> OK, so about these rules:
>
> @1 block return in log all
> @2 pass out quick on sis0 proto tcp all flags S/SA modulate state
> @3 pass out all flags S/SA keep state
>
> I still don't see how that "opens any ports" for outbound traffic
> returning as part of a request from inbound traffic. All traffic
> inbound on an interface should be blocked; like I mentioned earlier
> (although I realize I didn't quite say it right) any ingress traffic
> headed anywhere is blocked unless a later rule allows it to pass. I'm
> not filtering egress traffic because if the inbound traffic is already
> blocked by default, that should be enough to prevent the
> connection...right? To me it made more conceptual sense to only block
> one direction, instead of both... and unless I am mistaken (as it
> appears I am), I thought that this approach would be sufficient to
> supply a default deny policy to all of my interfaces.

Soooo, on this note. I had some time yesterday to do some more
troubleshooting and I believe that, yes, pf is working the way I think
it is. I replaced my external connection with a crossover cable to a
laptop with nmap installed on it. With pf turned off, it dutifully
reports that SSH is running. With pf turned on, it can't find any open
ports. I'm going to assume (for better or worse) that the report of
hundreds of open ports I saw from my scan at work is the result of
something strange happening that I'm not aware of. I know I hit all
kinds of proxies and packet manglers on my way out to the world and
back to my Soekris, so perhaps something is happening there that I
don't fully understand. But... at least it appears that my ruleset
does more or less work like I think it does.
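For reference, here is a complete default-deny pf.conf in the spirit of the three rules quoted at the top of this message. It is an added example written for this thread, not the poster's actual ruleset: it keeps the "block in, stateful pass out" idea but also blocks egress by default, so the only traffic leaving the box is what a pass rule names. The interface name sis0 is taken from the quoted rules; the admin network and the service list are assumed placeholders.

```pf
# Added example (not the poster's ruleset). Interface from the quoted rules;
# admin_net and the service list are assumed placeholders.
ext_if    = "sis0"
admin_net = "192.0.2.0/24"          # constructed documentation range
tcp_out   = "{ ssh, domain, http, https }"

set skip on lo0                     # never filter loopback

# Default deny in BOTH directions, logged, before any pass rule.
# "block return" answers with TCP RST / ICMP unreachable instead of a silent drop,
# which is why the laptop's nmap scan sees no open ports rather than timeouts.
block return in log all
block out log all

# Outbound: only the listed services, stateful. The state entry created here is
# what lets the reply packets back in past "block in all"; no inbound pass rule
# is needed for return traffic.
pass out quick on $ext_if proto tcp to any port $tcp_out flags S/SA modulate state
pass out quick on $ext_if proto udp to any port domain keep state
pass out quick on $ext_if inet proto icmp icmp-type echoreq keep state

# Inbound: the only unsolicited connection allowed is SSH from the admin network.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port ssh flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; afterwards `pfctl -sr` shows the loaded rules in evaluation order and `pfctl -ss` lists the state entries that are letting reply packets through.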
