Date: Fri, 22 Jan 2010 11:21:16 -0500
From: kalin m <kalin@el.net>
To: Rémi LAURENT <cloud@madpowah.org>
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <4B59D07C.2020601@el.net>
In-Reply-To: <b0379ed1bb8e9bc1e2a0c9379f756991.squirrel@webmail.domaine-interne.org>
References: <4B5958E2.9010509@el.net> <b0379ed1bb8e9bc1e2a0c9379f756991.squirrel@webmail.domaine-interne.org>
# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state

Rémi LAURENT wrote:
> Hi,
>
> Maybe you can give us the result of a pfctl -s rules because i don't see
> how you can have this connection.
>
>> hi all...
>>
>> doing testing with pf...
>>
>> how is it possible that if i have these rules below in pf.conf if i do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>>
>>
>> pf.conf contents:
>>
>> tcp_in = "{ www, https }"
>> ftp_in = "{ ftp }"
>> udp = "{ domain, ntp }"
>> ping = "echoreq"
>>
>> set skip on lo
>> scrub in
>>
>> antispoof for eth0 inet
>>
>> block in all
>> pass out all keep state
>> pass proto udp to any port $udp
>> pass inet proto icmp all icmp-type $ping keep state
>> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
>> pass proto tcp to any port ssh
>>
>>
>>
>> thanks....
>>
>>
>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe@freebsd.org"
>>
>>
>
>
>
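The telnet to port 25 in the quoted question is an outbound connection, and `pass out all ... keep state` in the ruleset above matches it; `block in all` only covers inbound traffic, and in pf the last matching rule wins unless a rule says `quick`. The following added example (not part of this thread) walks a constructed subset of the pfctl output through those semantics and contrasts it with a hypothetical egress policy that denies outbound by default:

```python
# Added example (not from the thread): evaluator for the pass/block rules above,
# using pf's last-matching-rule-wins semantics (no "quick"). Constructed subset;
# service names resolved to numbers, ICMP and traceroute-range rules omitted.
ORIGINAL_RULES = """\
block drop in all
pass out all flags S/SA keep state
pass proto udp from any to any port = 53 keep state
pass in inet proto tcp from any to any port = 80 flags S/FSA synproxy state
pass proto tcp from any to any port = 22 flags S/SA keep state
"""

# Hypothetical tightened egress policy: deny outbound by default and allow only
# what is needed (here HTTPS), so the outbound SMTP connection is refused.
TIGHTENED_RULES = ORIGINAL_RULES.replace(
    "pass out all flags S/SA keep state",
    "block drop out all\npass out proto tcp from any to any port = 443 keep state",
)

def parse_rule(line):
    """Extract action, direction, protocol and single destination port."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "proto": None, "port": None}
    i = 1
    while i < len(toks):
        if toks[i] in ("in", "out"):
            rule["dir"] = toks[i]
        elif toks[i] == "proto":
            rule["proto"] = toks[i + 1]
            i += 1
        elif toks[i] == "port" and toks[i + 1] == "=":
            rule["port"] = int(toks[i + 2])
            i += 2
        i += 1
    return rule

def evaluate(ruleset, direction, proto, dport):
    """Verdict for a new connection: the last matching rule wins."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for r in map(parse_rule, ruleset.strip().splitlines()):
        if r["dir"] and r["dir"] != direction:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        verdict = r["action"]
    return verdict
```

`evaluate(ORIGINAL_RULES, "out", "tcp", 25)` yields `pass`, which is the behaviour the question observed, while the tightened set yields `block` for the same connection.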