"block all" Permit inbound port 80, but do not permit new outbound connections. Consider each interface a separate firewall, with separate flows entirely, then use policy enforcement (see tagging: http://cvs.openbsd.org/faq/pf/tagging.html) to ensure only properly tagged packets are passed out from the firewall.
Nice thing about pf: stateful tracking of connections. It makes tracking sessions, blocking unwanted traffic, and tagging systems much easier. http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html On Sun, Sep 25, 2011 at 11:18 PM, Hassan Monfared <[email protected]> wrote: > Hi, > Any idea for denying connection initiation to outside from any web server > protected by PF? ( wanna block Trojans and reverse connections while > incomming http traffic is allowed) . > > Regards, > Hassan H. Monfared
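A pf.conf that implements the policy the reply above describes (default deny, inbound port 80 only, each interface tracked as its own firewall, egress gated by a tag), added here as a worked example; it is not code from the thread or from the OpenBSD FAQ. The interface names em0 and em1, the web server address 192.0.2.10 and the tag name WEB_IN are assumptions chosen for illustration.

```pf
# Added example pf.conf for this thread, not the original poster's config.
# Assumed layout: em0 faces the Internet, em1 faces a DMZ, and the web
# server sits at 192.0.2.10 (a documentation address) on the DMZ side.
ext_if    = "em0"
dmz_if    = "em1"
webserver = "192.0.2.10"

set skip on lo

# Treat each interface as a separate firewall: a state is bound to the
# interface it was created on, so the state created by "pass in on $ext_if"
# does not by itself let the packet out on $dmz_if.
set state-policy if-bound

# Default deny on every interface, both directions.
block all

# Inbound HTTP from the Internet: accept on the external side and tag it.
# "keep state" is implicit on pass rules, so the replies match this state
# on $ext_if without any further rule.
pass in on $ext_if inet proto tcp from any to $webserver port 80 tag WEB_IN

# Only packets carrying the tag may leave towards the web server. This rule
# creates the second, DMZ-side state that carries the server's replies back.
pass out on $dmz_if tagged WEB_IN

# Anything the web server initiates itself (a reverse shell calling home,
# a trojan fetching a payload) arrives untagged on $dmz_if, matches no
# state, and is logged and dropped here. Without this rule "block all"
# already drops it, but silently.
block in log on $dmz_if from $webserver to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the logged callback attempts with `tcpdump -n -e -ttt -i pflog0`. The caveat is that the web server also loses DNS, NTP and package updates; if it needs one of those, add a narrow `pass in on $dmz_if` rule for that single destination and port, tagged and gated on `$ext_if` in the same way, rather than a general `pass out`.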

