FreeBSD Firewalls

James B. Byrne byrnejb at
Thu Dec 8 21:44:47 UTC 2016

I am experimenting with PF.  I have a basic configuration working.  At
least I have not cut myself off from the system, yet.

I connect to the experimental host via ssh -X.  On that host I
have these PF rules:

. . .
# If you cannot trust yourself then who can you trust?
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# Block everything but recall that last match applies
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Block untrusted ips on control channels
block return in quick on $int_if proto tcp from ! $trust_clients to
$int_if port $tcp_control

. .

# diagnostics
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626
keep state

# system admin channels - keep these at the end
pass in  proto tcp from $localnet to any port $tcp_control keep state
pass out proto tcp to any port $tcp_control keep state

With these rules in effect when I run gvim from the sh -X session on
the FreeBSD host I get this error:

gvim /etc/pf.conf

E233: cannot open display
Press ENTER or type command to continue

If the firewall is not enabled then the gvim X-window opens on my
remote desktop (gnome2) without error.

What ports, besides 22, is gvim trying to open?  Why is this traffic
not passed (tunnelled) along the established ssh connection?


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the freebsd-questions mailing list