Re: pf rules
# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state

Rémi LAURENT wrote:
Hi,

Maybe you can give us the result of a pfctl -s rules because i don't see
how you can have this connection.
hi all...

doing testing with pf...

how is it possible that if i have these rules below in pf.conf if i do:
telnet that.host.org 25

i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......


pf.conf contents:

tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh

thanks....

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
"freebsd-security-unsubscribe@xxxxxxxxxxx"
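The behaviour the original poster is puzzled by follows from two pf properties: the state table is consulted before the ruleset, and without `quick` the last matching rule wins. `block in all` only matches inbound packets, so the outbound SYN of `telnet that.host.org 25` matches `pass out all keep state`, and the state entry it creates lets the SYN/ACK back in. The toy evaluator below is an added example (not code from the thread or from pf itself) that replays the poster's ruleset with constructed addresses; it ignores TCP flag matching, scrub, antispoof and `set skip`, and the `Packet`, `Rule` and `Firewall` names are this example's own.

```python
"""Toy model of pf rule evaluation: state table first, then last matching rule wins.
Constructed to show why 'block in all' does not stop an outbound telnet to port 25."""
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

# Service names from the pf.conf macros, resolved as /etc/services would.
SERVICES = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "ntp": 123, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the firewall's interface
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    text: str                                # the pf.conf line this entry models
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # None matches both in and out
    proto: Optional[str] = None              # None matches any protocol
    dports: Optional[FrozenSet[int]] = None  # None matches any destination port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


# The poster's ruleset with the macros expanded (antispoof/scrub omitted).
RULESET = [
    Rule("block in all", "block", "in"),
    Rule("pass out all keep state", "pass", "out", keep_state=True),
    Rule("pass proto udp to any port $udp", "pass", None, "udp",
         frozenset({SERVICES["domain"], SERVICES["ntp"]})),
    Rule("pass inet proto icmp all icmp-type $ping keep state", "pass", None, "icmp",
         keep_state=True),
    Rule("pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state", "pass",
         "in", "tcp", frozenset({SERVICES["www"], SERVICES["https"]}), keep_state=True),
    Rule("pass proto tcp to any port ssh", "pass", None, "tcp", frozenset({SERVICES["ssh"]})),
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # flows opened by a keep-state pass rule

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). pf checks the state table before the rules."""
        if self._key(p) in self.states or self._reply_key(p) in self.states:
            return "pass", "existing state"
        winner = None
        for r in self.rules:  # no 'quick' keyword, so the last matching rule wins
            if r.matches(p):
                winner = r
        if winner is None:
            return "pass", "no matching rule (pf default)"
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._key(p))
        return winner.action, winner.text


def telnet_smtp_demo():
    """Replay 'telnet that.host.org 25' through the ruleset (constructed addresses)."""
    fw = Firewall(RULESET)
    syn = Packet("out", "tcp", "192.0.2.10", 51000, "198.51.100.25", 25)
    syn_ack = Packet("in", "tcp", "198.51.100.25", 25, "192.0.2.10", 51000)
    unsolicited = Packet("in", "tcp", "203.0.113.7", 40000, "192.0.2.10", 25)
    return {
        "outbound SYN to 25": fw.decide(syn),
        "inbound SYN/ACK reply": fw.decide(syn_ack),
        "inbound new SMTP SYN": fw.decide(unsolicited),
    }


if __name__ == "__main__":
    for label, verdict in telnet_smtp_demo().items():
        print(f"{label:24} -> {verdict[0]:5} ({verdict[1]})")
```

Running it shows the outbound SYN passing on `pass out all keep state`, the reply passing on the state entry, and only an unsolicited inbound SYN to port 25 hitting `block in all`. To stop outbound SMTP the ruleset would need a more specific `pass out` (or a `block out` rule) rather than a stricter `block in`.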