Re: pf rules






# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state




Rémi LAURENT wrote:
Hi,

Maybe you can give us the result of a pfctl -s rules, because I don't see
how you can have this connection.
hi all...

doing testing with pf...

How is it possible that, if I have these rules below in pf.conf and I do:
telnet that.host.org 25

I get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......


pf.conf contents:

tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh



thanks....



_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
"freebsd-security-unsubscribe@xxxxxxxxxxx"






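What the loaded ruleset above shows is the answer to the original question: "block in all" only governs packets arriving on the host's interfaces, while "telnet that.host.org 25" is an outbound connection from the host. That SYN matches "pass out all flags S/SA keep state", which creates a state entry, and the SYN-ACK coming back is matched by that state rather than evaluated against "block in all". Nothing in the ruleset restricts the outbound direction, so any outbound port is reachable. If the intent is for the host to only be able to open a fixed set of outbound connections, the outbound direction needs its own default deny plus explicit pass-out rules. The following pf.conf is an added example rewritten from the poster's ruleset, not a configuration from the thread; the interface name (taken from the pfctl output) and the list of permitted outbound services are assumptions.

```pf
# Added example (not from the original thread): the poster's ruleset with
# explicit egress filtering. $ext_if and $tcp_out are assumptions.
ext_if  = "bge0"                  # assumption: interface seen in the pfctl output
tcp_in  = "{ www, https }"
tcp_out = "{ www, https, ssh }"   # assumption: outbound services the host needs
                                  # (smtp is deliberately not listed)
udp     = "{ domain, ntp }"
ping    = "echoreq"

set skip on lo
scrub in all

antispoof quick for $ext_if inet

# Default deny in both directions. The original "pass out all keep state"
# was the rule that matched the outbound telnet to port 25 and created
# the state that let the reply back in.
block in all
block out all

# Outbound: only what is listed. Last matching rule wins, so these pass
# rules override the block rules above for matching packets.
pass out proto udp to any port $udp keep state
pass out proto tcp to any port $tcp_out flags S/SA keep state
pass out inet proto icmp all icmp-type $ping keep state

# Inbound: same services the original ruleset exposed.
pass in proto udp to any port $udp keep state
pass in inet proto tcp to any port $tcp_in flags S/SA synproxy state
pass in proto tcp to any port ssh flags S/SA keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". After loading, "telnet that.host.org 25" from the host no longer connects: the outgoing SYN matches "block out all" and is dropped (pf's default block-policy), so telnet hangs in "Trying ..." instead of reporting "Connected". "pfctl -vvsr" prints each rule with its packet counters, which is the quickest way to see which rule actually matched a given connection, and "pfctl -ss" lists the states that "keep state" rules have created.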