Volker wrote:
>
> Kevin,
>
> helping you with just this snippet of rules is like fishing in the
> dark.
>
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state (no keep state option) the answer to that incoming
> connection will probably never reach the originating IP address.
>
> As you're logging but not keeping state, you're getting a whole
> bunch of log entries, which might render your logs unreadable (every
> packet is being logged instead of every connection).
>
> If your rules work properly for other hosts (again, your snippet of
> rules is useless for supporting you) I'm wondering if your Vista
> machine does IPv6 and does not try v4? I don't know Vista at all but
> I guess v6 support is built in.
>
> Greetings,
>
> Volker
I was hoping that the issue was simple and common, given Vista's emphasis
on IPv6 among other networking issues. Either way, below is my entire pf
configuration. I hope it helps.
### Firewalls are Sun Netra X1 UltraSPARC IIe 400
# Interface and address macros. NOTE(review): in this posting the
# addresses are redacted ("xxx.xxx.xxx.x") and the four address macros
# below have lost their closing quote; the file on disk is presumably
# intact. $external_net is never referenced by the rules shown.
ext_if="dc1"
int_if="dc0"
loop_if="lo0"
internal_addr="xxx.xxx.xxx.x
external_addr="xx.xxx.xxx.xxx
internal_net="xxx.xxx.xxx.x
external_net="xx.xxx.xxx.xxx
### Load carp interfaces
# One macro per carp(4) interface. Of these only $c130-$c151 and $c169
# are referenced by the rdr rules below; $c1 and the rest of $c152-$c188
# are unused in this listing.
c1="carp1"
c130="carp130"
c131="carp131"
c132="carp132"
c133="carp133"
c134="carp134"
c135="carp135"
c136="carp136"
c137="carp137"
c138="carp138"
c139="carp139"
c140="carp140"
c141="carp141"
c142="carp142"
c143="carp143"
c144="carp144"
c145="carp145"
c146="carp146"
c147="carp147"
c148="carp148"
c149="carp149"
c150="carp150"
c151="carp151"
c152="carp152"
c153="carp153"
c154="carp154"
c155="carp155"
c156="carp156"
c157="carp157"
c158="carp158"
c159="carp159"
c160="carp160"
c161="carp161"
c162="carp162"
c163="carp163"
c164="carp164"
c165="carp165"
c166="carp166"
c167="carp167"
c168="carp168"
c169="carp169"
c170="carp170"
c171="carp171"
c172="carp172"
c173="carp173"
c174="carp174"
c175="carp175"
c176="carp176"
c177="carp177"
c178="carp178"
c179="carp179"
c180="carp180"
c181="carp181"
c182="carp182"
c183="carp183"
c184="carp184"
c185="carp185"
c186="carp186"
c187="carp187"
c188="carp188"
# Service lists. Only $InServicesTCP and $ProtoBlocked are used by the
# rules shown; the other three lists are unused in this listing.
InServicesTCP = "{ http, https }"
InServicesUDP = "{ domain, ntp, rpc }"
OutServicesTCP = "{ http, https, whois }"
OutServicesUDP = "{ ntp, domain, rpc }"
ProtoBlocked = "{ tcp, udp }"
# Tables. "const" tables are loaded once from a file and cannot be changed
# at run time; "persist" tables stay defined even when empty and are the
# targets of the overload clauses in the filter rules below.
table <carpext> const file "/etc/firewall/carp_extaddr.tbl"
table <private> const file "/etc/firewall/ip_localblock.tbl"
# NOTE(review): wrapped onto two lines with no trailing backslash in the
# paste; as printed pfctl would reject it, so presumably a mail-client
# artifact. The same wrap affects a number of rules further down.
table <caught> persist file "/etc/firewall/ip_caught.tbl" file
"/etc/firewall/ip_exploit.tbl"
#table <excess_conns> file "/etc/firewall/excess_conns.tbl"
