Re: Dumb pf.conf question

From: Chris <bsd-lists_at_bsdforge.com>
Date: Sun, 05 Jun 2022 14:51:20 UTC
On 2022-06-04 13:05, George Mitchell wrote:
> Due to an excess (to put it politely) of packets originating from
> IPv4-address-that-shall-not-be-mentioned, I decided to fix up my
> pf.conf file, which in very general terms looks like this:
> 
> (a bunch of macro definitions: ext_if = external interface,
>  int_if = internal interface, internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120,
>  internal_net = 10.0.0.0/8)
> (a couple of table definitions)
> (no options, traffic normalization, or queueing)
> 
> scrub in all
> nat on $ext_if from $internal_net to any -> ($ext_if)
> 
> (a bunch of rdr statements, none of which contain "quick")
> 
> block all
> pass quick on lo0
> pass quick on $int_if
> 
> pass quick from $internal_ipv6
> pass quick to $internal_ipv6
> 
> #nuisance ssh logins
> block quick on $ext_if from (nasty address)
> 
> (lots more packet filtering rules that work)
> 
> But that next-to-last line is not stopping packets from nasty address.
> What did I do wrong?
Unknown. BUT as (pf) policy goes, "block all" should get it; only those
FOLLOWING it that PASS should get through.
I can't see your pf.conf(5) to evaluate it. But if you follow the rules
and order as explained in pf.conf(5) && pf(4), my above assertion should
hold true.
What's your block-policy? Judging by the (overall) order you indicate above,
I think your "STATEMENT ORDER" is wrong, leading to your problem.
Check man 5 pf.conf, paying close attention to the order of:
STATEMENT ORDER

HTH

Chris
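The following ruleset is an added example illustrating the ordering point
above; it is not George's pf.conf and not anything Chris posted. Interface
names, the table name <bruteforce>, and the addresses (documentation
prefixes 192.0.2.0/24 and 2001:db8::/32) are assumptions standing in for the
real values. It follows the pf.conf(5) statement order (options,
normalization, queueing, translation, filtering) and puts the "quick" block
for the nuisance host ahead of every pass rule that could match its packets.

```pf
# Added example ruleset (not from the thread). Interface names, the table
# contents and the addresses are assumptions.
ext_if = "em0"
int_if = "em1"
internal_net = "10.0.0.0/8"
internal_ipv6 = "2001:db8:0:1::/120"

# Hosts to drop on the external interface. A table can be changed at run
# time (pfctl -t bruteforce -T add/delete) without reloading the ruleset.
table <bruteforce> persist { 192.0.2.10 }

# --- options ---------------------------------------------------------
set block-policy drop
set skip on lo0

# --- normalization ---------------------------------------------------
scrub in all

# --- translation (evaluated before the filter rules) -----------------
nat on $ext_if inet from $internal_net to any -> ($ext_if)
# rdr rules go here. Filter rules below see the translated destination.

# --- filtering ---------------------------------------------------------
# pf evaluates filter rules top to bottom and the LAST matching rule
# wins, except that a rule carrying "quick" ends evaluation as soon as
# it matches. So the block for the nuisance host is placed before any
# pass rule that could match its packets, and is "quick" itself so no
# later pass can override it.
block log all
block in quick on $ext_if from <bruteforce> to any

pass quick on $int_if
pass quick inet6 from $internal_ipv6
pass quick inet6 to $internal_ipv6

# Remaining rules. As an extra, ssh offenders are added to the table
# automatically when they exceed 5 new connections per 30 seconds.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it
with `pfctl -f /etc/pf.conf`, and confirm the loaded order with `pfctl -sr`.
Two things to verify after that: `pfctl -vvsr` shows per-rule evaluation and
packet counters, so you can see whether the block rule is actually being
hit; and a block rule only affects packets that go through rule evaluation,
so flows that already have an entry in the state table keep passing until
the state expires or is killed with `pfctl -k 192.0.2.10`. Blocked packets
from the `log` rule can be watched with
`tcpdump -n -e -ttt -i pflog0`.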