Date: Thu, 8 Dec 2016 16:44:43 -0500
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Firewalls
Message-ID: <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <5bed7716cd0c9f56e7fe73e86d0cde45.squirrel@webmail.harte-lyne.ca>
References: <5bed7716cd0c9f56e7fe73e86d0cde45.squirrel@webmail.harte-lyne.ca>
I am experimenting with PF. I have a basic configuration working. At least
I have not cut myself off from the system, yet. I connect to the
experimental host via ssh -X. On that host I have these PF rules:

. . .

# If you cannot trust yourself then who can you trust?
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# Block everything but recall that last match applies
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Block untrusted ips on control channels
block return in quick on $int_if proto tcp from ! $trust_clients to $int_if port $tcp_control

. .

# diagnostics
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# system admin channels - keep these at the end
pass in proto tcp from $localnet to any port $tcp_control keep state
pass out proto tcp to any port $tcp_control keep state

With these rules in effect, when I run gvim from the ssh -X session on the
FreeBSD host I get this error:

gvim /etc/pf.conf
backupdir=~/.vim/tmp
E233: cannot open display
Press ENTER or type command to continue

If the firewall is not enabled then the gvim X-window opens on my remote
desktop (gnome2) without error.

What ports, besides 22, is gvim trying to open? Why is this traffic not
passed (tunnelled) along the established ssh connection?

Thanks,

--
***          e-Mail is NOT a SECURE channel          ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
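Added illustration, not part of the post and not pf(4) itself: the post points out that under PF the last matching rule applies. The script below models that evaluation order over the posted rules, together with the two things that override it, `quick` (ends the search on a match) and `set skip` (the interface is not filtered at all). Interface names, addresses and the values of the `$int_if`, `$ext_if`, `$localnet`, `$trust_clients` and `$tcp_control` macros are constructed, since the post does not give them; state tables, scrub and urpf-failed are not modelled. One thing the model makes visible is that the ruleset as posted has no pass rule for X11 display ports (6000 + display number), so a forwarded display reached over a filtered interface rather than lo0 falls through to `block all`; whether that is what happens on the poster's host depends on where sshd binds the forwarded display, which the post does not show.

```python
"""Toy model of PF rule evaluation (last match wins, quick, set skip) applied to
the rules quoted in the post.  Not pf(4); ignores state, scrub and urpf-failed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed macro values; the post does not give the real ones.
EXT_IF, INT_IF = "em0", "em1"
EXT_IF_ADDR = ip_address("203.0.113.5")   # $ext_if used as an address operand
INT_IF_ADDR = ip_address("192.168.1.1")   # $int_if used as an address operand
LOCALNET = ip_network("192.168.1.0/24")
TRUST_CLIENTS = {ip_address("192.168.1.10")}
TCP_CONTROL = {22}
SKIP_IFACES = {"lo0"}                      # set skip on lo0


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet is seen on
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    text: str                           # the pf.conf line being modelled
    action: str                         # "pass" or "block"
    match: Callable[[Packet], bool]
    quick: bool = False


def in_net(addr: str, net) -> bool:
    return ip_address(addr) in net


# The posted rules, in order.  "match ... scrub" and "block in quick from
# urpf-failed" are omitted because the toy has no interface/route table.
RULES = [
    Rule("block all", "block", lambda p: True),
    Rule("block return in quick on $int_if proto tcp from ! $trust_clients "
         "to $int_if port $tcp_control", "block",
         lambda p: p.direction == "in" and p.iface == INT_IF and p.proto == "tcp"
         and ip_address(p.src) not in TRUST_CLIENTS
         and ip_address(p.dst) == INT_IF_ADDR and p.dport in TCP_CONTROL,
         quick=True),
    Rule("pass inet proto icmp from $localnet to any keep state", "pass",
         lambda p: p.proto == "icmp" and in_net(p.src, LOCALNET)),
    Rule("pass inet proto icmp from any to $ext_if keep state", "pass",
         lambda p: p.proto == "icmp" and ip_address(p.dst) == EXT_IF_ADDR),
    # "33433 >< 33626" is an exclusive range: ports 33434 through 33625.
    Rule("pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 "
         "keep state", "pass",
         lambda p: p.direction == "out" and p.iface == EXT_IF and p.proto == "udp"
         and p.dport is not None and 33433 < p.dport < 33626),
    Rule("pass in proto tcp from $localnet to any port $tcp_control keep state", "pass",
         lambda p: p.direction == "in" and p.proto == "tcp"
         and in_net(p.src, LOCALNET) and p.dport in TCP_CONTROL),
    Rule("pass out proto tcp to any port $tcp_control keep state", "pass",
         lambda p: p.direction == "out" and p.proto == "tcp" and p.dport in TCP_CONTROL),
]


def evaluate(pkt: Packet, rules=RULES) -> tuple[str, str]:
    """Return (decision, reason) for one packet.  Interfaces under 'set skip'
    are never filtered; otherwise every rule is tried in order, the last match
    decides, and a matching 'quick' rule ends the search immediately."""
    if pkt.iface in SKIP_IFACES:
        return "pass", "set skip on " + pkt.iface
    decision, why = "pass", "implicit default pass (no rule matched)"
    for rule in rules:
        if rule.match(pkt):
            decision, why = rule.action, rule.text
            if rule.quick:
                break
    return decision, why


def demo() -> dict[str, str]:
    """Constructed packets showing how the posted rules decide common cases."""
    cases = {
        "ssh from trusted client on int_if":
            Packet(INT_IF, "in", "tcp", "192.168.1.10", str(INT_IF_ADDR), 22),
        "ssh from untrusted client on int_if":
            Packet(INT_IF, "in", "tcp", "192.168.1.77", str(INT_IF_ADDR), 22),
        "X11 display :10 over loopback":
            Packet("lo0", "in", "tcp", "127.0.0.1", "127.0.0.1", 6010),
        "X11 display :10 arriving on int_if":
            Packet(INT_IF, "in", "tcp", "192.168.1.10", str(INT_IF_ADDR), 6010),
        "traceroute probe to udp/33434":
            Packet(EXT_IF, "out", "udp", str(EXT_IF_ADDR), "198.51.100.1", 33434),
        "udp/33626 is outside the >< range":
            Packet(EXT_IF, "out", "udp", str(EXT_IF_ADDR), "198.51.100.1", 33626),
    }
    return {name: evaluate(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5}  {name}")
```

The untrusted-client case shows why the post keeps the `block return in quick` rule where it is: the later `pass in proto tcp from $localnet ... port $tcp_control` rule would otherwise win as the last match for any address inside `$localnet`, but `quick` settles the decision before it is reached.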