Håkan Kvist <[EMAIL PROTECTED]> writes:

> I want to only let certain ip-ranges to have SSH-access.

So far so good.

> So I typed in the following rule:
>
> pass in quick on $ext proto tcp from { xx.xx.xx.xx/xx , xx.xx.xx.xx/xx \
> xx.xx.xx.xx/xx , ... } to xx.xx.xx.xx/xx port 22 keep state

Meaning, some ranges get to connect on port 22.

> And that works fine, however incoming connections doesn't get blocked, i.e.
> ssh hangs for a while when trying to connect.

You mean other connections from the ones not in your rule get through?
Well, to properly diagnose, we need the rest of your rule set. The quick
rule means the rest of the rules are never evaluated if a connection
matches. If you have other rules after this allowing others in (or for
that matter a too permissive pass rule before it), you could be letting
others connect.

> nmap also says the port is in state filtered.

I don't see why not. Have you tried using nmap from an address in your
pass rule?

> Can I get pf to report the port as closed instead or would that be unwise?

nmap and pf are separate things. I assume a scan from somewhere blocked
will show it as closed.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
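The ordering point Peter raises, shown as an added pf.conf fragment (constructed here, not Håkan's rule set or anything from Peter's reply). The interface name em0, the host address and the allowed ranges are assumed placeholder values from the documentation address blocks; the commented-out lines illustrate the two placements of a too-permissive pass rule that would let other sources through.

```pf
# /etc/pf.conf fragment (constructed example, not the poster's rule set)
ext_if   = "em0"                 # assumed external interface name
ssh_host = "192.0.2.10"          # assumed address of the SSH host
table <ssh_ok> { 192.0.2.0/24, 198.51.100.0/24 }   # assumed allowed source ranges

# Default deny. Without "quick", a later matching pass rule still wins,
# so this only blocks what nothing below explicitly passes.
block all

# Alternative to silently dropping: answer blocked TCP with a RST so a
# remote scanner sees the port as closed rather than filtered.
# block return all

# Ordering pitfall 1: a broad "quick" pass BEFORE the SSH rule matches
# every source on port 22 and stops evaluation right there.
# pass in quick on $ext_if proto tcp to $ssh_host port 22 keep state

# Intended rule: only the listed ranges reach port 22. "quick" means no
# later rule is consulted for packets that match this one.
pass in quick on $ext_if proto tcp from <ssh_ok> to $ssh_host port 22 keep state

# Ordering pitfall 2: a permissive pass AFTER the SSH rule. Packets from
# sources outside <ssh_ok> never matched the quick rule above, so they
# fall through to this one and are passed.
# pass in on $ext_if proto tcp to $ssh_host port 22 keep state
```

To check the loaded rule order rather than the file as you remember it, `pfctl -sr` prints the active rule set in evaluation order, and `pfctl -nf /etc/pf.conf` parses the file without loading it. Whether a blocked source sees port 22 as "filtered" or "closed" depends on the block policy: a plain `block` drops the packet (scanner times out, reports filtered), while `block return` sends a TCP RST (scanner reports closed).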
