From owner-freebsd-questions@freebsd.org Thu Dec 8 21:44:47 2016
Message-ID: <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <5bed7716cd0c9f56e7fe73e86d0cde45.squirrel@webmail.harte-lyne.ca>
Date: Thu, 8 Dec 2016 16:44:43 -0500
Subject: Re: FreeBSD Firewalls
From: "James B. Byrne"
To: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca
List-Id: User questions

I am experimenting with PF.  I have a basic configuration working.  At
least I have not cut myself off from the system, yet.  I connect to the
experimental host via ssh -X.  On that host I have these PF rules:

. . .

# If you cannot trust yourself then who can you trust?
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# Block everything but recall that last match applies
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Block untrusted ips on control channels
block return in quick on $int_if proto tcp from ! $trust_clients to $int_if port $tcp_control

. . .

# diagnostics
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# system admin channels - keep these at the end
pass in proto tcp from $localnet to any port $tcp_control keep state
pass out proto tcp to any port $tcp_control keep state

With these rules in effect, when I run gvim from the ssh -X session on
the FreeBSD host I get this error:

gvim /etc/pf.conf
backupdir=~/.vim/tmp
E233: cannot open display
Press ENTER or type command to continue

If the firewall is not enabled then the gvim X-window opens on my remote
desktop (gnome2) without error.

What ports, besides 22, is gvim trying to open?  Why is this traffic not
passed (tunnelled) along the established ssh connection?

Thanks,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
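A small sh helper, added here as an illustration and not part of the message above or of any FreeBSD code: it parses a DISPLAY value of the form [host]:display[.screen] into the endpoint an X client such as gvim will open, and says whether that endpoint falls under the posted "set skip on lo0" exemption. The function names x11_endpoint and x11_path are hypothetical; it assumes OpenSSH's default X11 forwarding behaviour (X11UseLocalhost yes, X11DisplayOffset 10), under which ssh -X sets DISPLAY=localhost:10.0 and the client connects to TCP port 6000+10 on the loopback interface.

```shell
# Derive the endpoint an X client connects to from $DISPLAY.
# X11 over TCP uses port 6000 + display number; a DISPLAY with no host
# part (":0") means a local UNIX socket instead of TCP.
x11_endpoint() {
    disp="$1"
    case "$disp" in
        *:*) ;;
        *) echo "invalid DISPLAY: $disp" >&2; return 1 ;;
    esac
    host="${disp%:*}"          # everything before the last ':' (keeps ::1)
    rest="${disp##*:}"         # "display[.screen]"
    num="${rest%%.*}"          # drop the optional ".screen"
    case "$num" in
        ''|*[!0-9]*) echo "invalid DISPLAY: $disp" >&2; return 1 ;;
    esac
    if [ -z "$host" ]; then
        echo "unix /tmp/.X11-unix/X$num"
    else
        echo "tcp $host $((6000 + num))"
    fi
}

# Classify the endpoint against the posted pf.conf: loopback traffic is
# exempted by "set skip on lo0", anything else has to match a pass rule.
x11_path() {
    ep=$(x11_endpoint "$1") || return 1
    set -- $ep
    case "$1" in
        unix) echo "local socket $2: not filtered by pf" ;;
        tcp)
            case "$2" in
                localhost|127.*|::1)
                    echo "loopback tcp port $3: exempt via 'set skip on lo0'" ;;
                *)  echo "tcp port $3 on $2: must match a pass rule" ;;
            esac ;;
    esac
}
```

Run as `x11_path "$DISPLAY"` inside the ssh -X session to see which interface pf must let the X connection through on.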