Hi there,
I was wondering, after reading Mr. Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)
So here is my example pf.conf
ext_if="hvn0"
set skip on lo
block return # block stateless traffic
block inet6
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }
and what I expect is the following:
- traffic ipv4 and ipv6 gets blocked -> general deny
- I let enter ssh traffic
- I let enter https traffic
- I let out traffic on https and submission port
- I should not be able to establish a ssh connection from this host to
another machine but should be able to connect to this
machine
what I notice is I can initiate a ssh connection from this machine. So
there are three possible answers to this:
- 1st with allowing ssh traffic in the first place ssh port will be
considered passable from both sides of the nic. Which would somehow
make no sense to me at all because it's an explicit in rule
- 2nd the ssh connection initiated is somehow considered coming from lo
and for that not passed to the following rules
- 3rd my rules are just wrong :)
So for all the more skilled human beings out there can you help me with it?
regards
--
Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT
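Added example, not part of the original post: a small Python model of how pf evaluates a ruleset without `quick` (every rule is checked top to bottom and the last matching rule wins), run over the pf.conf quoted above. It assumes the interface really is named hvn0, that ssh/https/submission resolve to 22/443/587, and looks only at the first SYN of each connection, so it ignores the state table. Next to the posted rules it also evaluates a variant of the `pass out` rule with the ports on the destination side (`to any port { https, submission }`), because in pf `from ($ext_if) port { ... }` constrains the source port of the outgoing packet.

```python
"""Toy model of pf rule evaluation (added example, not from the original post).

Models only what the thread's ruleset uses: direction, interface, address
family, protocol and source/destination port.  No state table, no 'quick',
no addresses: rules are evaluated top to bottom and the LAST matching rule
wins, which is enough to see what the first SYN of a new connection meets.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

EXT_IF = "hvn0"                        # as in the posted pf.conf (assumed real)
SSH, HTTPS, SUBMISSION = 22, 443, 587  # service names resolved to ports
EPHEMERAL = 51000                      # constructed client source port


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to this host
    iface: str
    af: str          # "inet" or "inet6"
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    direction: Optional[str] = None        # None matches both directions
    iface: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[str] = None
    sports: FrozenSet[int] = frozenset()   # 'from ... port X'; empty = any
    dports: FrozenSet[int] = frozenset()   # 'to ... port X';   empty = any

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.af in (None, p.af)
                and self.proto in (None, p.proto)
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Last matching rule decides; pf passes packets that match no rule."""
    decision = "pass"
    for rule in rules:
        if rule.matches(p):
            decision = rule.action
    return decision


# The ruleset as posted.  'set skip on lo' is modelled by only ever feeding
# hvn0 packets through evaluate().
POSTED: List[Rule] = [
    Rule("block"),                                    # block return
    Rule("block", af="inet6"),                        # block inet6
    Rule("pass", "in", EXT_IF, "inet", "tcp", dports=frozenset({SSH})),
    Rule("pass", "in", EXT_IF, "inet", "tcp", dports=frozenset({HTTPS})),
    # pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }
    # 'from ... port' is the SOURCE port of the outgoing packet.
    Rule("pass", "out", EXT_IF, "inet", "tcp",
         sports=frozenset({HTTPS, SUBMISSION})),
]

# Same intent with the ports on the destination side, i.e.
# pass out on $ext_if inet proto tcp from ($ext_if) to any port { https, submission }
DEST_PORT_OUT: List[Rule] = POSTED[:-1] + [
    Rule("pass", "out", EXT_IF, "inet", "tcp",
         dports=frozenset({HTTPS, SUBMISSION})),
]


def syn(direction: str, dport: int, af: str = "inet") -> Packet:
    """First SYN of a new TCP connection: ephemeral source port, service dport."""
    return Packet(direction, EXT_IF, af, "tcp", EPHEMERAL, dport)


# Constructed scenarios covering the expectations listed in the post.
SCENARIOS: Dict[str, Packet] = {
    "inbound ssh (someone connects to us)": syn("in", SSH),
    "inbound https": syn("in", HTTPS),
    "inbound ssh over IPv6": syn("in", SSH, af="inet6"),
    "outbound ssh (we connect elsewhere)": syn("out", SSH),
    "outbound https (we fetch a page)": syn("out", HTTPS),
    "outbound submission (we send mail)": syn("out", SUBMISSION),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the given ruleset for every scenario."""
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("dest-port pass out", DEST_PORT_OUT)):
        print(f"--- {label} ---")
        for name, verdict in decisions(rules).items():
            print(f"{verdict:5}  {name}")
```

Under this model the posted rules block an outbound ssh SYN (only `block return` matches it), so a `pass in` rule does not make the port passable in both directions; but they also block outbound https and submission, because the source port of a client connection is ephemeral and never 443 or 587. Only the destination-port variant lets those two out while still blocking outbound ssh. Real pf additionally keeps state, so the replies to a passed SYN are allowed without a rule of their own; that does not change the verdict on the first packet. On the host itself, `pfctl -nf /etc/pf.conf` checks that the file parses and `pfctl -sr` shows which rules are actually loaded.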