PF question
Jon Radel
jon at radel.com
Fri Feb 10 23:13:39 UTC 2017
On 2/10/17 5:50 PM, Doug Niven wrote:
> The following PF rule successfully blocks out "off campus" traffic to
> port 22, but it only blocks it if the interface name is "en0"
?? OK, one of us is a bit confused--might be me though.
That should already block all inbound traffic to port 22 on any
interface with a single exception: The only traffic that is *allowed*
is that arriving on en0 from an address in <friendlies> to an interface
address on en0.
Are you actually seeing allowed traffic on other interfaces port 22?
>
> How can I tweak this so it will block out port 22 for ANY/ALL
> interfaces on the host, even if I don't know their names?
Like this:
block in proto tcp from any to any port {22}
If you don't specify one or more interfaces it applies to all
interfaces, which is why PF rulesets generally have a pretty permissive
rule somewhere for loopback interface(s); all sorts of things break if
you filter your loopback interface(s)....
>
>
> table <friendlies> { 111.222.0/16, 222.333.0.0/16 } persist
> block in proto tcp from any to any port {22}
> pass in on en0 proto tcp from <friendlies> to (en0) port {22}
> flags S/SA keep state
Or are you asking how to selectively *allow* inbound ssh traffic to
interfaces other than en0?
--
--Jon Radel
jon at radel.com
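Putting the answer above together as a complete pf.conf (an added example, not a ruleset from the thread): the unqualified block applies on every interface, loopback is exempted up front, and ssh is opened selectively per interface. The interface names en0/en1 and the address ranges are assumptions and placeholders.

```pf
# Added example ruleset; en0 (campus-facing) and en1 (a second interface)
# and all address ranges are placeholders, not values from the thread.

# Never filter loopback; without this, all sorts of local services break.
set skip on lo0

# "persist" keeps the table even if no rule currently references it.
table <friendlies>  persist { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder "on campus" ranges
table <en1_admins>  persist { 203.0.113.0/24 }                  # placeholder, for the en1 case below

# No "on <interface>" clause, so this blocks inbound tcp/22 on every
# interface PF sees (lo0 is already exempt via "set skip").
# "log" sends matches to pflog0 so blocked attempts can be reviewed.
block in log proto tcp from any to any port 22

# Selectively allow ssh on en0: only from <friendlies>, and only to en0's
# own address(es), written as (en0) so it tracks address changes.
pass in on en0 proto tcp from <friendlies> to (en0) port 22 \
    flags S/SA keep state

# To allow ssh on another interface as well, add a pass rule that names
# it explicitly; anything without a matching pass stays blocked.
pass in on en1 proto tcp from <en1_admins> to (en1) port 22 \
    flags S/SA keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, and list what actually loaded with `pfctl -sr`.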
More information about the freebsd-questions mailing list