I think that you need to add this kind of rule
And then for SSH
Code:
00200 allow tcp from any to any 22 in via $interface setup keep-state
00200 allow tcp from any to any 22 out via $interface setup keep-state
The check-state rules will allow a packet that matches the dynamic rules to pass
Sorry, but this is a bit superfluous. The 'check-state' is not necessary in this example, because 'keep-state' implies check-state already. Also, the second 200 rule is for outgoing ssh sessions, from the machine to other hosts.
More in general:
With such an approach for a "simple" firewall one will usually run into a bunch of problems, in the line of:
* [admins: where is the unordered list gone?]
* almost everything that connects to the internet relies on DNS. How is the machine going to resolve its nameserver queries?
* how is the machine going to adjust its machine time? (timed or NTP)
* the nightly daily script will usually download the port vulnerability lists from somewhere. How is this going to work?
* there may be more, these are just the ones I remember consciously.
So, usually you cannot live without outgoing requests, and you will start adding rules, and almost certainly this will produce a growing amount of spaghetti and finally end up unmaintainable. And, if the thing can be accessed from the internet, this is going to become dangerous.
For the given use-case of the OP we already have a solution in place, it is called the Workstation setup. This takes care of the basic functionality and can be configured in rc.conf. See /etc/rc.firewall for details. Here we have these options:
Code:
# firewall_myservices: List of ports/protocols on which this
# host offers services.
# firewall_allowservices: List of IPv4 and/or IPv6 addresses
# that have access to
# $firewall_myservices.
These could be configured to the required ports 22 and 8080.
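As an added example for the Workstation setup described above (my own, not code from the thread or from /etc/rc.firewall): the rc.conf lines for ports 22 and 8080, with a source network in place of "any" (192.0.2.0/24 is a constructed placeholder), plus two shell checks that catch a malformed entry before the ruleset is loaded. The port/proto form follows the rc.firewall comment quoted above; treating a bare port as TCP is my understanding of how rc.firewall handles it.

```shell
#!/bin/sh
# Added example (not from the thread): rc.conf settings for the ipfw
# "workstation" type serving SSH (22) and a web app (8080), plus a small
# sanity check of the two service variables before a reboot locks you out.

firewall_enable="YES"
firewall_type="workstation"
firewall_logdeny="YES"                  # log what the default deny drops
firewall_myservices="22/tcp 8080/tcp"   # port/proto form; a bare port is tcp
# "any" would expose both ports to every address; a management network
# (constructed placeholder prefix) is the safer setting.
firewall_allowservices="192.0.2.0/24"

# check_myservices VALUE: every entry must be port[/tcp|udp], port 1-65535.
# (rc.firewall also accepts other protocol suffixes; this check stays strict.)
check_myservices() {
    for j in $1; do
        port=${j%%/*}
        proto=tcp
        case $j in */*) proto=${j#*/} ;; esac
        case $port in
            ''|*[!0-9]*) echo "bad port: $j" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $j" >&2; return 1
        fi
        case $proto in
            tcp|udp) ;;
            *) echo "unknown protocol: $j" >&2; return 1 ;;
        esac
    done
    return 0
}

# check_allowservices VALUE: refuse an empty list (returns 1) and flag "any"
# (returns 2), which makes every firewall_myservices port world-reachable.
check_allowservices() {
    [ -n "$1" ] || { echo "firewall_allowservices is empty" >&2; return 1; }
    for i in $1; do
        if [ "$i" = any ]; then
            echo "warning: services open to any source address" >&2
            return 2
        fi
    done
    return 0
}
```

Run the two checks against the values you intend to put in rc.conf; a non-zero return means the line needs another look before `service ipfw restart`.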