Outbound SSH problem
Greg Hennessy
Greg.Hennessy at nviz.net
Sat Jun 25 17:13:00 GMT 2005
> block drop out quick on em0 proto tcp from any to any port = ssh [
> Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
>
> block drop out quick on em0 proto udp from any to any port = ssh [
> Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
>
>
>
> My 5.3 server (the oldest I have at this location) used to
> show these blocked packets in the log but now doesn't and my
> 5.4 machines never have.
> I only see them on the daily security run.
>
>
>
> My question is, are my servers compromised or am I misreading
> the run output? I find it hard to believe that they are
> compromised simply because the latest server I set up, every
> file system is mounted read-only yet I still have this
> output. As you can imagine I'm pretty nervous about this and
> any help would be awesome!
Yes, RTFMP, with a default policy of block, there is no need for specific
rules to stop things like outbound ssh traffic.
Logging will tell you the rest.
Greg
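
An added example, not part of the original message: a small Python parser for the per-rule counters quoted above. Evaluations counts how often pf checked a rule against a packet and Packets counts how many packets actually matched it, so the two quoted rules were evaluated but never matched any SSH traffic. The function names and the third sample rule are constructed for illustration.

```python
import re

# Constructed sample in the layout of a verbose pf rule listing. The first two
# rules are the ones quoted in the thread; the third rule and its counters are
# made up so that the listing contains one rule that matched traffic.
SAMPLE = """\
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
block drop in log on em0 proto tcp from any to any port = telnet
  [ Evaluations: 90 Packets: 12 Bytes: 720 States: 0 ]
"""

COUNTERS = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

def parse_rules(text):
    """Return one dict per rule: the rule text plus its four counters."""
    rules, buffer = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate mail quoting
        if not line or (line.startswith("[") and not buffer):
            continue                          # blank, or a bracket line with no rule
        buffer = f"{buffer} {line}".strip()   # rejoin rules wrapped by a mail client
        m = COUNTERS.search(buffer)
        if m:
            ev, pk, by, st = map(int, m.groups())
            rules.append({"rule": buffer[:m.start()].strip(), "evaluations": ev,
                          "packets": pk, "bytes": by, "states": st})
            buffer = ""
    return rules

def matched_blocks(rules):
    """Block rules whose Packets counter is non-zero, i.e. that dropped traffic."""
    return [r for r in rules if r["rule"].startswith("block") and r["packets"] > 0]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        verdict = "matched traffic" if r["packets"] else "evaluated only, nothing matched"
        print(f'{r["packets"]:>6} pkts  {verdict:<32} {r["rule"]}')
```
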
More information about the freebsd-pf mailing list