phusion2k
July 19th, 2004, 09:47
Hi, I've been having a problem with OpenBSD pf logging port 22 traffic. Here is some of my pf.conf file. Let me know what you think. Thanks.
######################
# Packet Filtering
######################
# Rules for internal interfaces
######################
# pass on unfiltered interfaces
pass quick on $unfiltered
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A
# block everything by default
block
block return-rst inet proto tcp
block return-icmp inet proto udp
# Rules for external interface
######################
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }
# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any
# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any
# ICMP
# internal hosts can send icmp queries and accept echo replies to external hosts
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type $icmp_types $icmp_options
# UDP
pass out on $ext_if inet proto udp from any to any \
$udp_options
pass in on $ext_if inet proto udp from any to $ext_if \
port $udp_services $udp_options
# TCP
pass in log on $ext_if inet proto tcp from any to $ext_if \
port 22 $tcp_options
pass out on $ext_if inet proto tcp from $ext_if to any \
$tcp_options
pass in on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services $tcp_options
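One thing to check before blaming the ruleset: with a stateful rule, pf logs only the packet that creates state, so a `pass in log ... port 22` rule that keeps state records the initial SYN of each SSH connection and nothing else; the rest of the connection is matched by the state entry, not the rule. The ruleset's own comment says as much ("deals with 'connections', not packets"). The quickest way to see what actually landed in pflog is `tcpdump -n -e -ttt -r /var/log/pflog port 22`. The script below is an added example, not part of the original post: it parses lines in the shape that tcpdump prints for pflog records and summarizes port-22 hits by action, direction, rule number and TCP flags. The sample lines are constructed for the example and approximate the tcpdump layout, which differs between pf releases; the rule numbers and addresses in them are invented.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`
# output. The exact layout differs between pf versions; these lines are an
# approximation built for this example, not output captured from a firewall.
SAMPLE_PFLOG = """\
000000 rule 12/0(match): pass in on fxp0: 203.0.113.7.40122 > 198.51.100.2.22: S 1234:1234(0) win 5840 <mss 1460> (DF)
000812 rule 12/0(match): pass in on fxp0: 203.0.113.7.40123 > 198.51.100.2.22: S 9876:9876(0) win 5840 <mss 1460> (DF)
001540 rule 4/0(match): block in on fxp0: 203.0.113.9.51000 > 198.51.100.2.22: . ack 1 win 64240
002230 rule 12/0(match): pass in on fxp0: 203.0.113.7.40124 > 198.51.100.2.80: S 555:555(0) win 5840 <mss 1460> (DF)
003001 rule 4/0(match): block in on fxp0: 203.0.113.11.44444 > 198.51.100.2.22: R 0:0(0) win 0
"""

# One pflog record: rule number, action, direction, interface, IPv4 endpoints
# with ports, and the TCP flags token that follows the destination port.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)"
)


def parse_pflog(text):
    """Parse pflog-style tcpdump lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarize_port(records, port):
    """Count logged packets to `port`, keyed by (action, direction, rule, tcp flags)."""
    counts = Counter()
    for r in records:
        if r["dport"] == port:
            counts[(r["action"], r["dir"], r["rule"], r["flags"])] += 1
    return counts


def explain_port22(records):
    """Split SSH log entries into SYNs the pass rule accepted and packets that were blocked.

    With a keep-state pass rule, the SYN is the only packet of an accepted
    connection that the rule logs, so pass_syn counts accepted connections,
    not packets.
    """
    pass_syn = sum(1 for r in records
                   if r["dport"] == 22 and r["action"] == "pass" and r["flags"] == "S")
    blocked = sum(1 for r in records
                  if r["dport"] == 22 and r["action"] == "block")
    return {"pass_syn": pass_syn, "blocked": blocked}


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(summarize_port(recs, 22).items()):
        print(key, n)
    print(explain_port22(recs))
```

Run it against real output by piping `tcpdump -n -e -ttt -r /var/log/pflog port 22` into `parse_pflog`. If the summary shows only `S` packets under the pass rule, logging is working as designed for a stateful rule; the non-SYN entries under block rules come from the `flags /S` and `flags A/A` rules near the top, which catch packets that have no matching state entry.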