jkuiper May 11, 2015 #1

I have this rule:

Code:
pass in on $ext_if proto tcp from xx.xx.xx.xx to any port { ssh } keep state
#pass in proto tcp to any port ssh keep state

If I fill in a public IP on xx.xx.xx.xx, will the SSH only be available to that IP?

DutchDaemon (Administrator, Staff member, Moderator, Developer) May 11, 2015 #2

If other rules block everyone else, yes. But you need a blocking rule somewhere.

kpa May 11, 2015 #3

Don't allow traffic to destination any in your rules, use a more strict rule with something like:

Code:
pass in on $ext_if proto tcp from xx.xx.xx.xx to ($ext_if) port ssh

If you have NAT in place and the destination is on a LAN host the rule becomes:

Code:
pass in on $ext_if proto tcp from xx.xx.xx.xx to $lan_host port ssh

The keep state option is on by default in PF so you can omit it.
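
Added example, not part of the thread: a minimal pf.conf that combines the two replies above, a default block rule plus a pass rule limited to one source and to the firewall's own address. The interface name em0 and the address 203.0.113.10 (documentation range) are constructed placeholders, and the macro name admin_ip is an assumption.

```pf
# --- macros (constructed placeholder values) ---
ext_if   = "em0"            # external interface, assumed name
admin_ip = "203.0.113.10"   # the single host allowed to reach SSH

# --- options ---
set skip on lo0             # do not filter loopback traffic

# --- filtering ---
# Without any block rule PF passes packets that match no rule, so the
# pass rule alone would not restrict SSH. PF applies the LAST matching
# rule (unless "quick" is used), so the default deny goes first and the
# narrower pass rule after it.
block in all
pass out all

# Too broad: "to any" also matches packets routed through this machine
# to other hosts, not only SSH on the firewall itself.
#pass in on $ext_if proto tcp from $admin_ip to any port ssh

# Restricted: one source, destination is the address on $ext_if only.
# The parentheses make PF track the interface address if it changes.
# "keep state" is the default and is omitted.
pass in on $ext_if proto tcp from $admin_ip to ($ext_if) port ssh
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and loaded with `pfctl -f /etc/pf.conf`.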