Hi Alex,
here is the output:
anchor "ftp-proxy/*" all
pass in quick on vlan2 inet proto tcp from any to any port = 21 flags
S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
anchor "vm-host-management" all
anchor "hw-management" all
anchor "heliopolis.lab" all
anchor "heliopolis.net" all
anchor "helioplis.dmz" all
anchor "heliopolis.wlan" all
match out on em2 inet from <__automatic_a0bf736a_0> to any nat-to (em2)
round-robin
block drop in log quick on ! em2 inet from <public-net> to any
block drop in log quick inet from <public-ip> to any
block drop in log quick on em2 inet6 from fe80::200:24ff:fece:97c2 to any
block drop in all
pass all flags S/SA keep state (if-bound)
pass inet proto icmp all keep state (if-bound)
block drop on em2 inet6 all
block drop on tun0 inet6 all
block drop log quick on em2 from <rouge-hosts> to any
block drop log quick on em2 from <private-rfc1918> to any
pass in quick on athn0 all flags S/SA keep state (if-bound)
pass out quick on athn0 all flags S/SA keep state (if-bound)
pass on vlan6 inet from 192.168.6.0/24 to ! <private-rfc1918> flags S/SA
keep state (if-bound)
pass quick on vlan6 inet from any to 224.0.0.0/4 flags S/SA keep state
(if-bound) allow-opts
pass in on vlan4 inet proto icmp all icmp-type echoreq code 0 set (
queue q_pri ) keep state (if-bound)
pass in on vlan4 inet from 192.168.4.0/24 to any flags S/SA keep state
(if-bound)
pass on em2 inet proto icmp all set ( queue q_pri ) keep state (if-bound)
pass on em2 inet proto tcp from (em2) to any flags S/FSRA set ( queue
q_pri ) modulate state (if-bound)
pass in quick on em2 inet proto tcp from any to any port = 21 flags
S/FSRA set ( queue q_sgdef ) keep state (if-bound) label "ServicesTCP"
pass in quick on em2 inet proto tcp from any to any port = 113 flags
S/FSRA set ( queue q_sgdef ) keep state (if-bound) label "ServicesTCP"
block drop in log quick from <block-ssh-scanners> to any
pass on em2 inet proto tcp from ! <block-ssh-scanners> to (em2) port =
8022 flags S/FSRA set ( queue q_ssh ) keep state (source-track rule,
max-src-conn-rate 3/30, overload <block-ssh-scanners> flush global,
if-bound, src.track 30)
pass on em2 proto tcp from (em2) to any port = 80 flags S/SA set ( queue
q_http ) keep state (if-bound)
pass on em2 proto tcp from (em2) to any port = 443 flags S/SA set (
queue q_http ) keep state (if-bound)
pass on em2 proto tcp from any to any port = 8022 flags S/SA set ( queue
q_ssh ) keep state (if-bound)
pass on vlan2 inet proto tcp from 192.168.2.240 to any port > 10000
flags S/SA modulate state (if-bound) tag TORRENT
pass on vlan2 inet proto udp from 192.168.2.240 to any port > 10000 keep
state (if-bound) tag TORRENT
pass on em2 proto tcp from (em2) to any flags S/SA set ( queue q_tor )
modulate state (if-bound) tagged TORRENT
pass on em2 proto udp from (em2) to any set ( queue q_tor ) keep state
(if-bound) tagged TORRENT
pass in on em2 inet proto tcp from any to 192.168.2.240 port 6881:6999
flags S/SA set ( queue q_tor ) synproxy state (max 50000, source-track
rule, max-src-conn 100000, max-src-nodes 100000, if-bound,
tcp.established 50000, adaptive.start 30000, adaptive.end 60000)
pass in on em2 inet proto udp from any to 192.168.2.240 port = 4444 set
( queue q_tor ) keep state (max 50000, source-track rule, max-src-conn
100000, max-src-nodes 100000, if-bound, tcp.established 50000,
adaptive.start 30000, adaptive.end 60000)
pass in inet from 192.168.44.0/24 to 192.168.2.0/24 flags S/SA modulate
state (if-bound)
pass in inet from 192.168.44.0/24 to ! <private-rfc1918> flags S/SA
modulate state (if-bound)
pass in inet from 192.168.2.0/24 to ! 192.168.55.0/24 flags S/SA
modulate state (if-bound)
pass in inet from 192.168.2.0/24 to 192.168.15.0/24 flags S/SA modulate
state (if-bound)
pass in on vlan15 inet proto icmp all icmp-type echoreq code 0 set (
queue q_pri ) keep state (if-bound)
pass in inet from 192.168.15.0/24 to ! <private-rfc1918> flags S/SA
modulate state (if-bound)
pass in inet from 192.168.2.0/24 to 192.168.22.0/24 flags S/SA modulate
state (if-bound)
pass in on vlan22 inet proto icmp all icmp-type echoreq code 0 set (
queue q_pri ) keep state (if-bound)
pass in inet from 192.168.22.0/24 to ! <private-rfc1918> flags S/SA
modulate state (if-bound)
pass in inet from 192.168.2.0/24 to 192.168.25.0/24 flags S/SA modulate
state (if-bound)
pass in on vlan25 inet proto icmp all icmp-type echoreq code 0 set (
queue q_pri ) keep state (if-bound)
pass in inet from 192.168.55.0/24 to 192.168.55.1 flags S/SA modulate
state (if-bound)
pass in inet from 192.168.55.0/24 to ! <private-rfc1918> flags S/SA
modulate state (if-bound)
pass in inet from 192.168.25.0/24 to ! <private-rfc1918> flags S/SA
modulate state (if-bound)
pass in inet from 192.168.2.0/24 to 192.168.55.0/24 flags S/SA modulate
state (if-bound)
pass in inet from 192.168.11.0/24 to 192.168.11.1 flags S/SA modulate
state (if-bound)
Bye
Mario
On 06.04.2014 02:29, [email protected] wrote:
On Sat, Apr 05, 2014 at 04:53:26PM +0200, Mario Kothe wrote:
<..>
This rule seems to have no effect. A scan from remote shows port 53
<..>
Hi Mario,
Can you show the output of "pfctl -s rules"?
Regards,
Alex
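One detail worth checking in a listing like the one above: pf walks the rules top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation on the spot. A `block` for port 53 written without `quick` and placed above a broad `pass all` (the listing above has exactly such a rule, `pass all flags S/SA keep state (if-bound)`, and no rule mentioning port 53 at all) is therefore overridden by that later `pass`. The script below is an added example, not code from the thread or from OpenBSD: it parses a constructed four-line ruleset written in the shape of `pfctl -s rules` output (interface name `em2` and the port numbers are assumed for the demo) and reports which rule decides a given packet under those ordering semantics. Only action, `quick`, direction, `on` interface (with `!` negation), `proto` and a `port = N` on the `to` side are modelled; TCP flags, addresses, tables and state lookups are ignored.

```python
"""Added example: evaluate pf's last-match-wins / `quick` ordering for a packet
over a few constructed lines in the format of `pfctl -s rules` output."""
import re
from typing import Optional

# Constructed sample ruleset, not the poster's actual rules.
SAMPLE_RULES = """\
block drop in all
block drop in on em2 proto udp from any to any port = 53
pass all flags S/SA keep state (if-bound)
pass in quick on em2 inet proto tcp from any to any port = 21 flags S/SA keep state (if-bound)
"""

# Rule header as pfctl prints it:
#   action [drop|return] [in|out] [log] [quick] [on [!] iface] [inet|inet6] [proto X]
_HEAD_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?:drop|return))?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<ifneg>!\s+)?(?P<iface>\S+))?"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
)
_DPORT_RE = re.compile(r"\bport\s*=\s*(\d+)")


def parse_rule(line: str) -> dict:
    """Extract the handful of fields this demo matches on."""
    m = _HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    # Only a `port = N` on the `to` side (destination port) is modelled.
    dst = line.split(" to ", 1)[1] if " to " in line else ""
    pm = _DPORT_RE.search(dst)
    return {
        "text": line.strip(),
        "action": m.group("action"),
        "quick": m.group("quick") is not None,
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "ifneg": m.group("ifneg") is not None,
        "proto": m.group("proto"),
        "dport": int(pm.group(1)) if pm else None,
    }


def parse_ruleset(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def rule_matches(rule: dict, pkt: dict) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"]:
        on_iface = rule["iface"] == pkt["iface"]
        if on_iface == rule["ifneg"]:  # `on ! em2` inverts the interface test
            return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def decide(rules: list, pkt: dict) -> Optional[dict]:
    """Return the rule that decides `pkt`, or None if nothing matched."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule  # a later match overrides an earlier one ...
            if rule["quick"]:
                break      # ... unless the match is `quick`
    return winner


def verdict(rules_text: str, pkt: dict) -> tuple:
    """(action, index of deciding rule); index -1 means pf's default pass."""
    rules = parse_ruleset(rules_text)
    w = decide(rules, pkt)
    if w is None:
        return ("pass", -1)
    return (w["action"], rules.index(w))


# Constructed probe packets: an inbound DNS query and an inbound FTP SYN on em2.
DNS_PROBE = {"dir": "in", "iface": "em2", "proto": "udp", "dport": 53}
FTP_SYN = {"dir": "in", "iface": "em2", "proto": "tcp", "dport": 21}

if __name__ == "__main__":
    print(verdict(SAMPLE_RULES, DNS_PROBE))  # ('pass', 2): later `pass all` wins
    print(verdict(SAMPLE_RULES, FTP_SYN))    # ('pass', 3): `quick` match decides
    # Same ruleset with `quick` added to the port 53 block.
    fixed = SAMPLE_RULES.replace("block drop in on em2", "block drop in quick on em2")
    print(verdict(fixed, DNS_PROBE))         # ('block', 1)
```

Running the block shows the port 53 block being overridden by the later `pass all`, and the same block deciding the packet once it is marked `quick`; the other fix, reordering so the block comes after the broad `pass`, gives the same verdict. Real pf also consults the state table before the ruleset, so a flow that already has a state is never re-evaluated against rules at all, which is a second thing to check (`pfctl -s states`) when a rule appears to have no effect.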