PF and OSFP

[thegolum35]

Hi,

I'm having trouble with Packuet Filter. I'd like to only allow ssh incoming connection on port 22 if os ! windows. So I tried to do that:

int_if= "wlan0"
allowed_ports_out = "{80, 443, 1863, 21, 20}" # http; https; msn; ftp (2)

scrub in all
set skip on lo0

nat on $int_if from 172.16.0.10 to any -> ($int_if)

block in log all
block out log all
pass out on $int_if proto tcp from ($int_if) to any port $allowed_ports_out # usefull
pass out on $int_if proto udp from ($int_if) to {8.8.8.8, 8.8.4.4} port 53 # dns translation
pass out on $int_if proto icmp from ($int_if) to !($int_if:network) # allow outgoing icmp paquets (ping; traceroute)
pass out on $int_if proto tcp from ($int_if) to 192.168.1.53 port 22 
pass in log on $int_if proto tcp from any os ! "Windows" to ($int_if) port 22

However, pfctl -f /etc/pf.conf tells me that there is one error from line 15 ...

Thanks, Gollum

 

[DutchDaemon]

I'm not sure if negating ("!") works with this particular directive, so try a block quick rule followed by a pass rule.

E.g.

block in quick on $int_if inet proto tcp from any os "Windows" to ($int_if) port 22
pass in quick on $int_if proto tcp from any to ($int_if) port 22

 

[thegolum35]

I thank you much, it works !

Moreover, what do you think about my pf configuration ?

 

[DutchDaemon]

Use 'quick' whenever possible.

 

[thegolum35]

Okay.

Gollum