On 17/10/20 12:59, Markus Rosjat wrote:
Hi there,

I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :)

so here is my example pf.conf

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

and what I expect is the following:

- IPv4 and IPv6 traffic gets blocked -> general deny
- I let ssh traffic in
- I let https traffic in
- I let traffic out on the https and submission ports
- I should not be able to establish an ssh connection from this host to
  another machine, but should be able to connect to this machine

What I notice is that I can initiate an ssh connection from this machine. So there are three possible answers to this:

- 1st, by allowing ssh traffic in the first place, the ssh port will be
  considered passable from both sides of the NIC. Which somehow makes
  no sense to me at all because it's an explicit in rule
- 2nd, the initiated ssh connection is somehow considered to be coming
  from lo and is therefore not passed through the following rules
- 3rd my rules are just wrong :)

So, to all the more skilled human beings out there: can you help me with it?
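The rules below are an added example, not part of Markus's post or of Niels's reply. They express the expectations listed above in pf syntax, with one detail made explicit: in a pf rule, `from ($ext_if) port { https, submission }` matches the source port of the packet, whereas the destination port of an outgoing connection is written `to any port { https, submission }`. Interface `hvn0` is taken from the original post; everything else is the example's own choice.

```pf
ext_if="hvn0"

set skip on lo

block return          # default deny; stateless traffic is answered with RST/ICMP
block inet6

# inbound: only ssh and https to this host's own address(es), stateful by default
pass in on $ext_if inet proto tcp from any to ($ext_if) port { ssh, https }

# outbound: only new connections to https and submission on other hosts.
# Match on the destination port ("to any port ..."); "from ($ext_if) port ..."
# would match the source port of the packet instead.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { https, submission }

# already covered by "block return", repeated here only to log outbound
# ssh attempts from this host so they can be seen on pflog0
block return out log on $ext_if inet proto tcp to any port ssh
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To see why a connection is or is not passing, `pfctl -ss` lists the state table (a locally initiated ssh connection shows up with the host's address and an ephemeral port as the source), `pfctl -vvsr` prints the rules with their match counters, and `tcpdump -n -e -ttt -i pflog0` shows the packets hit by the logging block rule.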

Can you ssh to all hosts, or did you try to ssh to the host from which
you ssh in?
H1 is yours, H2 is the server with the rules above, H3 some other
machine:

1) H1 --ssh--> H2
  and then you did H2 --ssh--> H1

Or 2) H2 --ssh--> H3?

In case 1 I would expect it to work because the state should allow
that. Only once the connection is terminated should it no longer be
possible to ssh from H2 to H1.

Niels