Jon Radel jon at
Fri Feb 10 23:13:39 UTC 2017

On 2/10/17 5:50 PM, Doug Niven wrote:

> The following PF rule successfully blocks out "off campus" traffic to
> port 22, but it only blocks it if the interface name is "en0"

??  OK, one of us is a bit confused--might be me though.

That should already block all inbound traffic to port 22 on any
interface with a single exception:  The only traffic that is *allowed*
is that arriving on en0 from an address in <friendlies> to an interface
address on en0.

Are you actually seeing allowed traffic on other interfaces port 22?

> How can I tweak this so it will block out port 22 for ANY/ALL
> interfaces on the host, even if I don't know their names?

Like this:

block in proto tcp from any to any port {22}

If you don't specify one or more interfaces it applies to all
interfaces, which is why PF rulesets generally have a pretty permissive
rule somewhere for loopback interface(s); all sorts of things break if
you filter your loopback interface(s)....

>      table <friendlies> { 111.222.0/16, 222.333.0.0/16 } persist
>      block in proto tcp from any to any port {22}
>      pass in on en0 proto tcp from <friendlies> to (en0) port {22} flags S/SA keep state

Or are you asking how to selectively *allow* inbound ssh traffic to
interfaces other than en0?

--Jon Radel
jon at
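As an added illustration (not from either poster), a pf.conf fragment that puts the three points of the reply together: the interface-less block covering every interface, the loopback exception, and per-interface pass rules. The address ranges are constructed placeholders and en1 is an assumed second interface.

```pf
# Added example, not the thread's own ruleset. Addresses are placeholders.
table <friendlies> { 192.0.2.0/24, 198.51.100.0/24 } persist

# Never filter loopback; many local services break otherwise.
set skip on lo0

# No "on <interface>" clause, so this applies to every interface.
block in proto tcp from any to any port { 22 }

# Selectively re-allow ssh: only from <friendlies>, only arriving on en0,
# only to an address configured on en0 ("(en0)" tracks that address).
pass in on en0 proto tcp from <friendlies> to (en0) port { 22 } flags S/SA keep state

# To allow ssh on a second interface as well (en1 assumed here), add a
# matching pass rule; the block rule still covers every other interface.
pass in on en1 proto tcp from <friendlies> to (en1) port { 22 } flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the rules currently loaded so you can confirm the block rule carries no interface restriction.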

