Good point. Thank you. I have removed set skip lo0

Why did the antispoof not work for vio0?

On Monday 10 November 2025 at 06:27:59 pm AWST, Zé Loff <[email protected]> wrote:

On Mon, Nov 10, 2025 at 09:42:57AM +0000, dirk coetzee wrote:
> Hi All,
> 
> I am seeing ssh authentication attempts on my lo0 interface (127.0.0.1). I 
> have antispoofing configured. Unfortunately due to unchangeable 
> circumstances, SSH (TCP/50022) is exposed.
> 
> Any idea if my antispoofing configuration is incorrect? Or any other 
> suggestions to mitigate SSH connections from lo0?
> 
> Please note - SSH is configured to listen on TCP/50022. Not TCP/5273, so i 
> have no idea how or why SSH is responding on TCP/5273.

sshd isn't responding on port 5273, that's the source port.  I.e., the
connection is coming from a client running on the host itself.

Also, you have "set skip on lo" at the top of your ruleset, so you're not
doing any (pf) filtering on loopback interfaces.  All your "pass/block
on lo0" rules are useless.

> 
> 
> Regards
> dirk
> 
> 
> ###############################################################################
> 
> ### Logs ###
> ### /var/log/authlog ###
> Nov  3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1 port 
> 48186 on 127.0.0.1 port 50022 rdomain "0"
> Nov  3 21:27:46 server-1 sshd-session[46091]: User root from 127.0.0.1 not 
> allowed because a group is listed in DenyGroups
> Nov  3 21:27:48 server-1 sshd-session[46091]: Connection closed by invalid 
> user root 127.0.0.1 port 48186 [preauth]
> Nov  3 21:27:48 server-1 sshd[30737]: srclimit_penalise: ipv4: new 
> 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed authentication
> Nov  3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1 port 
> 5273 on 127.0.0.1 port 50022 rdomain "0"
> Nov  3 21:33:19 server-1 sshd-session[42309]: User root from 127.0.0.1 not 
> allowed because a group is listed in DenyGroups
> Nov  3 21:33:23 server-1 sshd-session[42309]: Connection closed by invalid 
> user root 127.0.0.1 port 5273 [preauth]
> Nov  3 21:33:23 server-1 sshd[30737]: srclimit_penalise: ipv4: new 
> 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed authentication
> 
> ###############################################################################
> 
> ### /etc/pf.conf
> #       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> 
> # ---=== Global Config ====----
> set skip on lo
> set block-policy drop
> set syncookies adaptive (start 33%, end 12%)
> set reassemble yes no-df
> set ruleset-optimization none
> set optimization aggressive
> set limit { states 20000, frags 20000, src-nodes 5000, table-entries 2000000 }
> match in all scrub (no-df random-id max-mss 1440)
> 
> # ---=== Macros ===---
> ports_dns      = "{ 53, 853 }"
> icmp_useful    = "{ echoreq, unreach, timex, timereq }"
> icmp6_useful   = "{ echoreq, unreach, timex, routersol, neighbrsol, 
> routeradv, neighbradv }"
> ip_ext1        = "{ vio0:0 }"
> 
> # ---=== Tables ===---
> table <bruteforce>     persist
> table <sshguard>       persist
> table <sshd_block>     persist file "/etc/pf.files/table_sshd_block.txt"
> table <script1_block>  persist file "/etc/pf.files/script1_block.txt"
> table <geoblock>       persist file "/etc/pf.files/zones/pf.geoblock.master"
> table <githubblkdips>  persist file "/etc/pf.files/github_blkd_ips.txt"
> table <martians>       persist file "/etc/pf.files/martians.txt"
> table <snortips>       persist file "/etc/pf.files/snortips.txt"
> table <wwlogpf>        persist file "/etc/pf.files/wwwintrusions.txt"
> 
> # ---=== Block: IPv6 rules ===--- 
> block in  quick log on egress inet6 from any  to self  label "Rule:$nr on 
> $if. Block IPv6 Inbound."
> block out quick log on egress inet6 from self to any   label "Rule:$nr on 
> $if. Block IPv6 Outbound."
> 
> # ---=== AntiSpoof rules ===--
> antispoof log quick for { lo0, vio0, wg0, tun0 } label "Rule:$nr $if $proto 
> $dstaddr $dstport. Antispoof rule."
> block     quick log on lo0 inet  proto tcp from any to self port { 
> 22,80,443,50022 }  label "Rule:$nr $if $proto $dstaddr $dstport. URPF 
> Failure."
> block     quick log on lo0 inet  proto udp from any to self port   51820      
>         label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block     quick log on lo0 inet6 proto tcp from any to self port { 
> 22,80,443,50022 }  label "Rule:$nr $if $proto $dstaddr $dstport. URPF 
> Failure."
> block     quick log on lo0 inet6 proto udp from any to self port   51820      
>         label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block     quick log                        from urpf-failed            label 
> "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block     quick log inet proto tcp         from any port <1024 to self port 
> {80,443,50022} label "Rule:$nr $if $proto $dstaddr $dstport. Reflection 
> Attack" 
> block     quick log inet proto udp         from any port <1024 to self port 
> 51820          label "Rule:$nr $if $proto $dstaddr $dstport. Reflection 
> Attack" 
> 
> # ---=== Block: Martians ===--- 
> block in  quick log on egress inet from <martians>     to self             
> label "Rule:$nr on $if. Block Martians Inbound."
> block out quick log on egress inet from self           to <martians>       
> label "Rule:$nr on $if. Block Martians Outbound."
> 
> # ---=== Default OpenBSD Rules ===---
> block return in on ! lo0 proto tcp to port 6000:6010 label "Rule:$nr on $if. 
> Default OpenBSD rule - X11"
> block return out log proto {tcp udp} user _pbuild    label "Rule:$nr on $if. 
> Default OpenBSD rule - pbuild"
> 
> # ---=== Block: SSH Guard ===--- 
> block in  quick log on egress from <sshguard>     to self             label 
> "Rule:$nr on $if. SSH Guard Inbound."
> block out quick log on egress from self           to <sshguard>       label 
> "Rule:$nr on $if. SSH Guard Outbound."
> block in  quick log on egress from <sshd_block>   to self             label 
> "Rule:$nr on $if. SSH Block Script Inbound."
> block out quick log on egress from self           to <sshd_block>     label 
> "Rule:$nr on $if. SSH Block Script Outbound."
> 
> # ---=== Geo Fencing ===---
> block in         quick log from <geoblock> to self                    label 
> "Rule:$nr on $if. GeoBlock Inbound."
> block return out quick log from self       to <geoblock>              label 
> "Rule:$nr on $if. GeoBlock Outbound."
> 
> # ---=== Block: Snort Intrusion Prevention ===--- 
> block in  quick log on egress from <snortips>     to self             label 
> "Rule:$nr on $if. Snort IPS Block Inbound."
> block out quick log on egress from self           to <snortips>       label 
> "Rule:$nr on $if. Snort IPS Block Outbound."
> 
> # ---=== Block: WWW log file parsed offenders ===--- 
> block in  quick log on egress from <wwlogpf>      to self             label 
> "Rule:$nr on $if. WWW offenders Inbound."
> block out quick log on egress from self           to <wwlogpf>        label 
> "Rule:$nr on $if. WWW offenders Outbound."
> 
> # ---=== Block: Scripted Block Lists ===--- 
> block in  quick log on egress from <script1_block> to self            label 
> "Rule:$nr on $if. Bad IPs Block List Inbound." 
> block out quick log on egress from self            to <script1_block> label 
> "Rule:$nr on $if. Bad IPs Block List Outbound."
> block in  quick log on egress from <githubblkdips> to self            label 
> "Rule:$nr on $if. GitHub Repo Banned IPs Inbound."
> block out quick log on egress from self            to <githubblkdips> label 
> "Rule:$nr on $if. GitHub Repo Banned IPs Outbound."
> 
> # ---=== Block: Bruteforce Protection ===--- 
> block in  quick log on egress from <bruteforce>   to self             label 
> "Rule:$nr on $if. Bruteforcers Inbound."
> block out quick log on egress from self           to <bruteforce>     label 
> "Rule:$nr on $if. Bruteforcers Outbound."
> 
> # ---=== Inbound Access: SSH Allow and Source Track ===--- 
> pass in quick log on egress inet  proto tcp from any port >1023 to $ip_ext1 
> port = 50022 flags S/SA synproxy state (source-track rule, max-src-conn 3, 
> max-src-conn-rate 3/10, overload <bruteforce> flush global, src.track 600) 
> label "Rule:$nr on $if interface. Inbound SSH."
> 
> # ---=== Inbound Access: HTTP/S ===--- 
> pass  in quick log on egress inet  proto tcp from any port >1023 to $ip_ext1 
> port = 80  flags S/SA synproxy state (source-track rule, max-src-conn 64, 
> max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600) 
> label "Rule:$nr on $if interface Inbound HTTP."
> pass  in quick log on egress inet  proto tcp from any port >1023 to $ip_ext1 
> port = 443 flags S/SA synproxy state (source-track rule, max-src-conn 64, 
> max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600) 
> label "Rule:$nr on $if interface Inbound HTTPS."
> 
> # ---=== Inbound Access: Wireguard ===--- 
> pass  in quick log on egress inet proto udp  from any         port >1023 to 
> $ip_ext1 port = 51820 keep state (source-track rule, max-src-conn 30, 
> overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if 
> interface. Inbound Wireguard VPN." 
> pass  in quick log on wg0    inet proto tcp  from wg0:network port >1023 to 
> wg0:0 port = 50022 label "Rule:$nr on $if interface. Inbound WG SSH."
> pass  in quick log on wg0    inet proto icmp from wg0:network            to 
> $ip_ext1              label "Rule:$nr on $if interface. Inbound WG ICMP."
> block in quick log on egress inet proto udp  from any                    to 
> self  port = 51820 label "Rule:$nr on $if interface. Inbound Wireguard VPN."
> 
> # ---=== User Oubound Rules: dhcp ===---
> pass  out quick log          inet proto udp       from self port {67,68}      
> to 255.255.255.255 port {67,68} user  _dhcp label "$nr: Allow DHCP service on 
> ports 67 68"
> block out quick log          inet proto {tcp udp} from self                   
> to any                          group _dhcp label "$nr: Block DHCP service"
> 
> # ---=== Outbound Access: NTP ===---
> pass  out quick log inet  proto udp from self port >1023 to any port 123 user 
> _ntp set tos ef label "Rule:$nr on $if interface. NTP Outbound."
> pass  out quick log inet6 proto udp from self port >1023 to any port 123 user 
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> pass  out quick log inet  proto tcp from self port >1023 to any port 443 user 
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> pass  out quick log inet6 proto tcp from self port >1023 to any port 443 user 
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> block out quick log inet  proto { tcp udp } from self group _ntp              
>      label "Rule:$nr on $if interface. Block NTP Out."
> block out quick log inet6 proto { tcp udp } from self group _ntp              
>      label "Rule:$nr on $if interface. Block NTP Out."
> 
> # ---=== Outbound Access: UnWind ===---
> pass  out quick log inet  proto { tcp udp } from self to any port $ports_dns 
> group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv4"
> pass  out quick log inet6 proto { tcp udp } from self to any port $ports_dns 
> group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv6"
> pass  out quick log inet  proto   tcp       from self to any port 443        
> group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> pass  out quick log inet6 proto   tcp       from self to any port 443        
> group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> block out quick log inet  proto { tcp udp } from self to any port $ports_dns 
> group _unwind label "Rule:$nr on $if interface. Block any service DNS Out4"
> block out quick log inet6 proto { tcp udp } from self to any port $ports_dns 
> group _unwind label "Rule:$nr on $if interface. Block any service DNS Out6"
> block out quick log inet  proto { tcp udp } from self                        
> group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule,"
> block out quick log inet6 proto { tcp udp } from self                        
> group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule,"
> 
> # ---=== Outbound Access: DHCPD ===---
> pass  out quick log inet  proto { tcp udp } from self to any port 67:68 group 
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> pass  out quick log inet6 proto { tcp udp } from self to any port 67:68 group 
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> block out quick log inet  proto { tcp udp } from self                   group 
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> block out quick log inet6 proto { tcp udp } from self                   group 
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> 
> # ---=== Outbound Access: from pkgfetch ===---
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 443 
> user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 443 
> user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> block out quick log inet  proto { tcp udp } from self to any group _pkgfetch 
> label "Rule:$nr on $if interface. Block Pkg."
> block out quick log inet6 proto { tcp udp } from self to any group _pkgfetch 
> label "Rule:$nr on $if interface. Block Pkg."
> 
> # ---=== Outbound Access: from syspatch ===---
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 443 
> user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 443 
> user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> block out quick log inet  proto { tcp udp } from self to any group _syspatch 
> label "Rule:$nr on $if interface. Block Syspatch"
> block out quick log inet6 proto { tcp udp } from self to any group _syspatch 
> label "Rule:$nr on $if interface. Block Syspatch"
> 
> # ---=== Outbound Access: from freshclam ===---
> ## pass  out quick log inet  proto { tcp } from self port >1023 to any port 
> 53  user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> ## pass  out quick log inet6 proto { tcp } from self port >1023 to any port 
> 53  user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 443 
> user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 443 
> user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> block out quick log inet  proto { tcp udp } from self to any group _clamav 
> label "Rule:$nr on $if interface. Block Freshclam."
> block out quick log inet6 proto { tcp udp } from self to any group _clamav 
> label "Rule:$nr on $if interface. Block Freshclam."
> 
> # ---=== Outbound Access: from root ===---
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 80  
> user root label "Rule:$nr on $if interface. Root HTTP Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 80  
> user root label "Rule:$nr on $if interface. Root HTTP Out."
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 443 
> user root label "Rule:$nr on $if interface. Root HTTPS Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 443 
> user root label "Rule:$nr on $if interface. Root HTTPS Out."
> block out quick log inet  proto { tcp udp } from self to any user  root  
> label "Rule:$nr on $if interface. Block root out."
> block out quick log inet6 proto { tcp udp } from self to any user  root  
> label "Rule:$nr on $if interface. Block root out."
> block out quick log inet  proto { tcp udp } from self to any group wheel 
> label "Rule:$nr on $if interface. Block wheel out."
> block out quick log inet6 proto { tcp udp } from self to any group wheel 
> label "Rule:$nr on $if interface. Block wheel out."
> 
> # ---=== Outbound Access: from dirk ===---
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 22  
> user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 22  
> user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 43  
> user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 43  
> user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 80  
> user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 80  
> user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> pass  out quick log inet  proto { tcp } from self port >1023 to any port 443 
> user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> pass  out quick log inet6 proto { tcp } from self port >1023 to any port 443 
> user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> block out quick log inet  proto { tcp udp } from self to any group dirk label 
> "Rule:$nr on $if interface. Block Dirk."
> block out quick log inet6 proto { tcp udp } from self to any group dirk label 
> "Rule:$nr on $if interface. Block Dirk."
> 
> # ---=== ICMP Outbound Rules ===---
> pass  out quick log inet  proto icmp  from self  to any icmp-type  
> $icmp_useful   label "Rule:$nr on $if interface. ICMP Outbound."
> pass  out quick log inet6 proto icmp6 from self  to any icmp6-type 
> $icmp6_useful  label "Rule:$nr on $if interface. ICMP6 Outbound."
> block out quick log inet  proto icmp  from self  to any                       
>     label "Rule:$nr on $if interface. ICMP Outbound."
> block out quick log inet6 proto icmp6 from self  to any                       
>     label "Rule:$nr on $if interface. ICMP6 Outbound."
> 
> # ---=== ICMP Inbound Rules ===---
> pass  in  quick log inet  proto icmp  from any to self icmp-type 8 code 0 
> keep state label "Rule:$nr on $if interface. ICMP Inbound."
> block in  quick log inet  proto icmp  from any to self                        
>        label "Rule:$nr on $if interface. ICMP Inbound."
> block in  quick log inet6 proto icmp6 from any to self                        
>        label "Rule:$nr on $if interface. ICMP6 Inbound."
> 
> # ---=== Block Reverse Path Verify Fail ===---
> block in  quick log inet  from urpf-failed     label "Rule:$nr on $if 
> interface. Block reverse patch verify failures."
> block in  quick log inet6 from urpf-failed     label "Rule:$nr on $if 
> interface. Block reverse patch verify failures."
> block in  quick log inet  from no-route to any label "Rule:$nr on $if 
> interface. Block non routable traffic."
> block in  quick log inet6 from no-route to any label "Rule:$nr on $if 
> interface. Block non routable traffic."
> 
> # ---=== Cleanup Rules ===---
> block  in quick log inet6 from any label "Rule:$nr on $if interface - Cleanup 
> IPv6 *in* Rule."
> block  in quick log inet6 to   any label "Rule:$nr on $if interface - Cleanup 
> IPv6 *in* Rule."
> block out quick log inet6 from any label "Rule:$nr on $if interface - Cleanup 
> IPv6 *out* Rule."
> block out quick log inet6 to   any label "Rule:$nr on $if interface - Cleanup 
> IPv6 *out* Rule."
> block  in quick log inet  from any label "Rule:$nr on $if interface - Cleanup 
> IPv4 *in*  Rule."
> block  in quick log inet  to   any label "Rule:$nr on $if interface - Cleanup 
> IPv4 *in*  Rule."
> block out quick log inet  from any label "Rule:$nr on $if interface - Cleanup 
> IPv4 *out* Rule."
> block out quick log inet  to   any label "Rule:$nr on $if interface - Cleanup 
> IPv4 *out* Rule."
> block     quick log            all label "Rule:$nr on $if interface - Last 
> match Cleanup Rule."
> block           log                label "Rule:$nr on $if interface - 
> Stateless  Cleanup Rule." 
> 
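As an added example (not part of the thread), the two points Zé Loff makes can be checked mechanically: the authlog lines quoted above are parsed so that the client's ephemeral source port is kept apart from sshd's listening port, loopback-origin connections are flagged, and a ruleset text is checked for a `set skip on lo` that makes `on lo0` rules dead. The log lines are taken from the quoted authlog; the two-line ruleset snippet is constructed.

```python
import ipaddress
import re

# Format of sshd's "Connection from" line, as shown in the quoted authlog.
CONN_RE = re.compile(
    r"Connection from (?P<src>\S+) port (?P<sport>\d+) "
    r"on (?P<dst>\S+) port (?P<dport>\d+)"
)

# Lines from the quoted /var/log/authlog (rejoined after e-mail wrapping).
SAMPLE_LOG = [
    'Nov  3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1 '
    'port 48186 on 127.0.0.1 port 50022 rdomain "0"',
    'Nov  3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1 '
    'port 5273 on 127.0.0.1 port 50022 rdomain "0"',
]

# Constructed two-line ruleset reproducing the conflict discussed above.
SAMPLE_PF = """set skip on lo
block quick log on lo0 inet proto tcp from any to self port 50022
"""


def parse_connection(line):
    """Return (src, sport, dst, dport) or None if the line is not a connection."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")))


def classify(line, listen_port=50022):
    """Separate client port from sshd port and flag host-local origins."""
    parsed = parse_connection(line)
    if parsed is None:
        return None
    src, sport, dst, dport = parsed
    return {
        "client_port": sport,            # ephemeral, picked by the client (e.g. 5273)
        "sshd_port": dport,              # the port sshd actually listens on
        "listen_port_ok": dport == listen_port,
        "local_origin": ipaddress.ip_address(src).is_loopback,
    }


def skip_hides_lo_rules(pf_conf):
    """True when 'set skip on lo' (or lo0) coexists with pass/block 'on lo0' rules,
    which pf will then never evaluate."""
    skipped = re.search(r"^\s*set skip on\s+(?:\{[^}]*\blo\d*\b[^}]*\}|lo\d*\b)",
                        pf_conf, re.M)
    lo_rules = re.search(r"^\s*(?:pass|block)\b.*\bon lo0\b", pf_conf, re.M)
    return bool(skipped and lo_rules)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("lo0 rules shadowed by set skip:", skip_hides_lo_rules(SAMPLE_PF))
```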
