From: Doug Niven
Date: Fri, 10 Feb 2017 15:19:26 -0800
Subject: Re: PF question
To: Jon Radel
Cc: freebsd-questions@freebsd.org
In-Reply-To: <4e2d0f1d-5904-1a14-0bcc-0ed3ce39a716@radel.com>
References: <4e2d0f1d-5904-1a14-0bcc-0ed3ce39a716@radel.com>

Hi Jon, Shamin,

I think you guys answered my question already. The following seems to do the trick:

pass in proto tcp from to (self) port {22} flags

I'm on OSX and sometimes the Ethernet interface is assigned different names, depending on how the machine is connected, but this seems to work in my initial tests.

Thanks for your speedy help!

Doug

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Niven
Academic Computing Expert
University of California, Santa Cruz
Tel (831) 459-4401
Engineering 2, room 405E
~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Fri, Feb 10, 2017 at 3:13 PM, Jon Radel wrote:
> On 2/10/17 5:50 PM, Doug Niven wrote:
>
>> The following PF rule successfully blocks out "off campus" traffic to
>> port 22, but it only blocks it if the interface name is "en0"
>
> ?? OK, one of us is a bit confused--might be me though.
>
> That should already block all inbound traffic to port 22 on any
> interface with a single exception: The only traffic that is *allowed*
> is that arriving on en0 from an address in to an interface
> address on en0.
>
> Are you actually seeing allowed traffic on other interfaces port 22?
>
>>
>> How can I tweak this so it will block out port 22 for ANY/ALL
>> interfaces on the host, even if I don't know their names?
>
> Like this:
>
> block in proto tcp from any to any port {22}
>
> If you don't specify one or more interfaces it applies to all
> interfaces, which is why PF rulesets generally have a pretty permissive rule
> somewhere for loopback interface(s); all sorts of things break if you
> filter your loopback interface(s)....
>
>>
>>
>> table { 111.222.0/16, 222.333.0.0/16 } persist
>> block in proto tcp from any to any port {22}
>> pass in on en0 proto tcp from to (en0) port {22}
>> flags S/SA keep state
>
> Or are you asking how to selectively *allow* inbound ssh traffic to
> interfaces other than en0?
>
> --
> --Jon Radel
> jon@radel.com
>
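The three points made in the exchange (an interface-less block rule covers every interface, loopback needs an exemption so local services keep working, and the allow rule can use a table plus (self) instead of a hard-coded interface name) fit together into one small pf.conf. The ruleset below is an editor's example, not code from either poster; the table name "campus" and the two RFC 5737 documentation ranges are constructed placeholders standing in for the thread's real "on campus" networks.

```pf
# Added example pf.conf (not the thread's own ruleset). Table name and
# address ranges are constructed placeholders.

# Source networks allowed to reach ssh. "persist" keeps the table alive
# even when no rule references it, so it can be edited at runtime with
# pfctl -t campus -T add/delete without reloading the whole ruleset.
table <campus> persist { 192.0.2.0/24, 198.51.100.0/24 }

# Never filter loopback: many local services talk to themselves over
# lo0 and break when an interface-less block rule catches them.
set skip on lo0

# Default for ssh: no "on <ifname>" clause, so this applies to every
# interface regardless of what the OS names it (en0, en1, bridge0, ...).
# "log" sends blocked attempts to pflog0 so they can be monitored.
block in log proto tcp from any to any port 22

# Exception: allow ssh from the table to any address this host currently
# holds. (self) is re-evaluated as interface addresses change, so the rule
# follows the machine between wired and wireless connections. PF uses
# last-match-wins, so this pass rule must come after the block rule.
pass in proto tcp from <campus> to (self) port 22 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing is changed), load with `pfctl -f /etc/pf.conf`, and confirm the result with `pfctl -sr` (loaded rules) and `pfctl -t campus -T show` (current table contents); blocked attempts can be watched with `tcpdump -n -e -ttt -i pflog0 port 22`. On current FreeBSD and OpenBSD, `flags S/SA keep state` is already the default for TCP pass rules, so spelling it out is harmless and makes the intent explicit for readers on older or vendor-modified PF builds.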