Environment: one NIC and sshd LISTENing on all interfaces.
Code:
# ifconfig bge0 | grep inet
inet 192.168.222.240 netmask 0xffffff00 broadcast 192.168.222.255
inet 192.168.222.241 netmask 0xffffffff broadcast 192.168.222.241
# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.22 *.* LISTEN
# cat /etc/pf.conf
EXT_IF = bge0
#set skip on lo0
block log all
pass in quick on $EXT_IF inet proto tcp from ! $EXT_IF to $EXT_IF port ssh
# pfctl -vvf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
Loaded 700 passive OS fingerprints
EXT_IF = "bge0"
@0 block drop log all
pass in quick on bge0 inet proto tcp from ! 192.168.222.240 to 192.168.222.240 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.240 to 192.168.222.241 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.241 to 192.168.222.240 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.241 to 192.168.222.241 port = ssh flags S/SA keep state
Check whether any skip rules are in effect:
Code:
# pfctl -vs Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bge0
lo
lo0
lo1
pflog
pflog0
usbus0
usbus1
No skipped interfaces and the logins fail:
Code:
# ssh 192.168.222.240
ssh: connect to host 192.168.222.240 port 22: Operation not permitted
# ssh 192.168.222.241
ssh: connect to host 192.168.222.241 port 22: Operation not permitted
Flush the rules, enable the skip, reload and retry the ssh attempts:
Code:
# pfctl -F all
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
# vi /etc/pf.conf
# pfctl -vvf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
Loaded 700 passive OS fingerprints
EXT_IF = "bge0"
set skip on { lo0 }
@0 block drop log all
pass in quick on bge0 inet proto tcp from ! 192.168.222.240 to 192.168.222.240 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.240 to 192.168.222.241 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.241 to 192.168.222.240 port = ssh flags S/SA keep state
pass in quick on bge0 inet proto tcp from ! 192.168.222.241 to 192.168.222.241 port = ssh flags S/SA keep state
# pfctl -vs Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bge0
lo
lo0 (skip)
lo1
pflog
pflog0
usbus0
usbus1
With the loopback skip enabled we can log in:
Code:
# ssh 192.168.222.240
The authenticity of host '192.168.222.240 (192.168.222.240)' can't be established.
ECDSA key fingerprint is c0:8c:10:32:8d:ab:1c:99:3c:9f:5d:67:31:33:96:f8.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
# ssh 192.168.222.241
The authenticity of host '192.168.222.241 (192.168.222.241)' can't be established.
ECDSA key fingerprint is c0:8c:10:32:8d:ab:1c:99:3c:9f:5d:67:31:33:96:f8.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
Conclusion: @DutchDaemon - @SirDice: 1 - 0
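As an added example, not from the post above: a small sh audit that flags the pitfall the test demonstrates, a ruleset with an unconditional `block ... all` whose `set skip on lo0` line is commented out (or missing), so the host's own connections to its own addresses, which traverse lo0, are dropped. The sample rulesets are constructed to mirror the two pf.conf versions in the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pf.conf for the
# loopback pitfall shown above. "block log all" with "set skip on lo0"
# commented out also drops the host's own connections to its own
# addresses, because those packets traverse lo0.

# Print pf.conf with comments removed.
strip_comments() { sed -e 's/#.*//' "$1"; }

# loopback_handled FILE -> "skip" (set skip on lo0), "pass" (explicit
# pass rule on lo0) or "none".
loopback_handled() {
    if strip_comments "$1" | grep -Eq \
        '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]+[{[:space:]]*lo0([[:space:]}]|$)'; then
        echo skip
    elif strip_comments "$1" | grep -Eq \
        '^[[:space:]]*pass([[:space:]]+(in|out|quick))*[[:space:]]+on[[:space:]]+lo0([[:space:]]|$)'; then
        echo pass
    else
        echo none
    fi
}

# blocks_all FILE -> success if an unconditional "block ... all" rule exists.
blocks_all() {
    strip_comments "$1" | grep -Eq \
        '^[[:space:]]*block([[:space:]]+(in|out|drop|return|log))*[[:space:]]+all[[:space:]]*$'
}

# audit_pf_conf FILE -> prints OK or WARN; returns 1 on WARN.
audit_pf_conf() {
    lb=$(loopback_handled "$1")
    if blocks_all "$1" && [ "$lb" = none ]; then
        echo "WARN: $1: 'block all' with lo0 neither skipped nor passed"
        return 1
    fi
    echo "OK: $1 (loopback: $lb)"
}

# Constructed sample rulesets mirroring the two configs in the post.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
BROKEN="$TMP/pf-broken.conf"; FIXED="$TMP/pf-fixed.conf"
cat > "$BROKEN" <<'EOF'
EXT_IF = bge0
#set skip on lo0
block log all
pass in quick on $EXT_IF inet proto tcp from ! $EXT_IF to $EXT_IF port ssh
EOF
sed -e 's/^#set skip on lo0/set skip on { lo0 }/' "$BROKEN" > "$FIXED"
for f in "$BROKEN" "$FIXED"; do audit_pf_conf "$f" || :; done
```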
