From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: freebsd-pf@freebsd.org
Date: Sat, 25 Jun 2005 18:12:56 +0100
Subject: RE: Outbound SSH problem
In-Reply-To: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net>
Message-Id: <20050625171256.F366A28@gw2.local.net>
List-Id: Technical discussion and general questions about packet filter (pf)

> block drop out quick on em0 proto tcp from any to any port = ssh
>   [ Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
> block drop out quick on em0 proto udp from any to any port = ssh
>   [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
>
> My 5.3 server (the oldest I have at this location) used to show these
> blocked packets in the log but now doesn't, and my 5.4 machines never
> have. I only see them on the daily security run.
>
> My question is, are my servers compromised or am I misreading the run
> output? I find it hard to believe that they are compromised, simply
> because on the latest server I set up every file system is mounted
> read-only, yet I still have this output. As you can imagine I'm pretty
> nervous about this, and any help would be awesome!

Yes, RTFMP. With a default policy of block, there is no need for specific
rules to stop things like outbound ssh traffic. Logging will tell you the
rest.

Greg
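Added illustration, not part of either poster's message: the numbers quoted above are pf's per-rule counters as printed by `pfctl -vsr`. `Evaluations` counts how many packets were checked against the rule; `Packets`, `Bytes` and `States` count only the packets that actually matched it. A rule showing 437 evaluations and 0 packets has therefore blocked nothing at all. The shell function below reads `pfctl -vsr`-style output (the sample is constructed for this example, not the poster's real ruleset) and prints only the rules whose `Packets` counter is non-zero, which is the figure to look at when asking whether a block rule ever fired.

```shell
#!/bin/sh
# Filter pfctl -vsr output down to the rules that actually matched traffic.
# Each rule is printed on one line, followed by an indented stats line of the
# form "[ Evaluations: N Packets: N Bytes: N States: N ]".
matched_rules() {
    awk '
        /^[[:space:]]*\[ Evaluations:/ {
            # Stats line belongs to the rule read just before it.
            pkts = 0
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            # Only a non-zero Packets count means the rule ever matched;
            # Evaluations alone says nothing about matches.
            if (pkts + 0 > 0) print rule " (packets=" pkts ")"
            next
        }
        { rule = $0 }   # any non-stats line is a rule
    '
}

# Constructed sample of pfctl -vsr output (hypothetical counters, not from
# the original post). The two "block ... port = ssh" rules were evaluated
# hundreds of times but never matched a packet.
SAMPLE='block drop log all
  [ Evaluations: 2012      Packets: 14        Bytes: 1248        States: 0     ]
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on em0 proto tcp from any to any port = http flags S/SA keep state
  [ Evaluations: 1532      Packets: 1532      Bytes: 98240       States: 3     ]'

# Usage: pfctl -vsr | matched_rules    (on a real host)
printf '%s\n' "$SAMPLE" | matched_rules
```

On the sample this lists only the catch-all `block drop log all` rule and the `pass out ... port = http` rule; both ssh block rules are silent, which is exactly the situation the original poster saw. Whether the default-block rule is hitting anything you care about is then a question for the pf log (`pflog0`), as the reply says, not for the evaluation counters.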