Hi.
These are my pf.conf settings:
Code:
ext_if="re0"

### options (pf.conf wants options before scrub and filter rules)
set skip on lo0

### normalization
scrub in on $ext_if all fragment reassemble

### default deny in both directions, then drop packets with spoofed sources
block all
antispoof for $ext_if inet

### filter spoofs: bogus TCP flag combinations
### ("flags set/mask" means: of the flags listed in mask, exactly those in set are on)
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### traffic going OUTSIDE
pass out on $ext_if proto { tcp, udp, icmp } from any to any flags any modulate state

### traffic going INSIDE (only a new TCP connection to ssh; anything else falls through to "block all")
pass in on $ext_if proto tcp from any to any port ssh flags S/SA
pass in on tap0
#pass in on $ext_if proto tcp from any to any port www flags S/SA

### prevent brute force on ssh
table <ssh_abuse> persist
block in log quick from <ssh_abuse>
# matches the same SYNs as the ssh rule above; pf applies the last matching rule,
# so this one, with its connection limits, is the one that takes effect
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Two questions. First, is the configuration above for ssh correct? Meaning, there are two references to it, one in the "traffic going INSIDE" part and another at the end.
My second question is, why is pf blocking certain NMAP-generated packets (such as icmp type 13 [timestamp], or certain tcp packets)? I tried to specify all flags rather than just S/SA, as it is by default. In order to make NMAP successfully send all packets, I have to disable the firewall.
Any help is welcome!
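As an added example (not code from the post or from pf itself), the following Python model reproduces the two pf semantics that decide the fate of each nmap probe against this ruleset: "flags set/mask" (of the flags named in mask, exactly those in set must be on) and rule order (the last matching rule wins, unless a matching rule is "quick", which ends evaluation). It walks constructed nmap-style probes through a model of the filter rules above; scrub, antispoof and the tap0 rule are left out, the probe addresses are constructed, and the <ssh_abuse> contents are a stand-in for what the overload rule would have inserted.

```python
"""Model of pf rule evaluation for the poster's ruleset (added example).
Implements 'flags set/mask' matching and last-match / quick ordering, then
runs constructed nmap-style probes to show which rule drops each one."""

ALL_TCP_FLAGS = frozenset("WEUAPRSF")  # CWR ECE URG ACK PSH RST SYN FIN


def parse_flags(spec):
    """'S/SA' -> (set, mask); 'any' -> None (matches every combination)."""
    if spec == "any":
        return None
    set_part, mask_part = spec.split("/")
    flag_set, mask = frozenset(set_part), frozenset(mask_part)
    if not flag_set <= mask <= ALL_TCP_FLAGS:
        raise ValueError("bad flags spec: " + spec)
    return flag_set, mask


def flags_match(spec, pkt_flags):
    """True if the packet's TCP flags satisfy a pf 'flags set/mask' clause."""
    parsed = parse_flags(spec)
    if parsed is None:
        return True
    flag_set, mask = parsed
    return (frozenset(pkt_flags) & mask) == flag_set


# Constructed stand-in for the <ssh_abuse> table after an overload.
SSH_ABUSE = frozenset({"203.0.113.7"})


def bogus(flags):
    """One of the poster's 'filter spoofs' rules (block in quick on tcp)."""
    return dict(label="block in quick flags " + flags, action="block",
                dir="in", proto=("tcp",), flags=flags, quick=True)


# The poster's filter rules in file order; keys that are absent match anything.
RULES = [
    dict(label="block all", action="block"),
    *[bogus(f) for f in ("FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
                         "/WEUAPRSF", "SR/SR", "SF/SF")],
    dict(label="pass out proto { tcp, udp, icmp } flags any", action="pass",
         dir="out", proto=("tcp", "udp", "icmp"), flags="any"),
    dict(label="pass in proto tcp to port ssh flags S/SA", action="pass",
         dir="in", proto=("tcp",), port=22, flags="S/SA"),
    dict(label="block in log quick from <ssh_abuse>", action="block",
         dir="in", table=SSH_ABUSE, quick=True),
    dict(label="pass in proto tcp to port ssh flags S/SA (overload <ssh_abuse>)",
         action="pass", dir="in", proto=("tcp",), port=22, flags="S/SA"),
]


def rule_matches(rule, pkt):
    """Match a packet against only the fields the rule specifies."""
    if "dir" in rule and rule["dir"] != pkt["dir"]:
        return False
    if "proto" in rule and pkt["proto"] not in rule["proto"]:
        return False
    if "port" in rule and pkt.get("dport") != rule["port"]:
        return False
    if "table" in rule and pkt.get("src") not in rule["table"]:
        return False
    if "flags" in rule and pkt["proto"] == "tcp":   # flags apply to TCP only
        return flags_match(rule["flags"], pkt.get("flags", ""))
    return True


def decide(pkt, rules=RULES):
    """Return (action, label) of the rule that decides the packet's fate."""
    winner = ("pass", "implicit default pass")   # pf passes if nothing matches
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = (rule["action"], rule["label"])   # last match wins ...
            if rule.get("quick"):
                break                                  # ... unless it is quick
    return winner


def tcp_in(flags, dport=22, src="198.51.100.9"):
    return dict(dir="in", proto="tcp", dport=dport, flags=flags, src=src)


# Constructed probes: the TCP flags each nmap scan type sends.
PROBES = {
    "nmap -sS to 22 (SYN)": tcp_in("S"),
    "nmap -sS to 80 (SYN)": tcp_in("S", dport=80),
    "nmap -sN (NULL)": tcp_in(""),
    "nmap -sF (FIN)": tcp_in("F"),
    "nmap -sX (Xmas: FIN,PSH,URG)": tcp_in("FPU"),
    "nmap -sA (ACK)": tcp_in("A"),
    "nmap -sM (Maimon: FIN,ACK)": tcp_in("FA"),
    "SYN+FIN": tcp_in("SF"),
    "nmap -PP (ICMP timestamp, type 13)":
        dict(dir="in", proto="icmp", icmp_type=13, src="198.51.100.9"),
    "nmap -sS to 22 from an overloaded source": tcp_in("S", src="203.0.113.7"),
    "outbound DNS query": dict(dir="out", proto="udp", dport=53),
}


def run_probes(probes=PROBES):
    """Map each probe name to the (action, label) pf would apply to it."""
    return {name: decide(pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, (action, label) in run_probes().items():
        print("%-42s %-5s by: %s" % (name, action, label))
```

Running it shows that only a plain SYN to port 22 is passed inbound: NULL, Xmas and SYN+FIN probes are stopped by the quick flag rules, while FIN, ACK, Maimon and ICMP type 13 probes never match a pass rule and fall through to "block all". On the box itself, `pfctl -nf /etc/pf.conf` checks that the file parses (including rule ordering), `pfctl -sr` lists the loaded rules, `pfctl -t ssh_abuse -T show` prints the overload table, and `tcpdump -n -e -ttt -i pflog0` shows the drops from rules that carry `log`; `nmap --reason` on the scanning side reports why each port was classed as filtered.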