From owner-freebsd-questions@FreeBSD.ORG Fri Jan 22 13:22:56 2010
From: Tim Judd
To: kalin m
Cc: freebsd-questions@freebsd.org
Date: Fri, 22 Jan 2010 06:22:55 -0700
Subject: Re: pf rules
In-Reply-To: <4B594FC0.3010200@el.net>
References: <4B594FC0.3010200@el.net>
List-Id: User questions

On 1/22/10, kalin m wrote:
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>

pfctl -s info

Look for the fact it says "Enabled" (near the top of the screen), and you're blocking inbound all, but since you're passing out all, telnetting out will work.

You aren't very clear on which side you have the pf loaded on; the email indicates it's the client side you have pf enabled on. Please clarify.

--TJ
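The exchange above turns on rule direction: "block in all" only evaluates packets arriving on the host, so an outbound telnet to port 25 is matched by "pass out all keep state" and its replies return through the state entry. The following pf.conf is an added example, not the poster's file or anything from the FreeBSD project; it keeps the poster's inbound rules but narrows the outbound side to named services. The interface name em0 and the outbound service lists are assumptions to be adjusted for the host.

```pf
# Added example (not the poster's ruleset). em0 is an assumed interface name.
ext_if  = "em0"
tcp_in  = "{ www, https }"
udp_in  = "{ domain, ntp }"
tcp_out = "{ domain, smtp, www, https }"   # assumed: what this host may reach
udp_out = "{ domain, ntp }"
ping    = "echoreq"

set skip on lo
scrub in all

antispoof for $ext_if inet

# Default deny in BOTH directions. "block in all" on its own never sees a
# packet leaving the host, which is why "telnet that.host.org 25" matched
# "pass out all keep state" in the poster's ruleset and connected.
block all

# Outbound: only the services this host is expected to reach. Keeping state
# lets the replies back in without any separate "pass in" rule.
pass out on $ext_if inet proto tcp to any port $tcp_out flags S/SA keep state
pass out on $ext_if inet proto udp to any port $udp_out keep state
pass out on $ext_if inet proto icmp all icmp-type $ping keep state

# Inbound: the published services only (same intent as the poster's rules).
pass in on $ext_if inet proto udp to any port $udp_in keep state
pass in on $ext_if inet proto tcp to any port $tcp_in flags S/SA synproxy state
pass in on $ext_if inet proto tcp to any port ssh flags S/SA keep state
```

To check what is actually in effect: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -s info` shows whether pf is "Enabled", `pfctl -s rules` prints the loaded rules in evaluation order (last matching rule wins unless a rule says `quick`), and `pfctl -s states` lists the state entries, so an outbound connection that should have been blocked shows up there as a state created by a "pass out" rule.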