# Per-service overload tables with no file backing: whatever an overload
# clause adds to them is lost at reboot. In the rules shown, the only
# clause naming one of them is commented out (near the FTP pass rule), and
# the inbound pass rules are truncated in the paste, so how these tables
# get populated is not visible here.
table <excess_conns_130> persist
table <excess_conns_131> persist
table <excess_conns_132> persist
table <excess_conns_133> persist
table <excess_conns_134> persist
table <excess_conns_135> persist
table <excess_conns_136> persist
table <excess_conns_137> persist
table <excess_conns_138> persist
table <excess_conns_139> persist
table <excess_conns_140> persist
table <excess_conns_141> persist
table <excess_conns_142> persist
table <excess_conns_143> persist
table <excess_conns_144> persist
table <excess_conns_145> persist
table <excess_conns_151> persist
table <excess_conns_ftp130> persist
table <excess_conns_ftp135> persist
table <excess_conns_ftp143> persist
table <webips> const file "/etc/firewall/web_server_ips.tbl"
#table <sshhacks> persist file "/etc/firewall/ssh_hackers.tbl"
# Filled by the overload clause on the port-22 pass rule below.
# NOTE(review): no rule in this listing blocks traffic from <sshhacks>, so
# an overloaded source only loses its existing states (flush global);
# nothing stops it from connecting again.
table <sshhacks> persist
table <sendmail_hacks> persist file "/etc/firewall/sendmail_hacks.tbl"
# NOTE(review): <blacklistproxies> is loaded but not referenced by any
# rule shown here.
table <blacklistproxies> persist file "/etc/firewall/blacklistproxies.tbl"
table <port_scans> persist file "/etc/firewall/port_scanners.tbl"
#### open for unabated users
# Sources in <unabated> bypass every other inbound check on $ext_if.
table <unabated> { xx.xxx.xxx.xxx }
#### nfs table for hosts
# NOTE(review): the <nfs> definition is commented out, yet two pass rules
# on $int_if below still reference <nfs>. Depending on the pf release,
# pfctl either rejects the rule set or creates <nfs> as an empty table so
# those rules match nothing; verify with "pfctl -nf".
#table <nfs> { xxx.xxx.xxx.x
##### Safe users
table <safeusers> { xxx.xxx.xxx.x }
# Options: tune the behavior of pf. Not all of the values below are the
# defaults: tcp.established is raised to 24 h, adaptive timeouts are
# switched off, and the state/fragment limits are far above the defaults.
set timeout { interval 30, frag 60, src.track 180 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# adaptive.start/end 0 disables the adaptive shortening of timeouts as the
# state table fills; combined with tcp.established 86400, an idle session
# holds its state entry for a full day.
set timeout { adaptive.start 0, adaptive.end 0 }
# NOTE(review): 2,000,000 states is a large kernel-memory commitment for a
# 400 MHz Netra X1 — confirm the box can actually hold that many entries
# before the limit matters.
set limit { states 2000000, frags 1000000 }
# No loginterface: "pfctl -s info" shows no per-interface packet/byte
# counters.
set loginterface none
set optimization normal
# Blocked packets are silently dropped rather than answered with RST/ICMP.
set block-policy drop
# require-order: translation rules (rdr/nat) must precede filter rules,
# which is the layout used below.
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic
ambiguities.
# NOTE(review): the bare word "ambiguities." above is the wrapped tail of
# the preceding comment (mail artifact); pfctl would reject it as printed.
scrub in all
### rdr's
# Inbound redirection: connections to the carp-managed public addresses
# are rewritten to the internal servers (targets redacted/truncated in the
# paste). "($cNNN)" resolves the interface address at match time, so the
# rules follow the carp address wherever it currently lives.
rdr on $ext_if proto tcp from any to ($c130) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c131) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c136) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c137) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c138) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c139) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c140) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c141) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c142) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c144) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c145) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c146) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c148) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c149) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c150) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 80 -> xxx.xxx.xxx.x
### Port 443 required mappings
rdr on $ext_if proto tcp from any to ($c131) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 443 -> xxx.xxx.xxx.x
