On 2005-06-15, Greg Hennessy <[EMAIL PROTECTED]> wrote:
> On Wed, 15 Jun 2005 20:06:41 +0000 (UTC), Håkan Kvist
><[EMAIL PROTECTED]> wrote:
>
>>Hi
>>
>>I have a question, with a hopefully simple answer :-)
>>
>>I have a transparent OpenBSD/pf firewall protecting a range of public 
>>IP addresses.
>>
>>I want to let only certain IP ranges have SSH access.
>>
>>So I typed in the following rule:
>>
>>pass in quick on $ext proto tcp from { xx.xx.xx.xx/xx , xx.xx.xx.xx/xx \
>>xx.xx.xx.xx/xx , ... } to xx.xx.xx.xx/xx port 22 keep state
>
> Using a table here is tidier and doesn't expand to a larger set of rules. 
>
>
>>And that works fine; however, incoming connections don't get blocked, i.e. 
>>ssh hangs for a while when trying to connect. 
>
> That's because you have block policy set to drop. 
>
>>
>>nmap also says the port is in state filtered.
>>
>>Can I get pf to report the port as closed instead or would that be unwise?
>
> Yes, set it globally via 
>
> set block-policy return 
>
> Being a good internet citizen by returning an RST or icmp unreachable as
> per the RFCs is not unwise and is to be lauded. 
>
>
> greg
>

Thanks a lot, that looks exactly like what I want to do, I'll try it out 
tomorrow.

regards
Håkan


-- 
Håkan Kvist                 
Real address is hagar_snabela_df_punkt_lth_se
     replace snabela with "@", punkt with "."
     remove _

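As an added example (written for this page, not posted by either participant), here is a pf.conf fragment that combines Greg's two suggestions: a table for the permitted source ranges and a return block policy, with the pass rule from the original question rewritten to use the table. The interface name em0, the macro and table names and the RFC 5737 documentation prefixes are placeholders chosen for the example; substitute your own.

```pf
# Added example, not from the original thread. The interface, the macro
# and table names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# prefixes are illustrative placeholders (RFC 5737 documentation ranges).
ext = "em0"
protected = "203.0.113.0/24"

# Sources allowed to reach SSH on the protected range. A table is a single
# kernel object no matter how many entries it holds, and its members can be
# changed at run time (pfctl -t ssh_clients -T add/delete) without reloading
# the ruleset.
table <ssh_clients> persist { 192.0.2.0/24, 198.51.100.0/24 }

# Answer refused TCP connections with a RST and other protocols with an
# ICMP unreachable instead of dropping them silently, so a blocked ssh
# client fails immediately and nmap reports the port as closed rather
# than filtered.
set block-policy return

# Default deny on the external interface; with the policy above this sends
# a RST or unreachable for everything that is not passed below.
block in on $ext

# Only table members may open SSH sessions to the protected range.
pass in quick on $ext proto tcp from <ssh_clients> to $protected port 22 keep state

# Alternative if you prefer to keep a silent drop as the default and answer
# only on the SSH port: leave block-policy at its default of drop and add,
# after the pass rule,
#   block return in quick on $ext proto tcp to $protected port 22
# Because the pass rule is marked quick, table members never reach it.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -t ssh_clients -T show` lists what the table currently contains. The per-rule `block return` variant limits the RST replies to port 22 on the protected range and leaves every other port silently dropped, which is a narrower choice than the global policy discussed in the thread.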