Hello,

Yes, it loaded properly. Yes, I had missed the macro for the external
NIC; it is included in the original ruleset: t_externa = "fxp0"


This is the result of pfctl -sr:

match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type unreach keep state



As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I
cannot SSH in from the outside.

Where am I blocking port SSH in? :(

Andres


On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet <dan...@presscom.net> wrote:
>>       ## Traffic IN
>>       pass in log quick on $t_externa inet proto { tcp, udp } from any
>> to ($t_externa) \
>>          port { 22  8080 } keep state
>
> In your pf configuration it doesn't show where you actually define the
> macro for your interface $t_externa.
>
> Are you sure the rules you run are what you think they are?
>
> Did it load properly, and maybe you want to check the rules as active with
>
> pfctl -sr
>
> And check that display. I think you may find what you are looking for.
>
> Compare your pf.conf with what you actually see in pfctl -sr and you will
> work your issue out.
>
> Best,
>
> Daniel
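A simplified model of how pf picks the winning rule from pfctl -sr output, added here as an example and not code from the thread: pf evaluates rules top to bottom, the last matching rule wins, and a matching rule marked quick ends evaluation immediately. The model compares only direction, interface, protocol and destination port (addresses, flags and state options are ignored), and the embedded ruleset is a constructed subset of the pfctl -sr output above, one rule per line.

```shell
#!/bin/sh
# Simplified model of pf rule evaluation over the text form that `pfctl -sr`
# prints: rules are walked top to bottom, the LAST matching rule wins, and a
# matching rule with `quick` stops evaluation at once. Only direction,
# interface, protocol and destination port are compared; addresses, flags,
# state options and `match` rules are ignored.
#
# Usage: ... | pf_winner DIR IFACE PROTO DSTPORT   (rules on stdin)
pf_winner() {
    awk -v dir="$1" -v ifc="$2" -v proto="$3" -v port="$4" '
    /^(pass|block)/ {
        rdir = "any"; rifc = "any"; rproto = "any"; rport = "any"; quick = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "in" || $i == "out") rdir = $i
            else if ($i == "on") rifc = $(i + 1)
            else if ($i == "proto") rproto = $(i + 1)
            else if ($i == "port" && $(i + 1) == "=") rport = $(i + 2)
            else if ($i == "quick") quick = 1
        }
        if ((rdir == "any" || rdir == dir) && (rifc == "any" || rifc == ifc) &&
            (rproto == "any" || rproto == proto) && (rport == "any" || rport == port)) {
            winner = $0          # a later match overrides an earlier one ...
            if (quick) exit      # ... unless the match is quick
        }
    }
    END { print (winner == "" ? "no rule matched (pf default is pass)" : winner) }'
}

# Constructed sample: a subset of the pfctl -sr output from the mail above,
# one rule per line as pfctl prints them.
pf_sample_rules() {
    cat <<'EOF'
match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
EOF
}

# Which rule decides an inbound TCP connection to port 22 on fxp0?
pf_sample_rules | pf_winner in fxp0 tcp ssh
# Which rule decides inbound TCP to a port that no pass rule covers?
pf_sample_rules | pf_winner in fxp0 tcp smtp
```

Paste the real `pfctl -sr` output into the pipe to see which rule decides a given flow; a `block drop all` winner for the inbound SSH case is the line to look for.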
