Date: Sat, 4 Jun 2022 16:05:52 -0400
From: George Mitchell <george+freebsd@m5p.com>
To: FreeBSD Hackers <freebsd-hackers@FreeBSD.org>
Subject: Dumb pf.conf question
Message-ID: <d724092e-5be0-77a4-7d1f-af3a857585f5@m5p.com>
Due to an excess (to put it politely) of packets originating from IPv4-address-that-shall-not-be-mentioned, I decided to fix up my pf.conf file, which in very general terms looks like this:

(a bunch of macro definitions: ext_if = external interface, int_if = internal interface, internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120, internal_net = 10.0.0.0/8)
(a couple of table definitions)
(no options, traffic normalization, or queueing)
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
(a bunch of rdr statements, none of which contain "quick")
block all
pass quick on lo0
pass quick on $int_if
pass quick from $internal_ipv6
pass quick to $internal_ipv6
#nuisance ssh logins
block quick on $ext_if from (nasty address)
(lots more packet filtering rules that work)

But that next-to-last line is not stopping packets from nasty address. What did I do wrong?
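As an added illustration (not from the original post or from pf itself), here is the pf evaluation order the question turns on, simulated in Python: rules are walked top to bottom, the last matching rule wins, except that a matching rule marked quick ends evaluation immediately, so any earlier quick pass that fits the traffic shadows a later block quick. Interface names, the IPv6 prefix and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed values standing in for the post's macros and the unnamed host.
EXT_IF, INT_IF = "em0", "em1"
INTERNAL_IPV6 = ipaddress.ip_network("2001:db8:1:1::/120")  # placeholder prefix
NASTY = ipaddress.ip_network("192.0.2.7/32")                # placeholder "nasty address"

def rule(action, quick=False, iface=None, src=None, dst=None):
    return {"action": action, "quick": quick, "iface": iface, "src": src, "dst": dst}

def packet(iface, src, dst):
    return {"iface": iface, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def matches(r, pkt):
    """A rule matches when every criterion it states fits the packet."""
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    for key in ("src", "dst"):
        net = r[key]
        if net is not None and (pkt[key].version != net.version or pkt[key] not in net):
            return False
    return True

def evaluate(rules, pkt):
    """pf evaluation order: walk rules top to bottom; the last matching rule
    wins, except that a matching rule marked quick ends evaluation at once."""
    verdict = None
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# The filter section as described in the post, in the order given there.
POSTED_ORDER = [
    rule("block"),
    rule("pass", quick=True, iface="lo0"),
    rule("pass", quick=True, iface=INT_IF),
    rule("pass", quick=True, src=INTERNAL_IPV6),
    rule("pass", quick=True, dst=INTERNAL_IPV6),
    rule("block", quick=True, iface=EXT_IF, src=NASTY),
]

# Same rules with a constructed "pass quick on $ext_if" placed above the block:
# the first quick match wins, so the block line is never reached.
SHADOWED_ORDER = POSTED_ORDER[:5] + [rule("pass", quick=True, iface=EXT_IF)] + POSTED_ORDER[5:]

def verdict_for_nasty(rules):
    """Verdict for a packet from the nasty host arriving on the external interface."""
    return evaluate(rules, packet(EXT_IF, "192.0.2.7", "198.51.100.10"))
```

One thing the simulation cannot show but that matters on a live system: pf is stateful, and a packet matching an already-established state entry is passed without consulting the rule set, so states created before the block line was loaded persist until they expire or are removed with `pfctl -k`.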