Date:      Sat, 25 Jun 2005 18:12:56 +0100
From:      "Greg Hennessy" <Greg.Hennessy@nviz.net>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: Outbound SSH problem
Message-ID:  <20050625171256.F366A28@gw2.local.net>
In-Reply-To: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>

 
> block drop out quick on em0 proto tcp from any to any port = ssh [
> Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
> 
> block drop out quick on em0 proto udp from any to any port = ssh [
> Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
> 
>  
> 
> My 5.3 server (the oldest I have at this location) used to 
> show these blocked packets in the log but now doesn't and my 
> 5.4 machines never have.
> I only see them on the daily security run.  
> 
>  
> 
> My question is, are my servers compromised or am I misreading 
> the run output?  I find it hard to believe that they are 
> compromised simply because the latest server I set up, every 
> file system is mounted read only yet I still have this 
> output.  As you can imagine I'm pretty nervous about this and 
> any help would be awesome!

Yes, RTFMP, with a default policy of block, there is no need for specific
rules to stop things like outbound ssh traffic.

Logging will tell you the rest. 



Greg
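
Added example (not part of the original message, and not code from the poster or the FreeBSD project): a small Python parser for the per-rule counters quoted above that lists only the rules whose Packets counter is non-zero. The telnet rule and its counters are constructed for contrast, and the function names are hypothetical.

```python
import re

# Constructed sample: the two counter entries exactly as quoted in the message
# (mail quoting and line wrap included), plus one constructed rule with
# non-zero counters for contrast.
SAMPLE = """\
> block drop out quick on em0 proto tcp from any to any port = ssh [
> Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
>
> block drop out quick on em0 proto udp from any to any port = ssh [
> Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
block drop in log on em0 proto tcp from any to any port = telnet
  [ Evaluations: 900 Packets: 12 Bytes: 720 States: 0 ]
"""

QUOTE = re.compile(r"^\s*(?:>\s?)+", re.M)   # leading mail-quote markers
RULE = re.compile(
    r"(?P<rule>\S.*?)\s*\[\s*Evaluations:\s*(?P<evaluations>\d+)"
    r"\s+Packets:\s*(?P<packets>\d+)\s+Bytes:\s*(?P<bytes>\d+)"
    r"\s+States:\s*(?P<states>\d+)\s*\]"
)

def parse_rules(text):
    """Return one dict per rule: the rule text and its four counters."""
    # Strip quote markers, then undo line wrapping by collapsing whitespace.
    flat = " ".join(QUOTE.sub("", text).split())
    rules = []
    for m in RULE.finditer(flat):
        entry = {k: int(v) for k, v in m.groupdict().items() if k != "rule"}
        entry["rule"] = m.group("rule")
        rules.append(entry)
    return rules

def rules_with_hits(rules):
    """Evaluations counts how often pf tested a rule against a packet;
    Packets counts the packets that matched it. Only Packets > 0 means
    the rule acted on traffic."""
    return [r for r in rules if r["packets"] > 0]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(f'{r["packets"]:>6} pkts  {r["evaluations"]:>6} evals  {r["rule"]}')
```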