Assuming that you have a general:
block all
statement at the beginning of your ruleset to complement the pass rule
you listed, then the connections are indeed getting blocked. It is just
that the packets are being silently dropped so the connecting ssh
doesn't know that it has been thwarted.
Try adding:
set block-policy return
at the top of your ruleset so that pf will kindly return something to
the connecting client (something appropriate based on the type of
connection attempt) to tell it to give up.
-David
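As an added illustration of the advice above (not part of either message), here is a minimal ruleset in pf.conf syntax that combines the `block all` default, the `set block-policy return` option and the poster's pass rule. The interface name, the allowed source networks and the protected range are placeholders.

```pf
# Added example, not from the thread. Interface, source table and
# protected range are placeholders (documentation address blocks).
ext_if  = "em0"
ssh_srv = "192.0.2.0/24"            # placeholder: protected public range
table <ssh_allowed> { 198.51.100.0/24, 203.0.113.0/24 }   # placeholder sources

# Default policy is "drop": a blocked SYN is silently discarded, the
# client retransmits until it times out, and nmap reports "filtered".
# set block-policy drop

# With "return", pf answers blocked TCP with a RST and other IP traffic
# with an ICMP unreachable, so the client fails at once and nmap reports
# the port as "closed". This only affects "block" rules that do not
# carry their own "drop" or "return" keyword.
set block-policy return
set skip on lo

# Deny everything not explicitly passed below.
block all

# Only the listed sources may open SSH to the protected range.
pass in quick on $ext_if proto tcp from <ssh_allowed> to $ssh_srv \
    port 22 keep state

# Check the file before loading it:  pfctl -nf /etc/pf.conf
# Load it:                           pfctl -f /etc/pf.conf
```

Returning a RST confirms to a scanner that a live host is administratively refusing the port, while dropping gives nothing away at the cost of clients hanging; which is preferable depends on whether the protected hosts are meant to be visible anyway.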
Håkan Kvist wrote:
Hi
I have a question, with a hopefully simple answer :-)
I have a transparent OpenBSD/pf firewall protecting a range of public
IP addresses.
I want to only let certain ip-ranges to have SSH-access.
So I typed in the following rule:
pass in quick on $ext proto tcp from { xx.xx.xx.xx/xx , xx.xx.xx.xx/xx \
xx.xx.xx.xx/xx , ... } to xx.xx.xx.xx/xx port 22 keep state
And that works fine, however incoming connections don't get blocked, i.e.
ssh hangs for a while when trying to connect.
nmap also says the port is in state filtered.
Can I get pf to report the port as closed instead or would that be unwise?
regards
Håkan