On 2017/12/04 15:17, Rolf Loudon wrote:
> I’m both new to pf and struggling with what I thought was a simple
> idea. This is on a laptop, not a firewall per se. I want to (a) allow
> incoming ssh connections for a small list of addresses, and (b) block
> other inbound ssh. No outbound restrictions at all.
>
> Can’t make it work. /etc/pf.conf:
>
> table <mytable> { 192.168.10.13, 192.168.10.14, 192.168.100.1 }
>
> pass in proto tcp from <mytable> port ssh
> block in proto tcp from any port ssh
> block in log all
>
> I also thought that using ‘quick’ on the second rule would obviate the
> need for the generic last block. So achieving it in two rules, just
> like what my specification is.
>
> I’ve tried many variations. I think I’m missing some understanding. I
> know the rules are being observed because I can put in very basic
> statements like blocking a certain IP address for any service and that
> works.

Normally, PF runs through the whole ruleset, and the last matching rule
wins. This can be short-circuited with "quick" which terminates ruleset
processing if a "quick" rule matches.
This will do what you want:

table <mytable> { 192.168.10.13, 192.168.10.14, 192.168.100.1 }
block log
pass in proto tcp from <mytable> to any port ssh

It is usually helpful for the first rule to block *all* packets. There is
an implicit default rule (equivalent to "pass flags any no state") and
things can get confusing if you have some traffic being allowed by this.
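As an added illustration (not part of the thread), a small Python model of PF's last-match-wins evaluation with `quick` and the implicit default pass, run over the poster's ruleset as written (where `from <mytable> port ssh` constrains the source port) and over the reply's ruleset with the ssh port written as a destination port (`to port ssh`). It also appends a `pass out` rule, which is assumed here and not in the reply, because a direction-less `block` also covers outbound traffic and the poster wants no outbound restrictions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Addresses from the thread's table <mytable>.
MYTABLE = frozenset(ip_address(a) for a in ("192.168.10.13", "192.168.10.14", "192.168.100.1"))

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out" or None for both
    src: Optional[frozenset] = None  # allowed source addresses, None = any
    src_port: Optional[int] = None   # "from ... port N" constrains the SOURCE port
    dst_port: Optional[int] = None   # "to ... port N" constrains the DESTINATION port
    quick: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    sport: int
    dport: int

def matches(rule, pkt):
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.src is None or ip_address(pkt.src) in rule.src)
            and (rule.src_port is None or rule.src_port == pkt.sport)
            and (rule.dst_port is None or rule.dst_port == pkt.dport))

def evaluate(ruleset, pkt):
    """Walk the whole ruleset: the last matching rule wins unless a matching
    rule is quick. With no match, PF's implicit default rule passes the packet."""
    verdict = "pass"
    for rule in ruleset:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Poster's ruleset as written: "from <mytable> port ssh" tests the SOURCE port, so an
# inbound ssh connection (random source port, destination 22) falls through to "block in".
ORIGINAL = [Rule("pass", "in", MYTABLE, src_port=22),
            Rule("block", "in", src_port=22),
            Rule("block", "in")]
# Reply's ruleset with the ssh port written as a destination port ("to port ssh").
REPLY = [Rule("block"), Rule("pass", "in", MYTABLE, dst_port=22)]
# Assumed addition: "block" with no direction also covers outbound packets, so the
# poster's "no outbound restrictions" requirement needs one more rule.
REPLY_WITH_OUT = REPLY + [Rule("pass", "out")]
```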