From owner-freebsd-pf@FreeBSD.ORG  Sun Jun 26 15:30:13 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 412E616A41C
	for <freebsd-pf@freebsd.org>; Sun, 26 Jun 2005 15:30:13 +0000 (GMT)
	(envelope-from terry@twopeasinabucket.com)
Received: from outbound4.mail.tds.net (outbound4.mail.tds.net [216.170.230.94])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F32A143D49
	for <freebsd-pf@freebsd.org>; Sun, 26 Jun 2005 15:30:12 +0000 (GMT)
	(envelope-from terry@twopeasinabucket.com)
Received: from tj (vrnawibas01-pool4-a241.vrnawi.tds.net [69.128.144.241])
	by outbound4.mail.tds.net (8.13.4/8.12.2) with ESMTP id j5QFUBZU007706
	for <freebsd-pf@freebsd.org>; Sun, 26 Jun 2005 10:30:12 -0500 (CDT)
Message-Id: <200506261530.j5QFUBZU007706@outbound4.mail.tds.net>
From: "Ninneman, TJ" <terry@twopeasinabucket.com>
To: <freebsd-pf@freebsd.org>
Date: Sun, 26 Jun 2005 10:30:11 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcV6YnJzs7QgMSFgQYCwVzm7Vll0MAAAESgQAABJmCA=
Subject: Outbound SSH problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2005 15:30:13 -0000



>Yes, RTFMP , with a default policy of block, there is no need for specific
>rules to stop things like outbound ssh traffic. 
>
>Logging will tell you the rest. 

Yes, I'm compromised or yes, I'm misreading the output?  Like I said in my
original post, logging isn't telling me anything; just the daily security
run or /var/log/pf.today.  While a default to deny policy will stop outbound
ssh, you'll notice in my ruleset that I am allowing everything out on this
server so that rule is necessary.  

I just really would like to know if these outbound ssh packets are nothing
or if I have a problem on my hands. 

Thanks for the help!

Terry J. Ninneman