PF one source ip allow ssh

bsd_gkn

New Member


Messages: 16

Hello

I just want to get SSH access from an ip address. How do I configure PF for this?


pass in on vtnet0 inet proto tcp from x.x.x.x to any flags S/SA keep state
block drop in on vtnet0 proto tcp from any to any port = ssh


Thanks.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 6,944
Messages: 28,894

PF doesn't stop processing when it matches a rule and the last hit tells it to block. Either add the quick keyword to your pass rule or change the order.
 
OP
bsd_gkn

New Member


Messages: 16

Many thanks.


scrub in all fragment reassemble
pass out all flags S/SA keep state
block drop in log all
pass in on vtnet0 inet proto tcp from X.X.X.X to any flags S/SA keep state
pass in on vtnet0 inet proto tcp from any to any port = ssh flags S/SA keep state
pass in on vtnet0 inet proto icmp from X.X.X.X to any keep state


I learned. First I blocked all incoming traffic and allowed outgoing traffic. Then I just wrote the pass rules I need on top of that.

Now I'm curious about:

  1. How do I block portscans?
  2. How can I write a single rule for multiple ports?
(For example: assign a variable to TCP ports like 25, 22, 21 and allow them all with one rule.)


12.0-RELEASE
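As an added example (not a config from anyone in this thread), here is a complete pf.conf that applies SirDice's advice in both forms, last-match ordering and the quick keyword, and also answers the second question above by allowing several TCP ports from a trusted host with one rule via a macro and a table. The interface name, the RFC 5737 documentation address 192.0.2.10 and the port list are assumptions; substitute your own.

```pf
# Added example, not from the thread. Interface, address and ports are assumed values.
ext_if = "vtnet0"
tcp_services = "{ 21, 22, 25 }"        # one macro, one rule, three ports

# A table holds any number of trusted addresses and can be changed live:
#   pfctl -t trust -T add 198.51.100.7
table <trust> { 192.0.2.10 }

scrub in all fragment reassemble

# Approach 1: default deny first, specific pass rules after it.
# Without "quick" the LAST matching rule wins, so the pass rules below
# override this block only for the traffic they match.
block drop in log all
pass out all flags S/SA keep state

# Only trusted hosts may open TCP connections to the listed ports.
pass in on $ext_if inet proto tcp from <trust> to any port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto icmp from <trust> to any keep state

# Approach 2 (equivalent, shown for comparison): keep the original pass-then-block
# order from the first post, but add "quick" so evaluation stops at the first match.
# pass in quick on $ext_if inet proto tcp from <trust> to any port $tcp_services flags S/SA keep state
# block drop in on $ext_if proto tcp from any to any port ssh
```

Check the syntax and see the expanded per-port rules with `pfctl -vnf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.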
 

danger@

Administrator
Staff member
Moderator
Developer

Reaction score: 364
Messages: 987

You don't need PF for that; you can configure that in sshd_config(5) with the AllowUsers directive, or even with hosts.allow(5), although the PF approach would be more secure.
 
OP
bsd_gkn

New Member


Messages: 16

Hello

Thanks for the answer. I did it using PF. Now I'm trying to block IP addresses at the country level. Unfortunately we cannot use GeoIP here.


block in log all
pass in on $ext_if inet proto icmp from <trust> to any keep state
 

T-Daemon

Active Member

Reaction score: 60
Messages: 201

Now I'm trying to block IP addresses at the country level. Unfortunately we cannot use GeoIP here.
Maybe the method described in this article is an option for blocking traffic with PF by country IPs. Also take a look at the comments.