#### Port 22 maps
# Inbound ssh to these hosts is also subject to the max-src-conn limiter
# on the "catch ssh hacks" pass rule further down.
rdr on $ext_if proto tcp from any to ($c130) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c169) port 22 -> xxx.xxx.xxx.x
##### Port 21 / FTP
rdr on $ext_if proto tcp from any to ($c130) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c130) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 2121 -> xxx.xxx.xxx.x
##### Port 20 / FTP data
# NOTE(review): the original heading repeated "Port 21"; these are the
# port 20 mappings. Redirecting inbound port 20 is unusual — in active-mode
# FTP the server opens the data connection outbound from port 20 — so
# confirm these are still needed.
rdr on $ext_if proto tcp from any to ($c130) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 20 -> xxx.xxx.xxx.x
##### Passive mode FTP data ports
# NOTE(review): each rule below is wrapped after "->" with no trailing
# backslash in the paste; presumably a mail artifact.
rdr on $ext_if proto tcp from any to ($c130) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 50000:50050 ->
xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 50000:50050 ->
xxx.xxx.xxx.x
##### Port 873 for rsync
rdr on $ext_if proto tcp from any to ($c143) port 873 -> xxx.xxx.xxx.x
####### Nat back out for connections initiated behind the firewall
# Source NAT on $ext_if for sixteen internal hosts/networks.
# NOTE(review): every line is truncated in the paste after the source
# address, so the translation target ("-> ...") cannot be reviewed here.
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
### Carp specific pass rules
# pfsync carries state-table updates between the two firewalls and has no
# authentication of its own. NOTE(review): it runs here on dc0, the
# internal interface, so any host on that segment can observe and inject
# state updates; a dedicated sync link (or protecting pfsync with IPsec)
# is the usual mitigation.
pass quick on { dc0 } proto pfsync
pass quick on { dc0 dc1 } proto carp keep state
#### Before block in all is turned back on make sure you don't get locked
out
#### allow safeusers
# ("out" two lines up is the wrapped tail of the preceding comment.)
# Sources in <unabated> get unrestricted stateful access through $ext_if.
pass in quick on $ext_if inet proto tcp from <unabated> to any flags S/SA
keep state
pass in quick on $ext_if inet proto udp from <unabated> to any keep state
pass in quick on $ext_if inet proto icmp from <unabated> to any keep state
### Office for Vista issue -- no state
# These four rules deliberately omit "keep state", so the return traffic
# has to be passed by the separate stateless "Vista rules" on $int_if
# below and by the absence of any "block out" rule. Because the tcp rule
# also logs, every packet from this /32 is logged, not just the first of
# each connection. NOTE(review): the last tcp rule repeats the first one
# without "log"; if the address is the same it is shadowed by the earlier
# "quick" match and never fires. Two caveats on the "no state" intent: pf
# creates state anyway for packets that matched a nat/rdr rule, and on pf
# releases where "pass" keeps state by default these rules also create
# state unless "no state" is given — check "pfctl -ss" to see what is
# really happening.
pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any
# Filtering ---- first up is the default block
# NOTE(review): only the inbound direction is blocked by default. pf passes
# anything that matches no rule, so outbound packets on both interfaces
# that no later rule matches are allowed; a "block out all" would make the
# egress policy explicit.
block in all
#block in on $ext_if
### block private addresses
# Drop private/bogon sources arriving on $ext_if and anything leaving
# towards them.
block drop in quick on $ext_if from <private> to any
block drop out quick on $ext_if from any to <private>
### Allow NFS traffic
# NOTE(review): <nfs> is only defined on a commented-out line in the table
# section; see the note there. All four rules are truncated in the paste.
pass in quick on $int_if inet proto tcp from <nfs> to xxx.xxx.xxx.x
pass in quick on $int_if proto udp from <nfs> to xxx.xxx.xxx.x
pass out quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $int_if inet proto udp from xxx.xxx.xxx.x
# Allow safehost access to web / FTP
# Stateful http/https from <safeusers> to the web servers; the six per-host
# rules that follow are truncated in the paste.
pass in quick on $ext_if inet proto tcp from <safeusers> to <webips> port
$InServicesTCP flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto icmp from <safeusers> to <webips> keep
