From owner-freebsd-questions@FreeBSD.ORG Mon Sep 26 16:07:17 2005
Return-Path: <matt@atopia.net>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4164C16A420 for freebsd-questions@freebsd.org; Mon, 26 Sep 2005 16:07:17 +0000 (GMT) (envelope-from matt@atopia.net)
Received: from neptune.atopia.net (neptune.atopia.net [209.128.231.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8468543D53 for freebsd-questions@freebsd.org; Mon, 26 Sep 2005 16:07:16 +0000 (GMT) (envelope-from matt@atopia.net)
Received: from [192.168.0.102] (pcp173257pcs.plsntv01.nj.comcast.net [68.46.70.16]) by neptune.atopia.net (Postfix) with ESMTP id 899A06135 for freebsd-questions@freebsd.org; Mon, 26 Sep 2005 12:07:15 -0400 (EDT)
Message-ID: <43381CB3.70003@atopia.net>
Date: Mon, 26 Sep 2005 12:07:15 -0400
From: Matt Juszczak <matt@atopia.net>
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050701)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Subject: PF default to deny
List-Id: User questions <freebsd-questions.freebsd.org>
X-List-Received-Date: Mon, 26 Sep 2005 16:07:17 -0000

hi all,

I have a firewall on my FreeBSD machine. Someone must have taken it down for testing or something because I just checked today, and realized that it was disabled. Checking the auth logs, attempts to login from overseas IPs, etc. have been occurring for at least a week.

Two quick questions:

1) SSH, SMUX, CVSPSERVER, and MYSQL were open to the world for about a week..... I've checked through the auth.log file, done a chkrootkit, checked lastlogin, etc.... nothing seems out of the ordinary other than unsuccessful attempts at random usernames, etc. Does anyone have any other ideas on what I can check?

2) Is there a way to set pf to default to deny? That way, if I disable it for testing, it won't kick my existing SSH session out (I'll have keep state set), but it will DENY any new connections. I'd rather have to go to the colo place because I messed up than get something hacked because I messed up.

Thanks!

-Matt
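The ruleset below is an added example of the "default deny, stateful pass for SSH" layout the second question asks about; it is not Matt's own pf.conf and nothing on this thread supplies one. The interface name fxp0 and the 192.0.2.0/24 admin network are constructed placeholders. The point to take from it: the `block` lines at the top are the default policy, every `pass` rule is an explicit exception, and the `keep state` on the SSH rule is what lets an already-established session survive a ruleset reload.

```pf
# Added example pf.conf, not the poster's ruleset. fxp0 and 192.0.2.0/24 are
# constructed placeholders: the external interface and the network the
# administrator connects from.
ext_if = "fxp0"
admin_net = "192.0.2.0/24"

# Never filter loopback.
set skip on lo0

# Default policy: drop everything in both directions. Logging inbound drops
# to pflog0 makes a mistaken rule (or a missing one) visible quickly.
block in log all
block out all

# The host itself may initiate connections; the state entry admits replies.
pass out on $ext_if proto { tcp udp icmp } all keep state

# SSH only from the admin network. "flags S/SA keep state" creates the state
# entry on the initial SYN; a later "pfctl -f" reload leaves existing state
# entries alone, so the session that loaded the rules stays up.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh \
    flags S/SA keep state

# MySQL (3306) and cvspserver (2401) reachable only from the admin network.
# SMUX (199) gets no pass rule, so the default block covers it.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port { 3306 2401 } \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a reload replaces the rules but keeps the state table, which is the safe way to test changes. `pfctl -d`, by contrast, turns filtering off entirely, so no "default deny" can apply while pf is disabled; if the goal is to avoid another week of exposed services, reload rather than disable. For the first question, `sockstat -4l` on FreeBSD lists every listening socket with its owning process, which is a quick way to confirm that nothing beyond the four known services is accepting connections.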