Block port to outgoing

[cracker1985]

Hello everyone!

I need to block port 445 (from this port someone attacked) from my internal network to Internet. My pf conf as below:

ext_if="em0"
ext_ip="x.x.x.x"
int_if="vr0"
sync_if="msk0"
vlan1000_if="vlan1000"
safe_ports="{ 53,8080,22,8140 }"
safe_nat_ports="{ 110,25,143,993,443,587,465,995,3000,389,21,20,53 }"
table <clients> persist file "/etc/clients.conf"

#scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from y.y.y.y/25 to any port $safe_nat_ports -> $ext_if
nat on $ext_if from z.z.z.z/21 to any port $safe_nat_ports -> $ext_if
nat on $ext_if from <clients> to any -> $ext_ip
anchor "ftp-proxy/*"

#block in
#pass out
pass in all
pass out all

 

[ShelLuser]

The answer lies in the pf.conf(5) manualpage:

     # NAT PROXYING
     # Map outgoing packets' source port to an assigned proxy port instead of
     # an arbitrary port.
     # In this case, proxy outgoing isakmp with port 500 on the gateway.
     nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \
           port 500

So instead of checking for the originating port to match something, inverse that check and set up a check for any ports except 445.

Even so, this won't solve anything. If something launched an attack from your network then the originating port should be the least of your worries. Instead; focus on what they've attacked and put your attention on that. Better yet; focus on the source of the attack.

Blocking the source port won't help you because it would be peanuts to change that into something else.

 

[SirDice]

I agree, deal with the cause, don't try to cover the symptoms.

 

[cracker1985]

Thank you for answer.

I am sorry for the dumb question, because I am new to UNIX. Can I block outgoing port 445 in my pf.conf like that?

block out quick on ext_if proto tcp to port 445