Date: Fri, 22 Jan 2010 06:22:55 -0700
From: Tim Judd <tajudd@gmail.com>
To: kalin m <kalin@el.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf rules
Message-ID: <ade45ae91001220522h5538a4c5k96f129234d51e850@mail.gmail.com>
In-Reply-To: <4B594FC0.3010200@el.net>
References: <4B594FC0.3010200@el.net>
On 1/22/10, kalin m <kalin@el.net> wrote:
>
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>

pfctl -s info

Look for the fact it says "Enabled" (near the top of the screen) and you're blocking inbound all, but since you're passing out all, telnetting out will work.

You aren't very clear on which side you have the pf loaded on, the email indicates it's the client-side you have pf enabled. Please clarify.

--TJ
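The reply above hinges on two pf properties: the state table is consulted before the ruleset, so replies to a connection that "pass out all keep state" let through never reach "block in all", and among the rules that do match a packet the last one wins (there is no "quick" in the posted set). The following toy model, added here for illustration and not part of the thread or of pf itself, replays the quoted filter rules against four constructed packets: the outbound telnet to port 25, the server's SYN-ACK coming back, and two unsolicited inbound connections to ports 25 and 22. Service names are resolved to the well-known port numbers as /etc/services would; the addresses are made-up RFC 5737 documentation addresses, and the Rule/Packet/Pf classes are this example's own simplification of pf's matching (no address matching, no "quick", no state timeouts).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Service names used in the quoted pf.conf, resolved as /etc/services would.
PORTS = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "ntp": 123, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the host running pf
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" for a bare SYN, "SA" for SYN-ACK


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    direction: Optional[str] = None       # None: applies to both in and out
    proto: Optional[str] = None           # None: any protocol
    dports: FrozenSet[int] = frozenset()  # empty: any destination port
    syn_only: bool = False                # models "flags S/SAF": bare SYN only
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.syn_only and pkt.flags != "S":
            return False
        return True


StateKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


class Pf:
    """Last-matching-rule-wins evaluation with a state table consulted first."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states: Set[StateKey] = set()

    @staticmethod
    def _key(pkt: Packet) -> StateKey:
        # Endpoints are sorted so a reply maps to the same key as the original.
        a, b = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, a, b)

    def filter(self, pkt: Packet) -> str:
        # 1. An existing state entry short-circuits the ruleset entirely.
        if self._key(pkt) in self.states:
            return "pass (state)"
        # 2. Otherwise walk every rule; the last match decides (no "quick").
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
        if winner is None or winner.action == "block":
            return "block"
        if winner.keep_state:
            self.states.add(self._key(pkt))
        return "pass (rule)"


def posted_ruleset():
    """The filter rules from the quoted pf.conf (set/scrub/antispoof omitted)."""
    tcp_in = frozenset({PORTS["www"], PORTS["https"]})
    udp = frozenset({PORTS["domain"], PORTS["ntp"]})
    return [
        Rule("block", direction="in"),                         # block in all
        Rule("pass", direction="out", keep_state=True),        # pass out all keep state
        Rule("pass", proto="udp", dports=udp),                 # pass proto udp to any port $udp
        Rule("pass", proto="icmp", keep_state=True),           # pass inet proto icmp ... keep state
        Rule("pass", direction="in", proto="tcp", dports=tcp_in,
             syn_only=True, keep_state=True),                  # pass in ... $tcp_in flags S/SAF synproxy state
        Rule("pass", proto="tcp", dports=frozenset({PORTS["ssh"]})),  # pass proto tcp to any port ssh
    ]


def demo():
    """Replay the scenario from the thread; returns each packet's verdict."""
    fw = Pf(posted_ruleset())
    me, mail, other = "192.0.2.10", "198.51.100.25", "203.0.113.7"  # constructed
    out_syn = Packet("out", "tcp", me, 50123, mail, 25, "S")        # telnet that.host.org 25
    reply = Packet("in", "tcp", mail, 25, me, 50123, "SA")           # server's SYN-ACK
    in_smtp = Packet("in", "tcp", other, 40000, me, 25, "S")         # unsolicited inbound SMTP
    in_ssh = Packet("in", "tcp", other, 40001, me, 22, "S")          # unsolicited inbound SSH
    return {
        "telnet out to port 25": fw.filter(out_syn),
        "SYN-ACK back from the server": fw.filter(reply),
        "someone connecting to our 25": fw.filter(in_smtp),
        "someone connecting to our 22": fw.filter(in_ssh),
    }


if __name__ == "__main__":
    for what, verdict in demo().items():
        print(f"{what:30} {verdict}")
```

The outbound SYN is passed by "pass out all keep state" and leaves a state entry; the SYN-ACK then passes on that entry without ever being compared against "block in all", which is exactly why the telnet session connects. An inbound SYN to port 25 has no later pass rule to override the block, so it is dropped, while one to port 22 is rescued by the final ssh rule. On a real box, `pfctl -s state` shows the entry the outbound connection created and `pfctl -s rules -v` shows per-rule match counters, which is the quickest way to see which rule actually decided a packet.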