On Wed, 15 Jun 2005 20:06:41 +0000 (UTC), Håkan Kvist
<[EMAIL PROTECTED]> wrote:
>Hi
>
>I have a question, with a hopefully simple answer :-)
>
>I have a transparent OpenBSD/pf firewall protecting a range of public
>IP addresses.
>
>I want to only let certain ip-ranges to have SSH-access.
>
>So I typed in the following rule:
>
>pass in quick on $ext proto tcp from { xx.xx.xx.xx/xx , xx.xx.xx.xx/xx \
>xx.xx.xx.xx/xx , ... } to xx.xx.xx.xx/xx port 22 keep state
Using a table here is tidier and doesn't expand to a larger set of rules.
>And that works fine, however incoming connections don't get blocked, i.e.
>ssh hangs for a while when trying to connect.
That's because you have block-policy set to drop.
>
>nmap also says the port is in state filtered.
>
>Can I get pf to report the port as closed instead or would that be unwise?
Yes, set it globally via
set block-policy return
Being a good internet citizen by returning an RST or ICMP unreachable as
per the RFCs is not unwise and is to be lauded.
greg
--
"Fair trade bears a suspicious likeness to our old friend protection.
Protection was dead and buried 30 years ago, but he has come out of the grave
and is walking around in the broad light of day. But after long experience
underground, he endeavours to look more attractive than he used to appear...
and in consequence he found it convenient to assume a new name."
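Putting Greg's two points together (a table for the allowed sources, and a global `set block-policy return`), here is a complete pf.conf fragment as an added example; it is not from the original thread. The interface name `em0`, the table name `ssh_admins` and all addresses are placeholders chosen for this example, not values from the poster's setup.

```pf
# Added example (not from the original thread): a transparent pf firewall
# that only lets listed source ranges reach TCP/22 on the protected block,
# and answers everything else with an RST / ICMP unreachable instead of
# dropping silently.  Interface, table name and addresses are placeholders.
ext = "em0"
protected = "192.0.2.0/24"          # placeholder: the public block behind the bridge

# Sources allowed to reach SSH.  A table is one lookup structure, so adding
# entries does not multiply the rule set the way an inline { } list does.
table <ssh_admins> persist { 198.51.100.0/24, 203.0.113.17 }

# Answer blocked packets instead of dropping them: TCP gets an RST, UDP an
# ICMP port-unreachable.  A client fails immediately instead of hanging, and
# nmap reports the port as "closed" rather than "filtered".
set block-policy return

# Default deny on the external interface; inherits the global block-policy.
block in on $ext

# Allow SSH from the listed sources only.  "keep state" is the default for
# pass rules on OpenBSD 4.1 and later; it is written out here for clarity.
pass in quick on $ext proto tcp from <ssh_admins> to $protected port 22 keep state

# A per-rule action overrides the global policy, e.g. stay silent towards one
# noisy source while still returning RSTs to everybody else (placeholder address).
block drop in quick on $ext from 203.0.113.200 to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; because the table is declared `persist`, entries can be managed at runtime with `pfctl -t ssh_admins -T add 198.51.100.0/24` (or `-T delete`, `-T show`) without reloading the rule set. One caveat on the policy choice: `return` costs one reply packet per blocked packet, so it is a 1:1 response rather than an amplifier, but on a link that sees heavy spoofed scanning you may still prefer `block drop` for the noisiest sources, as the last rule shows.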