FreeBSD Firewalls
James B. Byrne
byrnejb at harte-lyne.ca
Thu Dec 8 21:44:47 UTC 2016
I am experimenting with PF. I have a basic configuration working. At
least I have not cut myself off from the system, yet.
I connect to the experimental host via ssh -X. On that host I
have these PF rules:
. . .
# If you cannot trust yourself then who can you trust?
set skip on lo0
# scrub incoming packets
match in all scrub (no-df)
# Block everything but recall that last match applies
block all
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# Block untrusted ips on control channels
block return in quick on $int_if proto tcp from ! $trust_clients to $int_if port $tcp_control
. .
# diagnostics
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# system admin channels - keep these at the end
pass in proto tcp from $localnet to any port $tcp_control keep state
pass out proto tcp to any port $tcp_control keep state
With these rules in effect when I run gvim from the ssh -X session on
the FreeBSD host I get this error:
gvim /etc/pf.conf
backupdir=~/.vim/tmp
E233: cannot open display
Press ENTER or type command to continue
If the firewall is not enabled then the gvim X-window opens on my
remote desktop (gnome2) without error.
What ports, besides 22, is gvim trying to open? Why is this traffic
not passed (tunnelled) along the established ssh connection?
Thanks,
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
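As an added diagnostic helper, not part of the original post: a POSIX sh snippet that maps the DISPLAY value an ssh -X session sets (X uses TCP port 6000 plus the display number, so the usual forwarded display localhost:10.0 means port 6010) to the socket sshd listens on, which tells you which address the PF rules have to let through. It assumes the column layout of sockstat -4l on FreeBSD; the sockstat output below is constructed sample data, not taken from any real host.

```shell
#!/bin/sh
# Added helper: find the TCP listener behind a forwarded X11 DISPLAY.

# X11 listens on TCP 6000 + display number: "localhost:10.0" -> 6010.
# Returns 1 if the DISPLAY string carries no numeric display.
display_port() {
    disp=${1#*:}          # drop the "host:" part
    disp=${disp%%.*}      # drop the ".screen" part
    case $disp in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((6000 + disp))
}

# Read sockstat -4l style output on stdin (USER COMMAND PID FD PROTO
# LOCAL FOREIGN) and print "COMMAND LOCAL_ADDRESS" for the TCP socket
# bound to the given port; prints nothing if no process listens there.
listener_for_port() {
    awk -v p=":$1" '
        $5 ~ /^tcp/ && substr($6, length($6) - length(p) + 1) == p { print $2, $6 }'
}

# Constructed sample of `sockstat -4l` output (assumed values, not real data):
# sshd owns the forwarded display on the loopback address, plus port 22.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  5  tcp4   127.0.0.1:6010        *:*
root     sshd       1230  4  tcp4   *:22                  *:*'

# Given a DISPLAY string, report which process/address serves it according
# to the sample above; on a live host pipe `sockstat -4l` in instead.
x11_listener() {
    port=$(display_port "$1") || { echo "unusable DISPLAY: $1" >&2; return 1; }
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listener_for_port "$port"
}

x11_listener localhost:10.0
```

If the listener sits on 127.0.0.1 (or ::1), the traffic to it is loopback traffic that `set skip on lo0` is meant to cover, so checking the address here is the first step before looking at the block rules.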
More information about the freebsd-questions mailing list