(please see my in-line comments)

On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <kgo...@gmail.com> wrote:
> is it this?
>
>> # redirect external ssh traffic from ?????
>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>    rdr-to 127.0.0.1 port 22
>
> to me, that rule looks like it will accept any inbound traffic on the
> external interface and redirect it to 127.0.0.1:22. but I don't know what
> the question marks do; I've never seen them used in a pf rule before. my
> guess is, if pf accepts them at all, it treats them as a wildcard.
> -ken
The ????? marks are just replacements for the actual port number. This
rule should forward outside traffic from port ????? to the SSH server, but
I think you are probably on the right track. I really don't understand the
new rdr-to and match nat-to rules as well as the older pre-4.6 syntax.
However, if I comment that rule out, an nmap still shows a bunch of open
ports. If I try manually connecting to one of the ports that are listed as
open by nmap I get a "Could not open connection to the host, on port 7800:
Connect failed". Is it possible that nmap is just full of crap?

> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <woolsherpa...@gmail.com>
> wrote:
>>
>> Hello @misc!
>>
>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>> However, I get some strange results if I run an nmap scan on it from
>> work. I get hundreds of ports listed as open. Now it's likely that I
>> have mis-configured my firewall but I can't see exactly where.
>> Hopefully someone here on @misc can hit me with the clue stick.
>>
>> $ext_if (sis0) is my external facing interface. $int_if and $apple_if
>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>> obviously doing NAT for all my internal subnets -- NAT works, as do
>> the restrictions on sis1 and sis2 from being able to send traffic to
>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>> should by default block any inbound packets on any interface unless
>> there is a subsequent rule that matches that packet, as the packet will
>> do whatever the last matching rule told it to. So all inbound traffic
>> will either A) be blocked or B) match an "exception" later on in the
>> ruleset, right? So how come a scan from the "outside" reveals hundreds
>> of unfiltered ports?
>>
>> Advice would be much welcome.
>> Thank you!
>>
>> /etc/pf.conf:
>>
>> # macros
>> ext_if="sis0"
>> int_if="sis1"
>> apple_if="sis2"
>> wifi_if="ral0"
>>
>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>
>> # options
>> set require-order yes
>> set block-policy drop
>> set optimization normal
>> set skip on lo0
>>
>> # flag packets from all internal interfaces for NAT
>> match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
>>
>> # policy: default deny on all inbound traffic on all interfaces
>> block in log
>>
>> # immediately pass out traffic on external interface, modulate state to make
>> # ISNs (initial sequence numbers) harder to guess
>> pass out quick on $ext_if proto tcp modulate state
>>
>> # policy: default allow on all outbound traffic on all interfaces
>> pass out
>>
>> # antispoofing for internal interfaces
>> antispoof quick for { $int_if $apple_if $wifi_if }
>>
>> # ingress/egress bogon filtering
>> block in quick log on $ext_if from <bogons>
>> block out quick log on $ext_if from <bogons>
>>
>> # allow internal traffic in, except from untrusted --> trusted
>> pass in on $int_if from $int_if:network
>> pass in on $apple_if from $apple_if:network to !$int_if:network
>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>
>> # allow ssh traffic on trusted interface
>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
>>
>> # redirect external ssh traffic from ?????
>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>    rdr-to 127.0.0.1 port 22
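The thread turns on how pf evaluates the posted ruleset: a default "block in log" followed by later "pass" exceptions, with the last matching rule winning unless a matching rule says "quick". The following is an added example, not code from this thread or from OpenBSD, that models exactly that evaluation order over the pass/block lines of the posted pf.conf and reports the verdict for sample packets. It assumes constructed addresses for sis0/sis1/sis2/ral0 and a constructed subset of the bogon table, replaces the elided "?????" port with the placeholder 2222, and leaves out the set/table/match/antispoof lines and state tracking, which are outside the model.

```python
"""Toy model of pf rule evaluation: the last matching rule wins unless a
matching rule carries 'quick'.  Added example, not code from the thread."""
import ipaddress
from collections import namedtuple

# Constructed addressing for the interfaces named in the posted pf.conf.
MACROS = {"ext_if": "sis0", "int_if": "sis1", "apple_if": "sis2", "wifi_if": "ral0"}
IFACE_ADDR = {"sis0": "203.0.113.5", "sis1": "192.168.1.1", "sis2": "192.168.2.1", "ral0": "192.168.3.1"}
IFACE_NET = {"sis0": "203.0.113.0/24", "sis1": "192.168.1.0/24", "sis2": "192.168.2.0/24", "ral0": "192.168.3.0/24"}
TABLES = {"bogons": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}  # constructed subset

# Pass/block rules from the posted pf.conf; "?????" is replaced by the
# placeholder port 2222 (an assumption).  set/table/match/antispoof lines
# are not modelled.
RULESET = """
block in log
pass out quick on $ext_if proto tcp modulate state
pass out
block in quick log on $ext_if from <bogons>
pass in on $int_if from $int_if:network
pass in on $apple_if from $apple_if:network to !$int_if:network
pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
pass in log on $ext_if inet proto tcp to ($ext_if) port 2222 rdr-to 127.0.0.1 port 22
"""

Packet = namedtuple("Packet", "direction iface proto src dst dport")


def resolve_addr(spec):
    """pf address operand -> (negated, [networks]); None means 'any'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("()")
    if spec == "any":
        return None
    if spec.startswith("<"):                      # table reference
        nets = TABLES[spec.strip("<>")]
    else:
        name, _, modifier = spec.partition(":")
        iface = MACROS.get(name.lstrip("$"), name)
        if modifier == "network":                 # $if:network -> attached subnet
            nets = [IFACE_NET[iface]]
        elif iface in IFACE_ADDR:                 # $if or ($if) -> interface address
            nets = [IFACE_ADDR[iface]]
        else:
            nets = [spec]                         # literal address or CIDR
    return negate, [ipaddress.ip_network(n) for n in nets]


def addr_matches(spec, ip):
    if spec is None:
        return True
    negate, nets = spec
    return any(ipaddress.ip_address(ip) in n for n in nets) != negate


def parse_rule(line):
    tokens = line.split()
    if not tokens or tokens[0] not in ("pass", "block"):
        return None
    rule = dict(action=tokens[0], direction=tokens[1], quick="quick" in tokens,
                text=line, iface=None, proto=None, src=None, dst=None, port=None)
    i = 2
    while i < len(tokens) and tokens[i] != "rdr-to":   # rdr-to target is not a match criterion
        key, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
        if key == "on":
            rule["iface"] = MACROS.get(arg.lstrip("$"), arg)
        elif key == "proto":
            rule["proto"] = arg
        elif key in ("from", "to"):
            rule["src" if key == "from" else "dst"] = resolve_addr(arg)
        elif key == "port":
            rule["port"] = int(arg)
        else:
            i += 1                     # log, inet, modulate, state, quick ...
            continue
        i += 2
    return rule


def evaluate(rules, pkt):
    """Return (action, rule text): last match wins, 'quick' stops evaluation."""
    verdict = ("pass", "(no rule matched; pf passes by default)")
    for r in rules:
        if (r["direction"] == pkt.direction and r["iface"] in (None, pkt.iface)
                and r["proto"] in (None, pkt.proto) and r["port"] in (None, pkt.dport)
                and addr_matches(r["src"], pkt.src) and addr_matches(r["dst"], pkt.dst)):
            verdict = (r["action"], r["text"])
            if r["quick"]:
                break
    return verdict


RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r]


def external_scan(ports, src="198.51.100.7"):
    """Verdict for an inbound TCP SYN to the external address, per port."""
    return {p: evaluate(RULES, Packet("in", "sis0", "tcp", src, IFACE_ADDR["sis0"], p))[0]
            for p in ports}


if __name__ == "__main__":
    for port, action in external_scan([22, 80, 2222, 7800]).items():
        print(f"sis0 tcp/{port}: {action}")
```

Under this model every inbound TCP port on sis0 other than the redirected one ends at "block in log", and a source in the bogon table is blocked by the "quick" rule before any later pass rule is considered. Two caveats the model deliberately leaves out: pf also passes replies that belong to an existing state, and with "set block-policy drop" a blocked SYN gets no reply at all, which a SYN scan reports as "filtered"; nmap marks a port "open" only after receiving a SYN/ACK from something.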