Outbound SSH problem
Max Laier
max at love2party.net
Sun Jun 26 15:49:17 GMT 2005
On Saturday 25 June 2005 18:45, Ninneman, TJ wrote:
> I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF.
> My ruleset explicitly blocks outbound ssh from my servers to prevent
> attacks on other servers in the event that one of my servers is
> compromised. The problem is that I have noticed (after a few days of the
> server being up) my daily run output showing both TCP and UDP packets being
> dropped outbound:
>
> block drop out quick on em0 proto tcp from any to any port = ssh [
> Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
~~~~~~~~~~~ ^ ^
>
> block drop out quick on em0 proto udp from any to any port = ssh [
> Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
~~~~~~~~~~~ ^ ^
> My question is, are my servers compromised or am I misreading the run
> output?
You are misreading the output. The "Evaluations" counter only shows that a
packet was checked against the rule; unless Packets and Bytes are not
increased, the packet didn't match.
You could check that yourself: just try to make an ssh connection from the
server in question and see how the Packets/Bytes counters increase.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
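
The counter reading described in the reply above, as an added example that is not part of the original message: a small parser for the per-rule counters that reports only block rules whose Packets counter is non-zero. It assumes the counter layout shown in the quoted output; the function names and both sample strings are constructed for illustration.

```python
import re

# One rule followed by its counter block, in the layout quoted in the message.
RULE_RE = re.compile(
    r"(?P<rule>[^\[\]]+?)\s*\[\s*Evaluations:\s*(?P<evals>\d+)\s+"
    r"Packets:\s*(?P<packets>\d+)\s+Bytes:\s*(?P<bytes>\d+)\s+"
    r"States:\s*(?P<states>\d+)\s*\]"
)

def parse_rules(text):
    """Return one dict per rule with its text and integer counters."""
    rules = []
    for m in RULE_RE.finditer(text):
        entry = {k: int(m.group(k)) for k in ("evals", "packets", "bytes", "states")}
        # Collapse line wraps and padding so wrapped output parses the same way.
        entry["rule"] = " ".join(m.group("rule").split())
        rules.append(entry)
    return rules

def matched_block_rules(text):
    """Block rules that actually matched traffic (Packets > 0).

    Evaluations alone only means a packet was compared against the rule.
    """
    return [r for r in parse_rules(text)
            if r["rule"].startswith("block") and r["packets"] > 0]

# Constructed sample mirroring the two rules quoted in the message.
SAMPLE = """\
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505      Packets: 0         Bytes: 0           States: 0     ]
"""

# Constructed: the tcp rule after one outbound ssh attempt from the server
# was dropped, i.e. the self-check suggested in the reply.
AFTER_TEST = """\
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 438       Packets: 1         Bytes: 60          States: 0     ]
"""

if __name__ == "__main__":
    for label, text in (("daily run", SAMPLE), ("after ssh test", AFTER_TEST)):
        hits = matched_block_rules(text)
        print(label, "->", [(h["rule"], h["packets"]) for h in hits] or "no matches")
```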