On 2025-11-10, dirk coetzee <[email protected]> wrote:
> Hi All,
>
> I am seeing ssh authentication attempts on my lo0 interface (127.0.0.1). I
> have antispoofing configured. Unfortunately due to unchangeable
> circumstances, SSH (TCP/50022) is exposed.
I don't see any nat rules, so you either have something relaying TCP traffic
to port 50022 (e.g. relayd "forward to" running as a simple relay), or
something on the machine itself is ssh'ing to [email protected].

> set block-policy drop
> set syncookies adaptive (start 33%, end 12%)
> set reassemble yes no-df
> set ruleset-optimization none
> set optimization aggressive
> set limit { states 20000, frags 20000, src-nodes 5000, table-entries 2000000 }
> match in all scrub (no-df random-id max-mss 1440)
>
> # ---=== Macros ===---
> ports_dns = "{ 53, 853 }"
> icmp_useful = "{ echoreq, unreach, timex, timereq }"
> icmp6_useful = "{ echoreq, unreach, timex, routersol, neighbrsol,
> routeradv, neighbradv }"
> ip_ext1 = "{ vio0:0 }"
>
> # ---=== Tables ===---
> table <bruteforce> persist
> table <sshguard> persist
> table <sshd_block> persist file "/etc/pf.files/table_sshd_block.txt"
> table <script1_block> persist file "/etc/pf.files/script1_block.txt"
> table <geoblock> persist file "/etc/pf.files/zones/pf.geoblock.master"
> table <githubblkdips> persist file "/etc/pf.files/github_blkd_ips.txt"
> table <martians> persist file "/etc/pf.files/martians.txt"
> table <snortips> persist file "/etc/pf.files/snortips.txt"
> table <wwlogpf> persist file "/etc/pf.files/wwwintrusions.txt"
>
> # ---=== Block: IPv6 rules ===---
> block in quick log on egress inet6 from any to self label "Rule:$nr on
> $if. Block IPv6 Inbound."
> block out quick log on egress inet6 from self to any label "Rule:$nr on
> $if. Block IPv6 Outbound."
>
> # ---=== AntiSpoof rules ===--
> antispoof log quick for { lo0, vio0, wg0, tun0 } label "Rule:$nr $if $proto
> $dstaddr $dstport. Antispoof rule."
> block quick log on lo0 inet proto tcp from any to self port {
> 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF
> Failure."
> block quick log on lo0 inet proto udp from any to self port 51820
> label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block quick log on lo0 inet6 proto tcp from any to self port {
> 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF
> Failure."
> block quick log on lo0 inet6 proto udp from any to self port 51820
> label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block quick log from urpf-failed label
> "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> block quick log inet proto tcp from any port <1024 to self port
> {80,443,50022} label "Rule:$nr $if $proto $dstaddr $dstport. Reflection
> Attack"
> block quick log inet proto udp from any port <1024 to self port
> 51820 label "Rule:$nr $if $proto $dstaddr $dstport. Reflection
> Attack"
>
> # ---=== Block: Martians ===---
> block in quick log on egress inet from <martians> to self
> label "Rule:$nr on $if. Block Martians Inbound."
> block out quick log on egress inet from self to <martians>
> label "Rule:$nr on $if. Block Martians Outbound."
>
> # ---=== Default OpenBSD Rules ===---
> block return in on ! lo0 proto tcp to port 6000:6010 label "Rule:$nr on $if.
> Default OpenBSD rule - X11"
> block return out log proto {tcp udp} user _pbuild label "Rule:$nr on $if.
> Default OpenBSD rule - pbuild"
>
> # ---=== Block: SSH Guard ===---
> block in quick log on egress from <sshguard> to self label
> "Rule:$nr on $if. SSH Guard Inbound."
> block out quick log on egress from self to <sshguard> label
> "Rule:$nr on $if. SSH Guard Outbound."
> block in quick log on egress from <sshd_block> to self label
> "Rule:$nr on $if. SSH Block Script Inbound."
> block out quick log on egress from self to <sshd_block> label
> "Rule:$nr on $if. SSH Block Script Outbound."
>
> # ---=== Geo Fencing ===---
> block in quick log from <geoblock> to self label
> "Rule:$nr on $if. GeoBlock Inbound."
> block return out quick log from self to <geoblock> label
> "Rule:$nr on $if. GeoBlock Outbound."
>
> # ---=== Block: Snort Intrusion Prevention ===---
> block in quick log on egress from <snortips> to self label
> "Rule:$nr on $if. Snort IPS Block Inbound."
> block out quick log on egress from self to <snortips> label
> "Rule:$nr on $if. Snort IPS Block Outbound."
>
> # ---=== Block: WWW log file parsed offenders ===---
> block in quick log on egress from <wwlogpf> to self label
> "Rule:$nr on $if. WWW offenders Inbound."
> block out quick log on egress from self to <wwlogpf> label
> "Rule:$nr on $if. WWW offenders Outbound."
>
> # ---=== Block: Scripted Block Lists ===---
> block in quick log on egress from <script1_block> to self label
> "Rule:$nr on $if. Bad IPs Block List Inbound."
> block out quick log on egress from self to <script1_block> label
> "Rule:$nr on $if. Bad IPs Block List Outbound."
> block in quick log on egress from <githubblkdips> to self label
> "Rule:$nr on $if. GitHub Repo Banned IPs Inbound."
> block out quick log on egress from self to <githubblkdips> label
> "Rule:$nr on $if. GitHub Repo Banned IPs Outbound."
>
> # ---=== Block: Bruteforce Protection ===---
> block in quick log on egress from <bruteforce> to self label
> "Rule:$nr on $if. Bruteforcers Inbound."
> block out quick log on egress from self to <bruteforce> label
> "Rule:$nr on $if. Bruteforcers Outbound."
>
> # ---=== Inbound Access: SSH Allow and Source Track ===---
> pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1
> port = 50022 flags S/SA synproxy state (source-track rule, max-src-conn 3,
> max-src-conn-rate 3/10, overload <bruteforce> flush global, src.track 600)
> label "Rule:$nr on $if interface. Inbound SSH."
>
> # ---=== Inbound Access: HTTP/S ===---
> pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1
> port = 80 flags S/SA synproxy state (source-track rule, max-src-conn 64,
> max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600)
> label "Rule:$nr on $if interface Inbound HTTP."
> pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1
> port = 443 flags S/SA synproxy state (source-track rule, max-src-conn 64,
> max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600)
> label "Rule:$nr on $if interface Inbound HTTPS."
>
> # ---=== Inbound Access: Wireguard ===---
> pass in quick log on egress inet proto udp from any port >1023 to
> $ip_ext1 port = 51820 keep state (source-track rule, max-src-conn 30,
> overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if
> interface. Inbound Wireguard VPN."
> pass in quick log on wg0 inet proto tcp from wg0:network port >1023 to
> wg0:0 port = 50022 label "Rule:$nr on $if interface. Inbound WG SSH."
> pass in quick log on wg0 inet proto icmp from wg0:network to
> $ip_ext1 label "Rule:$nr on $if interface. Inbound WG ICMP."
> block in quick log on egress inet proto udp from any to
> self port = 51820 label "Rule:$nr on $if interface. Inbound Wireguard VPN."
>
> # ---=== User Outbound Rules: dhcp ===---
> pass out quick log inet proto udp from self port {67,68}
> to 255.255.255.255 port {67,68} user _dhcp label "$nr: Allow DHCP service on
> ports 67 68"
> block out quick log inet proto {tcp udp} from self
> to any group _dhcp label "$nr: Block DHCP service"
>
> # ---=== Outbound Access: NTP ===---
> pass out quick log inet proto udp from self port >1023 to any port 123 user
> _ntp set tos ef label "Rule:$nr on $if interface. NTP Outbound."
> pass out quick log inet6 proto udp from self port >1023 to any port 123 user
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> pass out quick log inet proto tcp from self port >1023 to any port 443 user
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> pass out quick log inet6 proto tcp from self port >1023 to any port 443 user
> _ntp label "Rule:$nr on $if interface. NTP Outbound."
> block out quick log inet proto { tcp udp } from self group _ntp
> label "Rule:$nr on $if interface. Block NTP Out."
> block out quick log inet6 proto { tcp udp } from self group _ntp
> label "Rule:$nr on $if interface. Block NTP Out."
>
> # ---=== Outbound Access: UnWind ===---
> pass out quick log inet proto { tcp udp } from self to any port $ports_dns
> group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv4"
> pass out quick log inet6 proto { tcp udp } from self to any port $ports_dns
> group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv6"
> pass out quick log inet proto tcp from self to any port 443
> group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> pass out quick log inet6 proto tcp from self to any port 443
> group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> block out quick log inet proto { tcp udp } from self to any port $ports_dns
> group _unwind label "Rule:$nr on $if interface. Block any service DNS Out4"
> block out quick log inet6 proto { tcp udp } from self to any port $ports_dns
> group _unwind label "Rule:$nr on $if interface. Block any service DNS Out6"
> block out quick log inet proto { tcp udp } from self
> group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule,"
> block out quick log inet6 proto { tcp udp } from self
> group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule,"
>
> # ---=== Outbound Access: DHCPD ===---
> pass out quick log inet proto { tcp udp } from self to any port 67:68 group
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> pass out quick log inet6 proto { tcp udp } from self to any port 67:68 group
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> block out quick log inet proto { tcp udp } from self group
> _dhcp label "Rule:$nr on $if interface. DHCPD."
> block out quick log inet6 proto { tcp udp } from self group
> _dhcp label "Rule:$nr on $if interface. DHCPD."
>
> # ---=== Outbound Access: from pkgfetch ===---
> pass out quick log inet proto { tcp } from self port >1023 to any port 443
> user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 443
> user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> block out quick log inet proto { tcp udp } from self to any group _pkgfetch
> label "Rule:$nr on $if interface. Block Pkg."
> block out quick log inet6 proto { tcp udp } from self to any group _pkgfetch
> label "Rule:$nr on $if interface. Block Pkg."
>
> # ---=== Outbound Access: from syspatch ===---
> pass out quick log inet proto { tcp } from self port >1023 to any port 443
> user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 443
> user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> block out quick log inet proto { tcp udp } from self to any group _syspatch
> label "Rule:$nr on $if interface. Block Syspatch"
> block out quick log inet6 proto { tcp udp } from self to any group _syspatch
> label "Rule:$nr on $if interface. Block Syspatch"
>
> # ---=== Outbound Access: from freshclam ===---
> ## pass out quick log inet proto { tcp } from self port >1023 to any port
> 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> ## pass out quick log inet6 proto { tcp } from self port >1023 to any port
> 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> pass out quick log inet proto { tcp } from self port >1023 to any port 443
> user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 443
> user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> block out quick log inet proto { tcp udp } from self to any group _clamav
> label "Rule:$nr on $if interface. Block Freshclam."
> block out quick log inet6 proto { tcp udp } from self to any group _clamav
> label "Rule:$nr on $if interface. Block Freshclam."
>
> # ---=== Outbound Access: from root ===---
> pass out quick log inet proto { tcp } from self port >1023 to any port 80
> user root label "Rule:$nr on $if interface. Root HTTP Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 80
> user root label "Rule:$nr on $if interface. Root HTTP Out."
> pass out quick log inet proto { tcp } from self port >1023 to any port 443
> user root label "Rule:$nr on $if interface. Root HTTPS Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 443
> user root label "Rule:$nr on $if interface. Root HTTPS Out."
> block out quick log inet proto { tcp udp } from self to any user root
> label "Rule:$nr on $if interface. Block root out."
> block out quick log inet6 proto { tcp udp } from self to any user root
> label "Rule:$nr on $if interface. Block root out."
> block out quick log inet proto { tcp udp } from self to any group wheel
> label "Rule:$nr on $if interface. Block wheel out."
> block out quick log inet6 proto { tcp udp } from self to any group wheel
> label "Rule:$nr on $if interface. Block wheel out."
>
> # ---=== Outbound Access: from dirk ===---
> pass out quick log inet proto { tcp } from self port >1023 to any port 22
> user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 22
> user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> pass out quick log inet proto { tcp } from self port >1023 to any port 43
> user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 43
> user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> pass out quick log inet proto { tcp } from self port >1023 to any port 80
> user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 80
> user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> pass out quick log inet proto { tcp } from self port >1023 to any port 443
> user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> pass out quick log inet6 proto { tcp } from self port >1023 to any port 443
> user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> block out quick log inet proto { tcp udp } from self to any group dirk label
> "Rule:$nr on $if interface. Block Dirk."
> block out quick log inet6 proto { tcp udp } from self to any group dirk label
> "Rule:$nr on $if interface. Block Dirk."
>
> # ---=== ICMP Outbound Rules ===---
> pass out quick log inet proto icmp from self to any icmp-type
> $icmp_useful label "Rule:$nr on $if interface. ICMP Outbound."
> pass out quick log inet6 proto icmp6 from self to any icmp6-type
> $icmp6_useful label "Rule:$nr on $if interface. ICMP6 Outbound."
> block out quick log inet proto icmp from self to any
> label "Rule:$nr on $if interface. ICMP Outbound."
> block out quick log inet6 proto icmp6 from self to any
> label "Rule:$nr on $if interface. ICMP6 Outbound."
>
> # ---=== ICMP Inbound Rules ===---
> pass in quick log inet proto icmp from any to self icmp-type 8 code 0
> keep state label "Rule:$nr on $if interface. ICMP Inbound."
> block in quick log inet proto icmp from any to self
> label "Rule:$nr on $if interface. ICMP Inbound."
> block in quick log inet6 proto icmp6 from any to self
> label "Rule:$nr on $if interface. ICMP6 Inbound."
>
> # ---=== Block Reverse Path Verify Fail ===---
> block in quick log inet from urpf-failed label "Rule:$nr on $if
> interface. Block reverse patch verify failures."
> block in quick log inet6 from urpf-failed label "Rule:$nr on $if
> interface. Block reverse patch verify failures."
> block in quick log inet from no-route to any label "Rule:$nr on $if
> interface. Block non routable traffic."
> block in quick log inet6 from no-route to any label "Rule:$nr on $if
> interface. Block non routable traffic."
>
> # ---=== Cleanup Rules ===---
> block in quick log inet6 from any label "Rule:$nr on $if interface - Cleanup
> IPv6 *in* Rule."
> block in quick log inet6 to any label "Rule:$nr on $if interface - Cleanup
> IPv6 *in* Rule."
> block out quick log inet6 from any label "Rule:$nr on $if interface - Cleanup
> IPv6 *out* Rule."
> block out quick log inet6 to any label "Rule:$nr on $if interface - Cleanup
> IPv6 *out* Rule."
> block in quick log inet from any label "Rule:$nr on $if interface - Cleanup
> IPv4 *in* Rule."
> block in quick log inet to any label "Rule:$nr on $if interface - Cleanup
> IPv4 *in* Rule."
> block out quick log inet from any label "Rule:$nr on $if interface - Cleanup
> IPv4 *out* Rule."
> block out quick log inet to any label "Rule:$nr on $if interface - Cleanup
> IPv4 *out* Rule."
> block quick log all label "Rule:$nr on $if interface - Last
> match Cleanup Rule."
> block log label "Rule:$nr on $if interface -
> Stateless Cleanup Rule."
>

This is really complicated and hard to read and understand. Most people
don't need such complexity.

-- 
Please keep replies on the mailing list.
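Added example (mine, not part of the thread or of the quoted ruleset): a small shell check for the second cause the reply names, a process on the host itself connecting to 127.0.0.1:50022. It assumes OpenBSD fstat(1) socket lines in the column layout given in the comments, and the sample fstat output below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which local process owns a TCP
# socket connected to 127.0.0.1:50022, i.e. the loopback SSH attempts above.
# Assumes OpenBSD fstat(1) socket lines of the form
#   USER CMD PID FD* internet stream tcp 0x... LOCAL:PORT --> REMOTE:PORT
# (layout from memory; verify against your release before relying on it).

SSH_PORT=50022

# Reads fstat output on stdin; prints "user cmd pid local-endpoint" for each
# socket whose remote endpoint is 127.0.0.1:$SSH_PORT.
lo_ssh_clients() {
    awk -v port="$SSH_PORT" '
        $5 == "internet" && $6 == "stream" && $7 == "tcp" {
            # the token after "-->" is the remote endpoint
            for (i = 8; i < NF; i++)
                if ($i == "-->" && $(i + 1) == ("127.0.0.1:" port))
                    print $1, $2, $3, $(i - 1)
        }'
}

# Constructed sample fstat output (not real system data): a relayd relay and
# an interactive ssh both hold connections to the loopback SSH port, while
# the listening sshd and an outbound ssh to another host do not match.
SAMPLE='dirk     ksh        4242    0 /dev/pts/0
_relayd  relayd     3131    5* internet stream tcp 0x0 127.0.0.1:23456 --> 127.0.0.1:50022
root     sshd       1717    4* internet stream tcp 0x0 *:50022
dirk     ssh        5151    3* internet stream tcp 0x0 192.0.2.10:40001 --> 198.51.100.7:22
dirk     ssh        6161    3* internet stream tcp 0x0 127.0.0.1:23457 --> 127.0.0.1:50022'

# Number of matching sockets in the sample (used by the stand-alone run).
sample_hits() {
    printf '%s\n' "$SAMPLE" | lo_ssh_clients | wc -l | tr -d ' '
}

# Live use on the host (as root, so every user's sockets are visible):
#   fstat | lo_ssh_clients
# If the owner turns out to be relayd, the "forward to" relay the reply
# mentions is the next thing to look at in /etc/relayd.conf.
printf '%s\n' "$SAMPLE" | lo_ssh_clients
echo "matches: $(sample_hits)"
```

Run as root so fstat can see sockets belonging to service users such as _relayd; the pflog entries on lo0 only show the source port, and fstat ties that port to a PID.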

