On Mon, Nov 10, 2025 at 10:34:07AM +0000, dirk coetzee wrote:
> Good point. Thank you. I have removed set skip lo0
>
> Why did the antispoof not work for vio0?
This is the first time you mention vio0.
Note that connections from and to local interfaces will pass through
lo0. Let's assume that vio0's address is 192.168.1.10. If you listen
on port 12345 on that interface
nc -l 192.168.1.10 12345
and then, on a different terminal send data to that port
date | nc 192.168.1.10 12345
You will see traffic going through lo0 but not through vio0, even if
their source and destination IPs are vio0's address:
# tcpdump -nti lo0
192.168.1.10.26934 > 192.168.1.10.12345: S 1721760598:1721760598(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 4052130287 0> (DF)
192.168.1.10.12345 > 192.168.1.10.26934: S 880890965:880890965(0) ack
1721760599 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp
3744894978 4052130287> (DF)
192.168.1.10.26934 > 192.168.1.10.12345: . ack 1 win 256 <nop,nop,timestamp
4052130287 3744894978> (DF)
192.168.1.10.26934 > 192.168.1.10.12345: P 1:30(29) ack 1 win 256
<nop,nop,timestamp 4052130287 3744894978> (DF)
192.168.1.10.12345 > 192.168.1.10.26934: . ack 30 win 271
<nop,nop,timestamp 3744894978 4052130287> (DF)
192.168.1.10.12345 > 192.168.1.10.26934: P 1:2(1) ack 30 win 271
<nop,nop,timestamp 3744894978 4052130287> (DF)
192.168.1.10.26934 > 192.168.1.10.12345: . ack 2 win 255 <nop,nop,timestamp
4052130287 3744894978> (DF)
This holds true even if the source address comes from a different local
interface. I.e., if you had vio1 with address 192.168.2.2, and did
date | nc -s 192.168.2.2 192.168.1.10 12345
traffic would still go through lo0.
So, in summary, if you want to filter *local* connections to daemons,
you need to filter them on lo0. Since your ssh connection attempts come
from the host that is running sshd, they go through lo0 (which you were
not filtering on, due to "set skip on lo").
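The "set skip on lo" pitfall described above, as an added example that is not from this thread or from OpenBSD: a small POSIX sh/awk checker that reads a pf.conf fragment and reports rules whose "on"/"for" interface is already excluded from filtering by a "set skip" line. It assumes pf's group semantics (skipping "lo" skips every lo* interface) and approximates group membership by stripping trailing digits from the interface name, which only covers driver-name groups like lo/vio, not arbitrary groups such as egress; the sample ruleset is constructed to mirror the one quoted in the thread.

```shell
#!/bin/sh
# Added example: find pf.conf rules that can never match because "set skip on ..."
# already removes their interface from filtering. pf skips every interface in a
# named group, so "set skip on lo" covers lo0.

# Constructed pf.conf fragment (assumption, not the poster's real file).
SAMPLE_PF_CONF='set skip on lo
set block-policy drop
antispoof log quick for { lo0, vio0, wg0 }
block quick log on lo0 inet proto tcp from any to self port { 22, 50022 }
block return in on ! lo0 proto tcp to port 6000:6010
pass in quick log on egress inet proto tcp to vio0:0 port = 50022 keep state'

# Print the interfaces/groups named in every "set skip on" line, one per line.
pf_skipped_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]/ {
            sub(/^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]+/, "")
            gsub(/[{},]/, " ")          # "set skip on { lo0 vio0 }" -> plain tokens
            for (i = 1; i <= NF; i++) print $i
        }'
}

# Print each pass/block/match/antispoof rule whose interface is skipped.
pf_dead_rules() {
    skips=$(pf_skipped_ifaces "$1")
    printf '%s\n' "$1" | awk -v skips="$skips" '
        BEGIN { n = split(skips, s, "\n"); for (i = 1; i <= n; i++) if (s[i] != "") skip[s[i]] = 1 }
        # Skipped if named directly or via its driver-name group (lo0 -> lo); approximation.
        function skipped(ifc,   grp) {
            grp = ifc; sub(/[0-9]+$/, "", grp)
            return (ifc in skip) || (grp in skip)
        }
        /^[[:space:]]*(pass|block|match|antispoof)[[:space:]]/ {
            line = $0
            gsub(/,/, " "); gsub(/[{]/, " { "); gsub(/[}]/, " } ")   # re-split on clean tokens
            dead = 0
            for (i = 1; i < NF; i++) {
                if ($i != "on" && $i != "for") continue
                j = i + 1
                if ($j == "!") break                 # "on ! lo0": applies everywhere else, not dead
                if ($j == "{") {
                    for (j++; j <= NF && $j != "}"; j++) if (skipped($j)) dead = 1
                } else if (skipped($j)) dead = 1
                break
            }
            if (dead) print line
        }'
}

# Number of rules that can never match.
pf_dead_rule_count() {
    pf_dead_rules "$1" | awk 'END { print NR }'
}

# Exit 0 when loopback traffic is actually filtered, 1 when lo/lo0 is skipped.
pf_loopback_filtered() {
    pf_skipped_ifaces "$1" | grep -qx -e lo -e lo0 && return 1
    return 0
}

printf 'Skipped interfaces:\n'
pf_skipped_ifaces "$SAMPLE_PF_CONF"
printf 'Rules that can never match:\n'
pf_dead_rules "$SAMPLE_PF_CONF"
if pf_loopback_filtered "$SAMPLE_PF_CONF"; then
    printf 'lo0 is filtered\n'
else
    printf 'lo0 is NOT filtered: local connections to daemons bypass pf\n'
fi
```

Run it against a real /etc/pf.conf with `pf_dead_rules "$(cat /etc/pf.conf)"`; removing the "set skip on lo" line (as the original poster did) makes the count drop to zero, after which the explicit lo0 rules start to take effect.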
> On Monday 10 November 2025 at 06:27:59 pm AWST, Zé Loff <[email protected]>
> wrote:
>
> On Mon, Nov 10, 2025 at 09:42:57AM +0000, dirk coetzee wrote:
> > Hi All,
> >
> > I am seeing ssh authentication attempts on my lo0 interface (127.0.0.1). I
> > have antispoofing configured. Unfortunately due to unchangeable
> > circumstances, SSH (TCP/50022) is exposed.
> >
> > Any idea if my antispoofing configuration is incorrect? Or any other
> > suggestions to mitigate SSH connections from lo0?
> >
> > Please note - SSH is configured to listen on TCP/50022. Not TCP/5273, so I
> > have no idea how or why SSH is responding on TCP/5273.
>
> sshd isn't responding on port 5273, that's the source port. I.e., the
> connection is coming from a client running on the host itself.
>
> Also, you have "set skip on lo" at the top of your ruleset, so you're not
> doing any (pf) filtering on loopback interfaces. All your "pass/block
> on lo0" rules are useless.
>
> >
> >
> > Regards
> > dirk
> >
> >
> > ###############################################################################
> >
> > ### Logs ###
> > ### /var/log/authlog ###
> > Nov 3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1
> > port 48186 on 127.0.0.1 port 50022 rdomain "0"
> > Nov 3 21:27:46 server-1 sshd-session[46091]: User root from 127.0.0.1 not
> > allowed because a group is listed in DenyGroups
> > Nov 3 21:27:48 server-1 sshd-session[46091]: Connection closed by invalid
> > user root 127.0.0.1 port 48186 [preauth]
> > Nov 3 21:27:48 server-1 sshd[30737]: srclimit_penalise: ipv4: new
> > 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed
> > authentication
> > Nov 3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1
> > port 5273 on 127.0.0.1 port 50022 rdomain "0"
> > Nov 3 21:33:19 server-1 sshd-session[42309]: User root from 127.0.0.1 not
> > allowed because a group is listed in DenyGroups
> > Nov 3 21:33:23 server-1 sshd-session[42309]: Connection closed by invalid
> > user root 127.0.0.1 port 5273 [preauth]
> > Nov 3 21:33:23 server-1 sshd[30737]: srclimit_penalise: ipv4: new
> > 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed
> > authentication
> >
> > ###############################################################################
> >
> > ### /etc/pf.conf
> > # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> > #
> > # See pf.conf(5) and /etc/examples/pf.conf
> >
> > # ---=== Global Config ====----
> > set skip on lo
> > set block-policy drop
> > set syncookies adaptive (start 33%, end 12%)
> > set reassemble yes no-df
> > set ruleset-optimization none
> > set optimization aggressive
> > set limit { states 20000, frags 20000, src-nodes 5000, table-entries
> > 2000000 }
> > match in all scrub (no-df random-id max-mss 1440)
> >
> > # ---=== Macros ===---
> > ports_dns = "{ 53, 853 }"
> > icmp_useful = "{ echoreq, unreach, timex, timereq }"
> > icmp6_useful = "{ echoreq, unreach, timex, routersol, neighbrsol,
> > routeradv, neighbradv }"
> > ip_ext1 = "{ vio0:0 }"
> >
> > # ---=== Tables ===---
> > table <bruteforce> persist
> > table <sshguard> persist
> > table <sshd_block> persist file "/etc/pf.files/table_sshd_block.txt"
> > table <script1_block> persist file "/etc/pf.files/script1_block.txt"
> > table <geoblock> persist file "/etc/pf.files/zones/pf.geoblock.master"
> > table <githubblkdips> persist file "/etc/pf.files/github_blkd_ips.txt"
> > table <martians> persist file "/etc/pf.files/martians.txt"
> > table <snortips> persist file "/etc/pf.files/snortips.txt"
> > table <wwlogpf> persist file "/etc/pf.files/wwwintrusions.txt"
> >
> > # ---=== Block: IPv6 rules ===---
> > block in quick log on egress inet6 from any to self label "Rule:$nr on
> > $if. Block IPv6 Inbound."
> > block out quick log on egress inet6 from self to any label "Rule:$nr on
> > $if. Block IPv6 Outbound."
> >
> > # ---=== AntiSpoof rules ===--
> > antispoof log quick for { lo0, vio0, wg0, tun0 } label "Rule:$nr $if $proto
> > $dstaddr $dstport. Antispoof rule."
> > block quick log on lo0 inet proto tcp from any to self port {
> > 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF
> > Failure."
> > block quick log on lo0 inet proto udp from any to self port 51820
> > label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> > block quick log on lo0 inet6 proto tcp from any to self port {
> > 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF
> > Failure."
> > block quick log on lo0 inet6 proto udp from any to self port 51820
> > label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> > block quick log from urpf-failed
> > label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
> > block quick log inet proto tcp from any port <1024 to self port
> > {80,443,50022} label "Rule:$nr $if $proto $dstaddr $dstport. Reflection
> > Attack"
> > block quick log inet proto udp from any port <1024 to self port
> > 51820 label "Rule:$nr $if $proto $dstaddr $dstport. Reflection
> > Attack"
> >
> > # ---=== Block: Martians ===---
> > block in quick log on egress inet from <martians> to self
> > label "Rule:$nr on $if. Block Martians Inbound."
> > block out quick log on egress inet from self to <martians>
> > label "Rule:$nr on $if. Block Martians Outbound."
> >
> > # ---=== Default OpenBSD Rules ===---
> > block return in on ! lo0 proto tcp to port 6000:6010 label "Rule:$nr on
> > $if. Default OpenBSD rule - X11"
> > block return out log proto {tcp udp} user _pbuild label "Rule:$nr on
> > $if. Default OpenBSD rule - pbuild"
> >
> > # ---=== Block: SSH Guard ===---
> > block in quick log on egress from <sshguard> to self label
> > "Rule:$nr on $if. SSH Guard Inbound."
> > block out quick log on egress from self to <sshguard> label
> > "Rule:$nr on $if. SSH Guard Outbound."
> > block in quick log on egress from <sshd_block> to self label
> > "Rule:$nr on $if. SSH Block Script Inbound."
> > block out quick log on egress from self to <sshd_block> label
> > "Rule:$nr on $if. SSH Block Script Outbound."
> >
> > # ---=== Geo Fencing ===---
> > block in quick log from <geoblock> to self label
> > "Rule:$nr on $if. GeoBlock Inbound."
> > block return out quick log from self to <geoblock> label
> > "Rule:$nr on $if. GeoBlock Outbound."
> >
> > # ---=== Block: Snort Intrusion Prevention ===---
> > block in quick log on egress from <snortips> to self label
> > "Rule:$nr on $if. Snort IPS Block Inbound."
> > block out quick log on egress from self to <snortips> label
> > "Rule:$nr on $if. Snort IPS Block Outbound."
> >
> > # ---=== Block: WWW log file parsed offenders ===---
> > block in quick log on egress from <wwlogpf> to self label
> > "Rule:$nr on $if. WWW offenders Inbound."
> > block out quick log on egress from self to <wwlogpf> label
> > "Rule:$nr on $if. WWW offenders Outbound."
> >
> > # ---=== Block: Scripted Block Lists ===---
> > block in quick log on egress from <script1_block> to self label
> > "Rule:$nr on $if. Bad IPs Block List Inbound."
> > block out quick log on egress from self to <script1_block> label
> > "Rule:$nr on $if. Bad IPs Block List Outbound."
> > block in quick log on egress from <githubblkdips> to self label
> > "Rule:$nr on $if. GitHub Repo Banned IPs Inbound."
> > block out quick log on egress from self to <githubblkdips> label
> > "Rule:$nr on $if. GitHub Repo Banned IPs Outbound."
> >
> > # ---=== Block: Bruteforce Protection ===---
> > block in quick log on egress from <bruteforce> to self label
> > "Rule:$nr on $if. Bruteforcers Inbound."
> > block out quick log on egress from self to <bruteforce> label
> > "Rule:$nr on $if. Bruteforcers Outbound."
> >
> > # ---=== Inbound Access: SSH Allow and Source Track ===---
> > pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1
> > port = 50022 flags S/SA synproxy state (source-track rule, max-src-conn 3,
> > max-src-conn-rate 3/10, overload <bruteforce> flush global, src.track 600)
> > label "Rule:$nr on $if interface. Inbound SSH."
> >
> > # ---=== Inbound Access: HTTP/S ===---
> > pass in quick log on egress inet proto tcp from any port >1023 to
> > $ip_ext1 port = 80 flags S/SA synproxy state (source-track rule,
> > max-src-conn 64, max-src-conn-rate 64/300, overload <bruteforce> flush
> > global, src.track 3600) label "Rule:$nr on $if interface Inbound HTTP."
> > pass in quick log on egress inet proto tcp from any port >1023 to
> > $ip_ext1 port = 443 flags S/SA synproxy state (source-track rule,
> > max-src-conn 64, max-src-conn-rate 64/300, overload <bruteforce> flush
> > global, src.track 3600) label "Rule:$nr on $if interface Inbound HTTPS."
> >
> > # ---=== Inbound Access: Wireguard ===---
> > pass in quick log on egress inet proto udp from any port >1023 to
> > $ip_ext1 port = 51820 keep state (source-track rule, max-src-conn 30,
> > overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if
> > interface. Inbound Wireguard VPN."
> > pass in quick log on wg0 inet proto tcp from wg0:network port >1023 to
> > wg0:0 port = 50022 label "Rule:$nr on $if interface. Inbound WG SSH."
> > pass in quick log on wg0 inet proto icmp from wg0:network to
> > $ip_ext1 label "Rule:$nr on $if interface. Inbound WG ICMP."
> > block in quick log on egress inet proto udp from any to
> > self port = 51820 label "Rule:$nr on $if interface. Inbound Wireguard VPN."
> >
> > # ---=== User Oubound Rules: dhcp ===---
> > pass out quick log inet proto udp from self port {67,68}
> > to 255.255.255.255 port {67,68} user _dhcp label "$nr: Allow DHCP
> > service on ports 67 68"
> > block out quick log inet proto {tcp udp} from self
> > to any group _dhcp label "$nr: Block DHCP
> > service"
> >
> > # ---=== Outbound Access: NTP ===---
> > pass out quick log inet proto udp from self port >1023 to any port 123
> > user _ntp set tos ef label "Rule:$nr on $if interface. NTP Outbound."
> > pass out quick log inet6 proto udp from self port >1023 to any port 123
> > user _ntp label "Rule:$nr on $if interface. NTP Outbound."
> > pass out quick log inet proto tcp from self port >1023 to any port 443
> > user _ntp label "Rule:$nr on $if interface. NTP Outbound."
> > pass out quick log inet6 proto tcp from self port >1023 to any port 443
> > user _ntp label "Rule:$nr on $if interface. NTP Outbound."
> > block out quick log inet proto { tcp udp } from self group _ntp
> > label "Rule:$nr on $if interface. Block NTP Out."
> > block out quick log inet6 proto { tcp udp } from self group _ntp
> > label "Rule:$nr on $if interface. Block NTP Out."
> >
> > # ---=== Outbound Access: UnWind ===---
> > pass out quick log inet proto { tcp udp } from self to any port
> > $ports_dns group _unwind label "Rule:$nr on $if interface. Unwind Outbound
> > ipv4"
> > pass out quick log inet6 proto { tcp udp } from self to any port
> > $ports_dns group _unwind label "Rule:$nr on $if interface. Unwind Outbound
> > ipv6"
> > pass out quick log inet proto tcp from self to any port 443
> > group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> > pass out quick log inet6 proto tcp from self to any port 443
> > group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
> > block out quick log inet proto { tcp udp } from self to any port
> > $ports_dns group _unwind label "Rule:$nr on $if interface. Block any
> > service DNS Out4"
> > block out quick log inet6 proto { tcp udp } from self to any port
> > $ports_dns group _unwind label "Rule:$nr on $if interface. Block any
> > service DNS Out6"
> > block out quick log inet proto { tcp udp } from self
> > group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup
> > Rule,"
> > block out quick log inet6 proto { tcp udp } from self
> > group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup
> > Rule,"
> >
> > # ---=== Outbound Access: DHCPD ===---
> > pass out quick log inet proto { tcp udp } from self to any port 67:68
> > group _dhcp label "Rule:$nr on $if interface. DHCPD."
> > pass out quick log inet6 proto { tcp udp } from self to any port 67:68
> > group _dhcp label "Rule:$nr on $if interface. DHCPD."
> > block out quick log inet proto { tcp udp } from self
> > group _dhcp label "Rule:$nr on $if interface. DHCPD."
> > block out quick log inet6 proto { tcp udp } from self
> > group _dhcp label "Rule:$nr on $if interface. DHCPD."
> >
> > # ---=== Outbound Access: from pkgfetch ===---
> > pass out quick log inet proto { tcp } from self port >1023 to any port
> > 443 user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 443 user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
> > block out quick log inet proto { tcp udp } from self to any group
> > _pkgfetch label "Rule:$nr on $if interface. Block Pkg."
> > block out quick log inet6 proto { tcp udp } from self to any group
> > _pkgfetch label "Rule:$nr on $if interface. Block Pkg."
> >
> > # ---=== Outbound Access: from syspatch ===---
> > pass out quick log inet proto { tcp } from self port >1023 to any port
> > 443 user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 443 user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
> > block out quick log inet proto { tcp udp } from self to any group
> > _syspatch label "Rule:$nr on $if interface. Block Syspatch"
> > block out quick log inet6 proto { tcp udp } from self to any group
> > _syspatch label "Rule:$nr on $if interface. Block Syspatch"
> >
> > # ---=== Outbound Access: from freshclam ===---
> > ## pass out quick log inet proto { tcp } from self port >1023 to any port
> > 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> > ## pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
> > pass out quick log inet proto { tcp } from self port >1023 to any port
> > 443 user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 443 user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
> > block out quick log inet proto { tcp udp } from self to any group _clamav
> > label "Rule:$nr on $if interface. Block Freshclam."
> > block out quick log inet6 proto { tcp udp } from self to any group _clamav
> > label "Rule:$nr on $if interface. Block Freshclam."
> >
> > # ---=== Outbound Access: from root ===---
> > pass out quick log inet proto { tcp } from self port >1023 to any port 80
> > user root label "Rule:$nr on $if interface. Root HTTP Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port 80
> > user root label "Rule:$nr on $if interface. Root HTTP Out."
> > pass out quick log inet proto { tcp } from self port >1023 to any port
> > 443 user root label "Rule:$nr on $if interface. Root HTTPS Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 443 user root label "Rule:$nr on $if interface. Root HTTPS Out."
> > block out quick log inet proto { tcp udp } from self to any user root
> > label "Rule:$nr on $if interface. Block root out."
> > block out quick log inet6 proto { tcp udp } from self to any user root
> > label "Rule:$nr on $if interface. Block root out."
> > block out quick log inet proto { tcp udp } from self to any group wheel
> > label "Rule:$nr on $if interface. Block wheel out."
> > block out quick log inet6 proto { tcp udp } from self to any group wheel
> > label "Rule:$nr on $if interface. Block wheel out."
> >
> > # ---=== Outbound Access: from dirk ===---
> > pass out quick log inet proto { tcp } from self port >1023 to any port 22
> > user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port 22
> > user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
> > pass out quick log inet proto { tcp } from self port >1023 to any port 43
> > user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port 43
> > user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
> > pass out quick log inet proto { tcp } from self port >1023 to any port 80
> > user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port 80
> > user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
> > pass out quick log inet proto { tcp } from self port >1023 to any port
> > 443 user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> > pass out quick log inet6 proto { tcp } from self port >1023 to any port
> > 443 user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
> > block out quick log inet proto { tcp udp } from self to any group dirk
> > label "Rule:$nr on $if interface. Block Dirk."
> > block out quick log inet6 proto { tcp udp } from self to any group dirk
> > label "Rule:$nr on $if interface. Block Dirk."
> >
> > # ---=== ICMP Outbound Rules ===---
> > pass out quick log inet proto icmp from self to any icmp-type
> > $icmp_useful label "Rule:$nr on $if interface. ICMP Outbound."
> > pass out quick log inet6 proto icmp6 from self to any icmp6-type
> > $icmp6_useful label "Rule:$nr on $if interface. ICMP6 Outbound."
> > block out quick log inet proto icmp from self to any
> > label "Rule:$nr on $if interface. ICMP Outbound."
> > block out quick log inet6 proto icmp6 from self to any
> > label "Rule:$nr on $if interface. ICMP6 Outbound."
> >
> > # ---=== ICMP Inbound Rules ===---
> > pass in quick log inet proto icmp from any to self icmp-type 8 code 0
> > keep state label "Rule:$nr on $if interface. ICMP Inbound."
> > block in quick log inet proto icmp from any to self
> > label "Rule:$nr on $if interface. ICMP Inbound."
> > block in quick log inet6 proto icmp6 from any to self
> > label "Rule:$nr on $if interface. ICMP6 Inbound."
> >
> > # ---=== Block Reverse Path Verify Fail ===---
> > block in quick log inet from urpf-failed label "Rule:$nr on $if
> > interface. Block reverse patch verify failures."
> > block in quick log inet6 from urpf-failed label "Rule:$nr on $if
> > interface. Block reverse patch verify failures."
> > block in quick log inet from no-route to any label "Rule:$nr on $if
> > interface. Block non routable traffic."
> > block in quick log inet6 from no-route to any label "Rule:$nr on $if
> > interface. Block non routable traffic."
> >
> > # ---=== Cleanup Rules ===---
> > block in quick log inet6 from any label "Rule:$nr on $if interface -
> > Cleanup IPv6 *in* Rule."
> > block in quick log inet6 to any label "Rule:$nr on $if interface -
> > Cleanup IPv6 *in* Rule."
> > block out quick log inet6 from any label "Rule:$nr on $if interface -
> > Cleanup IPv6 *out* Rule."
> > block out quick log inet6 to any label "Rule:$nr on $if interface -
> > Cleanup IPv6 *out* Rule."
> > block in quick log inet from any label "Rule:$nr on $if interface -
> > Cleanup IPv4 *in* Rule."
> > block in quick log inet to any label "Rule:$nr on $if interface -
> > Cleanup IPv4 *in* Rule."
> > block out quick log inet from any label "Rule:$nr on $if interface -
> > Cleanup IPv4 *out* Rule."
> > block out quick log inet to any label "Rule:$nr on $if interface -
> > Cleanup IPv4 *out* Rule."
> > block quick log all label "Rule:$nr on $if interface - Last
> > match Cleanup Rule."
> > block log label "Rule:$nr on $if interface -
> > Stateless Cleanup Rule."
> >
>
> --
>
--
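The source-port confusion in the quoted authlog (port 5273 is the client's ephemeral port, not something sshd listens on), as an added example that is not part of the thread: a POSIX sh/awk parser for sshd "Connection from" lines that separates source and destination endpoints and flags connections whose source is a loopback address, which is what a client running on the host itself looks like. The log lines are constructed in the format quoted above, with a remote example added using documentation addresses.

```shell
#!/bin/sh
# Added example: parse sshd "Connection from" events and flag loopback-origin
# connections. Constructed sample in the thread's log format (not a real log).
SAMPLE_AUTHLOG='Nov 3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1 port 48186 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:27:46 server-1 sshd-session[46091]: User root from 127.0.0.1 not allowed because a group is listed in DenyGroups
Nov 3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1 port 5273 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:40:02 server-1 sshd-session[51122]: Connection from 203.0.113.7 port 44021 on 192.0.2.10 port 50022 rdomain "0"'

# Print "src_ip src_port dst_ip dst_port origin" per connection event.
# "from X port P" is the client side; "on Y port Q" is the sshd listener.
# origin is "local" for a loopback source (a client on this host), else "remote".
sshd_connections() {
    printf '%s\n' "$1" | awk '
        /sshd[^:]*: Connection from / {
            src = sport = dst = dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sport = $(i + 3) }
                if ($i == "on")   { dst = $(i + 1); dport = $(i + 3) }
            }
            origin = (src ~ /^127\./ || src == "::1") ? "local" : "remote"
            print src, sport, dst, dport, origin
        }'
}

# Count connection events that originated on the host itself.
sshd_local_count() {
    sshd_connections "$1" | awk '$5 == "local" { n++ } END { print n + 0 }'
}

sshd_connections "$SAMPLE_AUTHLOG"
printf 'local-origin connections: %s\n' "$(sshd_local_count "$SAMPLE_AUTHLOG")"
```

A non-zero local count on a host where nobody should be running ssh clients against itself is worth an alert; as the thread explains, such traffic traverses lo0 and is only seen by pf once "set skip on lo" is gone.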