Je 2017-10-20 12:59, Markus Rosjat skribis:
Hi there,
I was wondering, after reading mr hansteens excelent book about pf and
the man pages, if I got it all wrong :)
so here is my example pf.conf
ext_if="hvn0"
set skip on lo
block return # block stateless traffic
block inet6
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https,
submission }
and what I expect is the following:
- traffic ipv4 and ipv6 gets blocked -> general deny
- I let enter ssh traffic
- I let enter https traffic
- I let out treffic on https und submission port
- I should not be able to establish a ssh connection from this host to
another machine but should connect to be able to connect to this
machine
what I notice is I can initiate a ssh connection from this machine. So
there are three possible answers to this:
- 1st with allowing ssh traffic in the first place ssh port will be
considered passable from both sites of the nic. Which would somehow
makes no sense to me at all because its a explicit in rule
- 2nd the ssh connection initiated is somehow considered coming fom lo
and for that not passed to the following rules
- 3rd my rules are just wrong :)
So for all the more skilled human beings out there can you help me with
it?
regards
Hello,
I'm not a pf expert but you did not block traffic at all.
You may want to use "block all" instead of block return
Have a look at the differents examples : https://www.openbsd.org/faq/pf/
