From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 16:21:18 2010
From: kalin m <kalin@el.net>
Date: Fri, 22 Jan 2010 11:21:16 -0500
To: Rémi LAURENT
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <4B59D07C.2020601@el.net>
References: <4B5958E2.9010509@el.net>

# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state

Rémi LAURENT wrote:
> Hi,
>
> Maybe you can give us the result of a pfctl -s rules because i don't see
> how you can have this connection.
>
>> hi all...
>>
>> doing testing with pf...
>>
>> how is it possible that if i have these rules below in pf.conf if i do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>>
>>
>> pf.conf contents:
>>
>> tcp_in = "{ www, https }"
>> ftp_in = "{ ftp }"
>> udp = "{ domain, ntp }"
>> ping = "echoreq"
>>
>> set skip on lo
>> scrub in
>>
>> antispoof for eth0 inet
>>
>> block in all
>> pass out all keep state
>> pass proto udp to any port $udp
>> pass inet proto icmp all icmp-type $ping keep state
>> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
>> pass proto tcp to any port ssh
>>
>>
>>
>> thanks....
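Why the outbound telnet to port 25 connects, as an added illustration that is not part of the thread: in pf the last matching rule wins (absent "quick"), and an outbound SYN is checked against the "out" rules, where "pass out all flags S/SA keep state" matches; "block in all" never sees it. The script below is a deliberately simplified model of that evaluation (no quick, no addresses, no state table, so the antispoof and port-range lines are left out) run over the pfctl output above, plus an assumed hardened variant that denies outbound traffic by default and only passes what the host is meant to originate.

```python
# Added example: simplified model of pf rule evaluation (last match wins).
# Only direction, protocol and destination port are modelled; address-based
# and port-range rules from the posted ruleset are omitted on purpose.
RULESET = """
block drop in all
pass out all flags S/SA keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state
"""

# Assumed hardened variant: default-deny outbound too, then pass only the
# outbound TCP services the host needs. The direction-less DNS/NTP/SSH rules
# later in the ruleset still match both ways, so they keep working.
HARDENED = RULESET.replace(
    "pass out all flags S/SA keep state",
    "block drop out all\n"
    "pass out proto tcp from any to any port = http keep state\n"
    "pass out proto tcp from any to any port = https keep state")

PORTS = {"domain": 53, "ntp": 123, "http": 80, "https": 443, "ssh": 22}

def parse_rule(line):
    """Extract action, direction, protocol and destination port from one rule."""
    t = line.split()
    rule = {"action": t[0], "dir": None, "proto": None, "port": None}
    for i, w in enumerate(t):
        if w in ("in", "out") and i < 3:        # direction follows the action
            rule["dir"] = w
        elif w == "proto":
            rule["proto"] = t[i + 1]
        elif w == "port":
            name = t[i + 2] if t[i + 1] == "=" else t[i + 1]
            rule["port"] = int(name) if name.isdigit() else PORTS[name]
    return rule

def matches(rule, direction, proto, dport):
    """A None field means 'any', as in pf rules without that keyword."""
    return (rule["dir"] in (None, direction) and rule["proto"] in (None, proto)
            and rule["port"] in (None, dport))

def evaluate(ruleset, direction, proto, dport):
    """Return the action of the last matching rule; pf defaults to pass."""
    verdict = "pass"
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, direction, proto, dport):
            verdict = rule["action"]
    return verdict
```

With the posted ruleset evaluate(RULESET, "out", "tcp", 25) returns "pass" while the same packet inbound returns "block"; with the hardened variant the outbound SMTP attempt is blocked and DNS, SSH and HTTPS still pass.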