I don't know the answer but I'm curious. What does the "pfctl -sr" command
show? Can you do DNS lookups?

PS - my rules have the "pass out all" rule at the bottom.

V/r,
Bryan

On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat <ros...@ghweb.de> wrote:

> Hi there,
>
> I was wondering, after reading Mr. Hansteen's excellent book about pf and the
> man pages, if I got it all wrong :)
>
> so here is my example pf.conf
>
> ext_if="hvn0"
>
> set skip on lo
>
> block return    # block stateless traffic
> block inet6
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
>
> pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }
>
> and what I expect is the following:
>
>  - traffic ipv4 and ipv6 gets blocked -> general deny
>  - I let enter ssh traffic
>  - I let enter https traffic
>  - I let out traffic on the https and submission ports
>  - I should not be able to establish an ssh connection from this host to
>    another machine but should be able to connect to this machine
>
> what I notice is I can initiate an ssh connection from this machine. So
> there are three possible answers to this:
>
>  - 1st with allowing ssh traffic in the first place the ssh port will be
>    considered passable from both sides of the nic, which somehow makes
>    no sense to me at all because it's an explicit in rule
>  - 2nd the ssh connection initiated is somehow considered coming from lo
>    and for that not passed to the following rules
>  - 3rd my rules are just wrong :)
>
> So for all the more skilled human beings out there, can you help me with it?
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>
>
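A toy evaluator for the ruleset quoted above, added here as an example and not code from either message or from pf itself. It applies pf's last-matching-rule semantics (no "quick") to a few packets, and it also shows a detail the thread does not mention: in pf syntax "from (addr) port X" constrains the source port, so the pass out rule above matches only connections whose source port is https or submission. The names CONF, SERVICES, load and verdict are mine.

```python
import re
from typing import NamedTuple, Optional

# The ruleset quoted in the thread, copied here so the example runs stand-alone.
CONF = """
ext_if="hvn0"
set skip on lo
block return    # block stateless traffic
block inet6
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }
"""
SERVICES = {"ssh": 22, "https": 443, "submission": 587}

class Rule(NamedTuple):
    action: str                 # "pass" or "block"
    direction: Optional[str]    # "in", "out" or None for both
    family: Optional[str]       # "inet", "inet6" or None for both
    sport: frozenset            # source ports the rule requires (empty = any)
    dport: frozenset            # destination ports the rule requires (empty = any)

def _ports(text):
    # "ssh", "443" or "{ https, submission }" -> set of port numbers
    return frozenset(int(SERVICES.get(p, p)) for p in re.findall(r"\w+", text or ""))

def parse_rule(line):
    line = line.split("#")[0].strip()
    if not line or line.startswith(("set ", "ext_if=")):
        return None                       # macro and option lines carry no filter
    direction = re.search(r"\b(in|out)\b", line)
    family = re.search(r"\b(inet6|inet)\b", line)
    # "from X port P" constrains the SOURCE port, "to X port P" the DESTINATION port
    src = re.search(r"\bfrom\s+\S+\s+port\s+(\{[^}]*\}|\S+)", line)
    dst = re.search(r"\bto\s+\S+\s+port\s+(\{[^}]*\}|\S+)", line)
    return Rule(line.split()[0], direction and direction.group(1),
                family and family.group(1), _ports(src and src.group(1)),
                _ports(dst and dst.group(1)))

def load(conf):
    return [r for r in map(parse_rule, conf.splitlines()) if r]

def verdict(rules, direction, family, sport, dport):
    """Action of the last matching rule; pf passes by default if nothing matches."""
    result = "pass"
    for r in rules:
        if r.direction not in (None, direction) or r.family not in (None, family):
            continue
        if (r.sport and sport not in r.sport) or (r.dport and dport not in r.dport):
            continue
        result = r.action
    return result
```

Fed the quoted rules, verdict() returns "block" for an outbound ssh connection from an ephemeral source port, so if outbound ssh works on the host the rules actually loaded differ from this file, which is exactly what "pfctl -sr" would reveal; it returns "block" for outbound https as well, because that rule checks the source port rather than the destination port.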