state
#### Block sendmail hacks & port scans
# No interface or direction given: these match on every interface, both
# ways.
block drop quick from <sendmail_hacks>
block drop quick from <port_scans>
#### Block Excess connections - DoS - SSH hackers - but allow for them to
recieve the generic message
# One block rule per overload table. With "drop" (and block-policy drop)
# the source gets no answer at all; the heading above suggests a message
# was intended, which would need "block return" instead.
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_130> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_131> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_132> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_133> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_134> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_135> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_136> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_137> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_138> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_139> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_140> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_141> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_142> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_143> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_144> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_145> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_151> to
any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp130>
to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp135>
to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp143>
to any
### catch ssh hacks
# Inbound ssh on $ext_if (to the firewall and to the rdr'd hosts) is
# limited per source to one concurrent connection and one new connection
# per 200 s; a source that exceeds either is added to <sshhacks> and all
# of its states are flushed. NOTE(review): max-src-conn 1 also trips on a
# legitimate admin opening a second session, and nothing in this listing
# blocks <sshhacks>, so the table is only a record. Sources in <unabated>
# matched the earlier quick rule and are not limited.
pass in quick on $ext_if inet proto tcp from any to any port 22 flags S/SA
keep state (max-src-conn 1, max-src-conn-rate 1/200, overload <sshhacks>
flush global)
# Return leg for ssh servers behind the firewall: accept their SYN+ACK
# from port 22 on $int_if and track the connection from there.
pass in quick on $int_if inet proto tcp from any port 22 to any flags
SA/SAFR keep state
### block caught
# NOTE(review): the first three rules under this heading are passes, not
# blocks. The two stateless rules for one (redacted) address admit every
# protocol (the second may be truncated in the paste), and because they
# precede the <caught> block that address can never be blocked via
# <caught>; confirm that is intended.
pass out quick on $ext_if from any to xx.xxx.xxx.xxx
pass in quick on $ext_if from xx.xxx.xxx.xxx
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep
state
block drop in quick on $ext_if from <caught> to any
# Inbound packets claiming one of our own external addresses as source,
# and outbound packets addressed to them, are spoofed or misrouted and are
# dropped (the "antispoof" keyword expresses the same thing).
block drop in quick on $ext_if from <carpext> to any
block drop in quick on $ext_if from $ext_if to any
block drop out quick on $ext_if from any to <carpext>
block drop out quick on $ext_if from any to $ext_if
#### Explicit allow connections into the f/wall from the internal network
# ssh, DNS and ICMP from the internal network to the firewall's own
# internal address, stateful.
pass in quick on $int_if proto tcp from $internal_net to $internal_addr port
22 flags S/SA keep state
pass in quick on $int_if proto udp from $internal_net to $internal_addr port
53 keep state
pass in quick on $int_if proto icmp from $internal_net to $internal_addr
keep state
##### Apply anti-spoof blocks
# NOTE(review): both rules match on the destination, so they stop internal
# hosts from reaching <private> or $internal_net through the firewall
# rather than catching packets that enter $int_if with a forged source.
# "antispoof for $int_if" would cover the source side; confirm which was
# meant.
block drop in quick on $int_if from any to <private>
block drop in quick on $int_if from any to $internal_net
##### loopback interface
pass in quick on $loop_if all
pass out quick on $loop_if all
## block web access to this hosts BASE
# Only https to the firewall's own external address is blocked here; http
# to it is not mentioned and falls through to the earlier "block in all".
block drop in quick on $ext_if proto tcp from any to $external_addr port 443
# Public inbound pass rules for the rdr'd services. NOTE(review): all of
# them are truncated in the paste after the destination, so ports, flags,
# state and any overload clauses cannot be reviewed. The "SA/SAFR" return
# rules on $int_if further down suggest they are stateless.
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
#### FTP services --- 21 and passive
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
# NOTE(review): the overload clause that would populate
# <excess_conns_ftp130> is commented out here, so the matching block rule
# above has nothing to act on unless the table is filled elsewhere.
###(max-src-conn 74, max-src-conn-rate 100/2, overload <excess_conns_ftp130>
flush global)
