<snip>

> > ATTACHMENT part 2 application/octet-stream name=pf.conf.20041015
>
> I took a look and I can say that you should redesign the whole thing. The
> common and effective strategy is to take a block (in ext_if) by default
> stance. Then, still common, because it makes things simple, you allow all
> traffic out and keep state on it.

Actually, I already do that. The "block log all" takes care of that.

> This rule is allowing your box to be attacked:
>
> pass in log on $ext_if proto tcp from any to <protected> port $tcp_in keep state
>
> Where port 22 is included in $tcp_in. Why are you allowing hosts to connect
> to your box from the internet? Do *you* need to do this? Very bad idea. If
> you must then at least make it so sshd will not allow root to connect
> directly (see /etc/ssh/sshd_config and look at the PermitRootLogin
> parameter). You may also want to be less open by not using the "any"
> keyword.

Yes I do need this. My boss and I frequently ssh to the computers behind the
firewall. It's not so much that I'm concerned about the attacks as I am about
why traffic is getting through that shouldn't be. After I added an IP to my
block list, some packets still got through (although most do not).

Thanks,
Joe

=====
"An eye for an eye soon makes the whole world blind." --Mahatma Gandhi
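The following is an added illustration for readers of this thread, not the poster's pf.conf.20041015 and not from the reply: it lays out the block-by-default design the reply describes, keeps the quoted port 22 rule but narrows its source from "any" to an assumed <admins> table, and notes how rule order and existing state interact with a block list. Interface name, ports and all addresses are constructed; $ext_if, $tcp_in and <protected> are the names used in the thread.

```pf
# Added example; macros, tables and addresses below are assumptions.
ext_if = "fxp0"                      # assumed external interface
tcp_in = "{ 80 }"                    # ports still open to everyone; 22 removed
table <protected> persist { 192.0.2.10, 192.0.2.11 }       # constructed
table <admins>    persist { 198.51.100.5, 198.51.100.6 }   # assumed: the
                                     # addresses Joe and his boss ssh from
table <blocked>   persist file "/etc/pf.blocked"           # the block list

# Block-by-default, as the reply recommends.
block log all

# Blocked hosts. "quick" matters: pf applies the LAST matching rule, so
# without quick a later "pass in" rule overrides this block for a host
# that also matches the pass rule.
block in quick log on $ext_if from <blocked> to any

# Allow all outbound traffic and keep state on it.
pass out on $ext_if keep state

# The rule quoted in the thread (kept for comparison, disabled):
# pass in log on $ext_if proto tcp from any to <protected> port $tcp_in keep state

# Tightened form: ssh only from the admin table, other services as before.
pass in log on $ext_if proto tcp from <admins> to <protected> port 22 keep state
pass in log on $ext_if proto tcp from any to <protected> port $tcp_in keep state

# Note on "some packets still got through": a connection that built a state
# entry before its address was added to <blocked> keeps matching that state
# and never reaches the ruleset again until the state expires or is removed
# (pfctl -k <host>). On the protected hosts, per the reply, set
# PermitRootLogin no in /etc/ssh/sshd_config.
```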
