Date:      Fri, 10 Feb 2017 15:19:26 -0800
From:      Doug Niven <dniven@ucsc.edu>
To:        Jon Radel <jon@radel.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PF question
Message-ID:  <CAFcpV2Ot+f806ifAdOhAqbX2Zq+JAgkbGzQRTq+TJatnYcXCAQ@mail.gmail.com>
In-Reply-To: <4e2d0f1d-5904-1a14-0bcc-0ed3ce39a716@radel.com>
References:  <CAFcpV2Pfv+BOhMR3keWj9P1tPfDC8OxeGghHvyDeHN2O8-8NVg@mail.gmail.com> <4e2d0f1d-5904-1a14-0bcc-0ed3ce39a716@radel.com>

Hi Jon, Shamin,

I think you guys answered my question already. The following seems to
do the trick:

     pass in proto tcp from <friendlies> to (self) port {22} flags S/SA keep state

I'm on OSX and sometimes the Ethernet interface is assigned different
names, depending on how the machine is connected, but this seems to
work in my initial tests.

Thanks for your speedy help!

Doug
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Niven
Academic Computing Expert
University of California, Santa Cruz
Tel (831) 459-4401
Engineering 2, room 405E
~~~~~~~~~~~~~~~~~~~~~~~~~~~


On Fri, Feb 10, 2017 at 3:13 PM, Jon Radel <jon@radel.com> wrote:
> On 2/10/17 5:50 PM, Doug Niven wrote:
>
>> The following PF rule successfully blocks out "off campus" traffic to
>> port 22, but it only blocks it if the interface name is "en0"
>
> ??  OK, one of us is a bit confused--might be me though.
>
> That should already block all inbound traffic to port 22 on any
> interface with a single exception:  The only traffic that is *allowed*
> is that arriving on en0 from an address in <friendlies> to an interface
> address on en0.
>
> Are you actually seeing allowed traffic on other interfaces port 22?
>
>>
>> How can I tweak this so it will block out port 22 for ANY/ALL
>> interfaces on the host, even if I don't know their names?
>
> Like this:
>
> block in proto tcp from any to any port {22}
>
> If you don't specify one or more interfaces it applies to all
> interfaces, which is why PF rulesets generally have a pretty permissive rule
> somewhere for loopback interface(s); all sorts of things break if you
> filter your loopback interface(s)....
>
>>
>>
>>      table <friendlies> { 111.222.0/16, 222.333.0.0/16 } persist
>>      block in proto tcp from any to any port {22}
>>      pass in on en0 proto tcp from <friendlies> to (en0) port {22}
>> flags S/SA keep state
>
> Or are you asking how to selectively *allow* inbound ssh traffic to
> interfaces other than en0?
>
> --
> --Jon Radel
> jon@radel.com
>
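The combination the thread converges on, written out as a complete pf.conf fragment (an added example, not a ruleset posted by either participant): an interface-less block rule that applies everywhere, a loopback exception as Jon describes, and the `(self)` pass rule Doug settled on. The table prefixes are constructed documentation ranges, not the ones from the thread.

```pf
# Added example ruleset (not from the thread). Addresses are constructed
# placeholders (RFC 5737 documentation prefixes); substitute your own.
table <friendlies> { 192.0.2.0/24, 198.51.100.0/24 } persist

# Do not filter loopback at all: local services talk to themselves over it.
set skip on lo0

# No "on <interface>" clause, so this applies to inbound SSH on every interface.
block in log proto tcp from any to any port 22

# pf evaluates rules top to bottom and the LAST matching rule wins (unless a
# rule says "quick"), so this later pass overrides the block above for the
# listed sources only. (self) expands to every address this host currently
# holds, and the parentheses make pf re-evaluate it when addresses or
# interface names change, so nothing has to be named "en0".
pass in proto tcp from <friendlies> to (self) port 22 flags S/SA keep state
```

Check the syntax without loading anything with `pfctl -nf pf.conf`, load it with `pfctl -f pf.conf`, and confirm what is actually in effect with `pfctl -sr`; on macOS pf also has to be enabled with `pfctl -e`. Because the block rule carries `log`, rejected SSH attempts on any interface show up on `pflog0` (`tcpdump -n -e -ttt -i pflog0`), which is the quickest way to answer Jon's question of whether port 22 traffic on other interfaces is really getting through.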


