FreeBSD Firewalls

Matthew Seaman matthew at
Fri Dec 9 12:57:57 UTC 2016

On 08/12/2016 21:44, James B. Byrne via freebsd-questions wrote:
> I am experimenting with PF.  I have a basic configuration working.  At
> least I have not cut myself off from the system, yet.
> I connect to the experimental host via ssh -X.  On that host I
> have these PF rules:
> . . .
> # If you cannot trust yourself then who can you trust?
> set skip on lo0
> # scrub incoming packets
> match in all scrub (no-df)
> # Block everything but recall that last match applies
> block all
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
> # Block untrusted ips on control channels
> block return in quick on $int_if proto tcp from ! $trust_clients to
> $int_if port $tcp_control
> . .
> # diagnostics
> pass inet proto icmp from $localnet to any keep state
> pass inet proto icmp from any to $ext_if keep state
> # allow out the default range for traceroute(8):
> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626
> keep state
> # system admin channels - keep these at the end
> pass in  proto tcp from $localnet to any port $tcp_control keep state
> pass out proto tcp to any port $tcp_control keep state
> With these rules in effect when I run gvim from the sh -X session on
> the FreeBSD host I get this error:
> gvim /etc/pf.conf
>   backupdir=~/.vim/tmp
> E233: cannot open display
> Press ENTER or type command to continue
> If the firewall is not enabled then the gvim X-window opens on my
> remote desktop (gnome2) without error.
> What ports, besides 22, is gvim trying to open?  Why is this traffic
> not passed (tunnelled) along the established ssh connection?
> Thanks,

A useful trick with pf is to log all of the packets you block, eg:

block log in quick from urpf-failed

You can read the blocked packets from /dev/pflog as if it was a network
interface -- so tcpdump -i pflog will work, but it is more usual to
enable the pflog service which will record the dropped packets to
/var/log/pflog.  This is a pcap file that you can read with tools like
tcpdump or wireshark.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list