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
###### allow mail rsync, etc
# Host-to-host rules, wrapped and truncated in the paste.
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to
xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to
xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
# Port 2620 in both directions on both interfaces. NOTE(review): the udp
# rules are stateless, and the inbound one on $ext_if admits datagrams from
# any source to any host on port 2620; the tcp rules at least require a
# SYN and keep state. What listens on 2620 is not visible here.
pass out quick on $ext_if inet proto tcp from any to any port 2620 flags
S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port 2620
pass in quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA
keep state
pass in quick on $ext_if inet proto udp from any to any port 2620
pass out quick on $int_if inet proto tcp from any to any port 2620 flags
S/SA keep state
pass out quick on $int_if inet proto udp from any to any port 2620
##### dns services have to be allowed
# Queries to the firewall's own DNS service, stateful.
pass in quick on $ext_if inet proto udp from any to $external_addr port 53
keep state
# NOTE(review): the next two rules match only on source port 53, so any
# UDP datagram sent with source port 53 reaches $internal_net — and, with
# the last rule, any address and port behind $ext_if — and creates state.
# Replies to the firewall's and the internal network's own queries are
# already matched by the states created on the outbound port-53 rules
# ("keep state", floating by default), so these two look redundant and
# widen exposure; compare against the state table before removing them.
pass in quick on $ext_if inet proto udp from any port 53 to $internal_net
keep state
pass in quick on $ext_if inet proto udp from any port 53 to any keep state
#### temp. ftp outbound for port updates / src updates / etc
#pass in quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass in quick on $int_if inet proto tcp from any to any port 21 keep state
#pass out quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass out quick on $int_if inet proto tcp from any to any port 21 keep state
##### with the block in all allow ns-2 full access
######## END OF INBOUND allows on the EXTERNAL interface ########
### allow SA responses back to initial SYN inbounds
# Return legs for the stateless public pass rules: the servers' SYN+ACK
# (flags SA/SAFR) from their service ports is accepted on $int_if and a
# state is created from it, which then carries the rest of the
# connection. NOTE(review): keeping state on the $ext_if inbound rules
# instead would track each connection from its SYN in the normal direction
# and make these return rules unnecessary.
pass in quick on $int_if proto tcp from <webips> port 80 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 443 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 21 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 20 to any flags
SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 50000:50050 to any
flags SA/SAFR keep state
# Stateful return traffic from the web servers to the privileged source
# tables, any port.
pass in quick on $int_if proto tcp from <webips> to <unabated> flags SA/SAFR
keep state
pass in quick on $int_if proto udp from <webips> to <unabated> keep state
pass in quick on $int_if proto icmp from <webips> to <unabated> keep state
pass in quick on $int_if proto tcp from <webips> to <safeusers> flags
SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <safeusers> keep state
pass in quick on $int_if proto icmp from <webips> to <safeusers> keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
### Vista rules
# Stateless return legs for the "Office for Vista" rules on $ext_if; the
# tcp one logs every packet. NOTE(review): no flags are given, so any tcp
# segment from the web servers to this /32 is passed, not only SYN+ACK.
pass in log quick on $int_if proto tcp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto udp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto icmp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
############ Some outbound rules ###########
# Traffic the firewall itself originates: ntp, ssh, dns, http, whois,
# https, 5999 and smtp to one relay (relay address redacted). All stateful.
pass out quick on $ext_if proto udp from $external_addr to any port 123 keep
state
pass out quick on $ext_if proto tcp from $external_addr to any port 22 flags
S/SA keep state
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep
state
pass out quick on $ext_if proto tcp from $external_addr to any port 80 flags
S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 43 flags
S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 443
flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 5999
flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to xxx.xxx.xxx.x/32
port 25 flags S/SA keep state
#allow traceroute from fw -> host , this is really slow and doesnt work
properly
#pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep
state
#pass out quick on $ext_if inet proto udp from any to any port 33433 ><
33626 keep state
# Per-host tcp rules on $int_if (truncated in the paste), interleaved with
# stateful DNS, NTP, ICMP and whois from the whole internal network.
# NOTE(review): two "block" rules sit between the per-host passes; with
# "quick" on every rule the order only matters where addresses overlap.
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 53 keep
state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 123 keep
state
pass in quick on $int_if proto icmp from $internal_net to any keep state
pass in quick on $int_if proto tcp from $internal_net to any port 43 flags
S/SA keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x