Hello, I am testing pf in an OpenBSD 4.1. This same configuration works fine on OpenBSD 3.9, but in 4.1 it is not filtering anything; everything is passing through, just as if there was no 'block all'. What worries me most is that anyone on the outside can see my ssh service. Is there anything wrong with the state of my rules? If I didn't misunderstand, these rules should work just fine.
Any ideas? Thanks in advance, Marcos
-------
#
set skip on lo
scrub in
icmp_nets="{ 10.10.10.0/24 }"
block all
# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state
# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any
# no ipv6
block in quick inet6 all
######
# outgoing
# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state
# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state
# ntp
ntp_servers="{ 10.10.10.4 }"
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state
# ssh
ssh_friends="{ 10.10.10.0/24 }"
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state
# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state
######
# incoming
# private
friends="{ 10.10.10.0/24 }"
friends_srvs="{ ftp, ftp-data, ssh }"
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state
# MySQL and PgSQL
sql_www_apps_srv="{ 10.10.10.0/24 }"
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state
# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state
----
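Before looking for a mistake in the rules themselves, the first things to verify on a box where "everything passes" are whether pf is enabled at all, whether the file actually parses on the new release, and whether the catch-all block made it into the loaded ruleset. The script below is an added example for this thread, not part of Marcos's message; the file name pfcheck.sh is chosen here, it assumes OpenBSD's pfctl(8) and root, and the two helpers that read pfctl output are kept as pure stdin-to-exit-status functions so they can be exercised without a live pf.

```shell
#!/bin/sh
# pfcheck.sh: added diagnostic for the "pf is not filtering anything" case.
# Assumes OpenBSD pfctl(8); the live checks need root. Not from the original post.

PF_CONF="${PF_CONF:-/etc/pf.conf}"

# pf_is_enabled: succeed if 'pfctl -s info' output on stdin reports pf enabled.
# pfctl prints "Status: Enabled for N days hh:mm:ss" or "Status: Disabled ...".
pf_is_enabled() {
    grep -q '^Status: Enabled'
}

# ruleset_has_block_all: succeed if the loaded ruleset ('pfctl -sr' on stdin)
# contains a catch-all block. pfctl prints a bare 'block all' back as 'block drop all'.
ruleset_has_block_all() {
    grep -Eq '^block (drop |return )?all$'
}

# pf_check: run the checks against the live system, stopping at the first failure.
pf_check() {
    # 1. If pf is disabled, every packet passes no matter what the ruleset says.
    if ! pfctl -s info | pf_is_enabled; then
        echo "pf is DISABLED: run 'pfctl -e' now and set pf=YES in /etc/rc.conf.local" >&2
        return 1
    fi
    # 2. Parse without loading (-n); -v prints the expanded rules for inspection.
    if ! pfctl -nvf "$PF_CONF" >/dev/null; then
        echo "$PF_CONF does not parse on this release; whatever was loaded before is still active" >&2
        return 1
    fi
    # 3. Is the catch-all block really part of the loaded ruleset?
    if ! pfctl -sr | ruleset_has_block_all; then
        echo "no 'block all' in the loaded ruleset; reload with 'pfctl -f $PF_CONF'" >&2
        return 1
    fi
    # 4. Show which loaded rules mention ssh and which states currently exist on port 22.
    echo "rules mentioning port ssh/22:"
    pfctl -sr | grep -E 'port = (ssh|22)( |$)' || echo "(none)"
    echo "current states on port 22:"
    pfctl -ss | grep -E ':22 ' || echo "(none)"
    return 0
}

# Only touch the live system when asked to explicitly: sh pfcheck.sh --live
case "${1:-}" in
    --live) pf_check ;;
esac
```

Run it as root with `sh pfcheck.sh --live`. If step 1 fails, the rules were never consulted and there is nothing to debug in pf.conf; if step 2 fails on 4.1 but the same file loads on 3.9, the parse error pfctl prints is the place to look.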