Hello,

I am testing pf on OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything; everything is passing
through, just as if there were no 'block all'. What worries me most is that
anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


-------
#
set skip on lo
scrub in
icmp_nets="{ 10.10.10.0/24 }"

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


######
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http , https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers="{ 10.10.10.4 }"
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends="{ 10.10.10.0/24 }"
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state


# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

######
# incoming

# private
friends="{ 10.10.10.0/24 }"
friends_srvs="{ ftp, ftp-data, ssh }"
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL y PgSQL
sql_www_apps_srv="{ 10.10.10.0/24 }"
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state

----
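A diagnostic added here, not part of Marcos's message, that separates the two usual causes of a ruleset that appears to pass everything: pf not enabled, or the file never loaded into the kernel. It assumes OpenBSD's pfctl and takes the ruleset path from PF_CONF; the sample pfctl output below is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes OpenBSD pfctl and
# a ruleset at PF_CONF (default /etc/pf.conf).
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Returns 0 when the text of `pfctl -s info` reports pf enabled, 1 otherwise.
pf_enabled_from_info() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Prints how many filter rules appear in the text of `pfctl -sr`.
# 0 means the kernel holds no block/pass rules, so nothing is filtered.
count_loaded_rules() {
    printf '%s\n' "$1" | grep -c -E '^(block|pass|match)'
}

# Syntax check only: -n parses the file without loading it.
pf_conf_parses() {
    pfctl -nf "$1" >/dev/null 2>&1
}

# Constructed samples of pfctl output, for a dry run on a box without pf.
SAMPLE_INFO_ON='Status: Enabled for 0 days 00:05:12   Debug: Urgent'
SAMPLE_INFO_OFF='Status: Disabled for 2 days 03:00:01  Debug: Urgent'
SAMPLE_RULES='scrub in all
block drop all
pass in quick on egress inet from <goodhosts> to any flags S/SA keep state
block drop in quick inet6 all'

run_checks() {
    if pf_enabled_from_info "$(pfctl -s info)"; then
        echo "pf: enabled"
    else
        echo "pf: DISABLED (pfctl -e now; pf=YES in /etc/rc.conf.local to persist)"
    fi
    if pf_conf_parses "$PF_CONF"; then
        echo "$PF_CONF: parses"
    else
        echo "$PF_CONF: syntax error, see: pfctl -nf $PF_CONF"
    fi
    n=$(count_loaded_rules "$(pfctl -sr)")
    echo "loaded filter rules: $n"
    [ "$n" -gt 0 ] || echo "no rules loaded, run: pfctl -f $PF_CONF"
}

# Only touch the live system when pfctl is present.
if command -v pfctl >/dev/null 2>&1; then
    run_checks
fi
```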