On 2017/12/04 15:17, Rolf Loudon wrote:
> I’m both new to pf and struggling with what I thought was a simple
> idea. This is on a laptop, not a firewall per se. I want to (a) allow
> incoming ssh connections for a small list of addresses, and (b) block
> other inbound ssh. No outbound restrictions at all.
>
> Can’t make it work. /etc/pf.conf:
>
> table <mytable> { 192.168.10.13, 192.168.10.14, 192.168.100.1 }
>
> pass in proto tcp from <mytable> port ssh
> block in proto tcp from any port ssh
> block in log all
>
> I also thought that using ‘quick’ on the second rule would obviate the
> need for the generic last block. So achieving it in two rules, just
> like what my specification is.
>
> I’ve tried many variations. I think I’m missing some understanding. I
> know the rules are being observed because I can put in very basic
> statements like blocking a certain IP address for any service and that
> works.
Normally, PF runs through the whole ruleset, and the last matching rule wins. This can be short-circuited with "quick", which terminates ruleset processing if a "quick" rule matches.

This will do what you want:

table <mytable> { 192.168.10.13, 192.168.10.14, 192.168.100.1 }
block log
# "to port ssh" matches the destination port; "from <mytable> port ssh"
# would match the client's source port, which is ephemeral, not 22
pass in proto tcp from <mytable> to port ssh
# the laptop's own connections (no outbound restrictions)
pass out

It is usually helpful for the first rule to block *all* packets. There is an implicit default rule (equivalent to "pass flags any no state") and things can get confusing if you have some traffic being allowed by this.
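To make the last-match and "quick" semantics described above concrete, here is an added toy model of PF rule evaluation (not code from the thread or from PF itself). It evaluates the asker's original ruleset, the reply's block-first version, and the asker's two-rule "quick" idea against constructed sample packets; the Rule/Packet names and the sample addresses and ports are assumptions for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Set

MYTABLE = {"192.168.10.13", "192.168.10.14", "192.168.100.1"}

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    src: Optional[Set[str]] = None   # 'from <table>'; None means 'from any'
    sport: Optional[int] = None      # 'from ... port N' matches the SOURCE port
    dport: Optional[int] = None      # 'to port N' matches the DESTINATION port
    quick: bool = False

Packet = namedtuple("Packet", "direction src sport dport")

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and (rule.src is None or pkt.src in rule.src)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation.
    With no match at all, PF's implicit default rule passes the packet."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Asker's ruleset: 'from <mytable> port ssh' tests the SOURCE port, so a real
# ssh client (ephemeral source port, destination port 22) never matches it.
ORIGINAL = [Rule("pass", "in", MYTABLE, sport=22),
            Rule("block", "in", sport=22), Rule("block", "in")]
# Reply's shape (block everything first, last match wins), port on the
# destination side, plus an explicit pass for the laptop's own outbound traffic.
CORRECTED = [Rule("block"), Rule("pass", "in", MYTABLE, dport=22),
             Rule("pass", "out")]
# Asker's two-rule idea: works only because 'quick' stops the later block rule.
TWO_RULES = [Rule("pass", "in", MYTABLE, dport=22, quick=True),
             Rule("block", "in", dport=22)]

# Constructed sample packets (not from the thread).
SSH_FROM_ALLOWED = Packet("in", "192.168.10.13", 51000, 22)
SSH_FROM_OTHER = Packet("in", "10.0.0.5", 51001, 22)
HTTP_OUT = Packet("out", "192.168.10.20", 51002, 80)
```

Running the original ruleset shows every inbound ssh connection blocked, including the allowed hosts, which matches the "can't make it work" symptom; dropping quick=True from TWO_RULES makes the later block rule win again.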