# PF rules question



## mefizto (Oct 22, 2010)

Greetings all,

this is my first attempt to write a rule-set for the PF firewall:


```
# Macros
#Interfaces
ExtInt="bge0"

#Services
TcpServices="{ssh, www, https, domain, smtp}"
UdpServices="{domain}"
IcmpTypes="{echoreq, unreach}"  #Ping
MailPorts="{smtp, imaps}"

# Tables

# Global Options
set loginterface $ExtInt        #Log all traffic on ExtInt
set block-policy return         #Filter Rule catch-all
set skip on lo                  #Do not filter lo interface traffic

# Traffic Normalization
#Scrub all packets
scrub in on $ExtInt all fragment reassemble
scrub out on $ExtInt all fragment reassemble random-id no-df #Fool monitoring

# Queueing Rules

# Network Address Translation

# Filter rules
block all                        #Block all traffic

block in quick from urpf-failed to any   #Activate spoofing protection
antispoof quick for {lo,$ExtInt} #Activate antispoofing

#TCP policy
block return-rst in on $ExtInt proto TCP all
pass in quick on $ExtInt proto TCP from any to $ExtInt port $TcpServices keep state

#UDP policy
block in on $ExtInt proto UDP all       #Block all incoming UDP traffic

#ICMP policy
block in on $ExtInt proto ICMP all
pass in quick on $ExtInt inet proto ICMP from any to $ExtInt icmp-type $IcmpTypes keep state

# Other traffic
block out on $ExtInt all
pass out quick on $ExtInt from $ExtInt to any keep state
```

The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:


```
-pass out quick on $ExtInt from $ExtInt to any keep state
+pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state
```

would accomplish this, but I get an error:


```
port only applies to tcp/udp
```

I do not understand why.  In my understanding the IP addresses assigned to the $ExtInt interface will be substituted into the rule, and according to the syntax:


```
action [direction] [log] [quick] [on interface] [af] [proto protocol] \
   [from src_addr [port src_port]] [to dst_addr [port dst_port]] \
   [flags tcp_flags] [state]
```

I am allowed to use src_port.  Any help would be appreciated.

Kindest regards,

M


----------



## SirDice (Oct 22, 2010)

mefizto said:

> The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:
>
> ```
> ...
> ```

A rule without a *proto* applies to UDP, TCP and ICMP. Since ICMP doesn't have port numbers it is a syntax error. You are also checking on the source port instead of the destination port. Change the rule to:

```
pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices keep state
```
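
As an added illustration (not part of the thread or of pfctl), a small Python checker that applies the two points in the reply to rules written in the grammar quoted in the question: it reproduces pfctl's "port only applies to tcp/udp" complaint when a port clause appears without `proto tcp` or `proto udp`, and it flags a source port on an outbound rule. The macro table is copied from the posted ruleset; the tokeniser is a simplified assumption, not pfctl's real parser.

```python
import re

# Macro values copied from the ruleset posted in the thread.
MACROS = {
    "ExtInt": "bge0",
    "TcpServices": "{ssh, www, https, domain, smtp}",
}

def expand(rule: str) -> str:
    """Substitute $Macro references (unknown macros are left as-is)."""
    return re.sub(r"\$(\w+)", lambda m: MACROS.get(m.group(1), m.group(0)), rule)

def parse(rule: str) -> dict:
    """Simplified tokeniser: direction, proto set, and which side has a 'port' clause."""
    # Collapse list literals such as "{ssh, www}" into one token before splitting.
    text = re.sub(r"\{[^}]*\}", lambda m: m.group(0).replace(" ", ""), expand(rule))
    toks = text.split()
    info = {"direction": None, "protos": set(), "src_port": False, "dst_port": False}
    side = None
    for i, tok in enumerate(toks):
        if tok in ("in", "out"):
            info["direction"] = tok
        elif tok == "proto":
            info["protos"] = set(toks[i + 1].strip("{}").lower().split(","))
        elif tok in ("from", "to"):
            side = tok
        elif tok == "port":
            info["src_port" if side == "from" else "dst_port"] = True
    return info

def check_rule(rule: str) -> list:
    """Return pfctl's complaint and a reviewer warning, if either applies."""
    info = parse(rule)
    findings = []
    has_port = info["src_port"] or info["dst_port"]
    # A port clause needs a proto that consists only of tcp and/or udp.
    if has_port and not (info["protos"] and info["protos"] <= {"tcp", "udp"}):
        findings.append("port only applies to tcp/udp")
    # Outgoing connections use ephemeral source ports, so "from ... port ssh"
    # would only match replies from the local sshd, not new outbound sessions.
    if info["direction"] == "out" and info["src_port"] and not info["dst_port"]:
        findings.append("source port on an outbound rule; use a destination port")
    return findings

if __name__ == "__main__":
    for rule in (
        "pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state",
        "pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices keep state",
    ):
        print(rule, "->", check_rule(rule) or ["ok"])
```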


----------



## mefizto (Oct 25, 2010)

Thank you, SirDice.  Worked like a charm.

M


----------

