Re: Dumb pf.conf question
- Reply: George Mitchell : "Re: Dumb pf.conf question"
- In reply to: George Mitchell : "Dumb pf.conf question"
Date: Sun, 05 Jun 2022 14:51:20 UTC
On 2022-06-04 13:05, George Mitchell wrote:
> Due to an excess (to put it politely) of packets originating from
> IPv4-address-that-shall-not-be-mentioned, I decided to fix up my
> pf.conf file, which in very general terms looks like this:
>
> (a bunch of macro definitions: ext_if = external interface,
> int_if = internal interface, internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120,
> internal_net = 10.0.0.0/8)
> (a couple of table definitions)
> (no options, traffic normalization, or queueing)
>
> scrub in all
> nat on $ext_if from $internal_net to any -> ($ext_if)
>
> (a bunch of rdr statements, none of which contain "quick")
>
> block all
> pass quick on lo0
> pass quick on $int_if
>
> pass quick from $internal_ipv6
> pass quick to $internal_ipv6
>
> #nuisance ssh logins
> block quick on $ext_if from (nasty address)
>
> (lots more packet filtering rules that work)
>
> But that next-to-last line is not stopping packets from nasty address.
> What did I do wrong?

Unknown. BUT as (pf) policy goes; block all should get it. Wherein only
those FOLLOWING that PASS should get through. I can't see your pf.conf(5)
to evaluate it. But if you follow the rules and order as explained in
pf.conf(5) && pf(4), my above assertion should hold true.

What's your block-policy?

Judging by the (overall) order you indicate above, I think your
"STATEMENT ORDER" is wrong, leading to your problem.
Check man 5 pf.conf, paying close attention to the order of:
STATEMENT ORDER

HTH
Chris
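As an added illustration (not part of the thread), here is a small Python model of the filter-rule evaluation pf.conf(5) describes, the last matching rule wins unless a matching rule is marked quick, run over the rule order George quoted. The interface names, the stand-in for the nasty address (a TEST-NET-1 address) and the single pass rule standing in for "lots more packet filtering rules" are assumptions; nat, rdr and scrub are translation rules and are not part of the filter pass modelled here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed stand-ins for the macros in the quoted pf.conf.
EXT_IF, INT_IF = "em0", "em1"
INTERNAL_V6 = ip_network("2001:db8:1:2::/120")   # placeholder for $internal_ipv6
INTERNAL_NET = ip_network("10.0.0.0/8")          # $internal_net
NASTY = ip_network("192.0.2.1/32")               # placeholder for "(nasty address)"

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False
    on: Optional[str] = None     # interface; None means any interface
    src: Optional[object] = None # ip_network or None (any source)
    dst: Optional[object] = None # ip_network or None (any destination)

@dataclass
class Packet:
    iface: str
    src: str
    dst: str

def matches(rule: Rule, pkt: Packet) -> bool:
    # ip_network.__contains__ is False across address families, so a v4
    # packet never matches the IPv6 rules, as in pf.
    return ((rule.on is None or rule.on == pkt.iface)
            and (rule.src is None or ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ip_address(pkt.dst) in rule.dst))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that decided). pf passes a packet
    that matches no rule at all; otherwise the last match wins, except that a
    matching quick rule ends evaluation immediately."""
    decision, winner = "pass", None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner = rule.action, idx
            if rule.quick:
                break
    return decision, winner

# Filter rules in the order George quoted them; the final rule is an assumed
# stand-in for the "lots more packet filtering rules that work".
RULES = [
    Rule("block"),                                   # 0: block all
    Rule("pass", quick=True, on="lo0"),              # 1
    Rule("pass", quick=True, on=INT_IF),             # 2
    Rule("pass", quick=True, src=INTERNAL_V6),       # 3
    Rule("pass", quick=True, dst=INTERNAL_V6),       # 4
    Rule("block", quick=True, on=EXT_IF, src=NASTY), # 5: nuisance ssh logins
    Rule("pass", on=EXT_IF, dst=INTERNAL_NET),       # 6: assumed later pass rule
]

def without_quick(rules: List[Rule], idx: int) -> List[Rule]:
    """Copy of the ruleset with quick dropped from rule idx, to show why the
    keyword matters for a block that is followed by pass rules."""
    out = list(rules)
    out[idx] = Rule(rules[idx].action, False, rules[idx].on, rules[idx].src, rules[idx].dst)
    return out
```

With quick present, a packet from the nasty address on $ext_if stops at rule 5 and is blocked; drop quick from that rule and the later matching pass rule wins instead.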