_ips to $allowed_ips keep state
pass out on $if proto udp from $allowed_ips to $allowed_ips keep state
block in on $if inet proto icmp all

block in all
block out all
pass in quick on lo0
pass out quick on lo0
pass in quick on em0 proto tcp from any to any port 22 keep state
pass in quick on em0 proto tcp from $allowed_ips to $allowed_ips port 3306 keep state

pass out quick on em0 proto tcp from $allowed_ips to $allowed_ips port 3306 keep state
```

I'm 100% sure there is something wrong, and the reason I'm posting here is to ask if anyone can check it, because I don't want to lose access to the server.


----------



## SirDice (Sep 25, 2013)

If you're doing this remotely load the ruleset like so:
`pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf.old`

That will load the rules from `/etc/pf.conf.new`, wait 60 seconds (so you can test) and load `/etc/pf.conf.old`. If you lock yourself out when loading the new ruleset, wait 60 seconds and the old rules will be loaded again. Obviously you can set the sleep a little longer if you want.


----------



## CoTones (Sep 25, 2013)

Obviously you didn't read the PF manual. It's written by the OpenBSD team, so it's a lot better than casual stuff. With good examples.


----------



## kpa (Sep 25, 2013)

It's a bad idea to try to restrict traffic on lo0 or have any kind of filtering on the 127.0.0.0/8 net because you very likely don't have the expertise to get the rules right. Just have this in your rules and leave lo0 and the localhost net 127.0.0.0/8 completely unfiltered:


```
set skip on lo0
```


----------



## SirDice (Sep 25, 2013)

Yes, the current rules allow traffic from 127.0.0.1 to 4.4.4.4 for example. This will never happen and is actually a violation of the RFCs. Traffic to/from 127.0.0.0/8 will never leave the host.


----------



## wblock@ (Sep 25, 2013)

The <network> table has no entries.


----------
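A ruleset that folds the replies above into the goal from the first post, as an added example that was not posted by anyone in this thread. The macro and table names (`ext_if`, `server`, `<peers>`) are chosen here, and it assumes 5.5.5.5 and 6.6.6.6 are the only remote peers, since 4.4.4.4 is the server itself.

```conf
# Added example, not from the thread. Addresses are the thread's placeholders.

# --- Macros and tables ---
ext_if = "em0"
server = "4.4.4.4"            # this host (main server)

# Remote hosts the server may exchange traffic with: website and proxy.
# 127.0.0.1 is deliberately absent: loopback traffic never crosses em0.
# The table is populated here, unlike the empty <network> table.
table <peers> const { 5.5.5.5, 6.6.6.6 }

# --- Options ---
set skip on lo0               # leave loopback completely unfiltered
set block-policy drop

# --- Filter rules ---
# Default deny in both directions. Without "quick", the last matching
# rule wins, so this goes first and the pass rules below override it.
block all

# SSH stays reachable from anywhere, as in the posted ruleset, so a
# mistake in the peer rules does not cut off remote administration.
# Narrow "from any" once the management addresses are known.
pass in quick on $ext_if inet proto tcp from any to $server port 22 keep state

# Inbound: only from the listed peers (covers MySQL on 3306 as well).
pass in on $ext_if inet proto { tcp, udp } from <peers> to $server keep state

# Outbound: only to the listed peers.
pass out on $ext_if inet proto { tcp, udp } from $server to <peers> keep state

# ICMP is not passed anywhere, so the default block covers it.
```

`pfctl -nf /etc/pf.conf.new` parses a file without loading it, which catches syntax errors before the timed load-and-revert command from SirDice's reply is used.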

