7
votes
Accepted
Should changing firewall settings to block all interrupt ongoing ssh session
"Should changing firewall settings to block all interrupt ongoing ssh session"
The answer is, maybe. It depends on the precise rules, where the block all appears, and whether existing SSH ...
6
votes
How to setup simple port forwarding on macOS with pf? "Rules must be in order: options, normalization, queueing, translation, filtering"
As the error message states, you need to add your rdr rule next to the other translation rules on pf.conf. Since there is already a rdr anchor present, the best bet is to put your rdr rule right after ...
4
votes
NAT outbound IPSEC packets using pf on FreeBSD 11 and StrongSwan x FortiGATE
After several days of struggling I've been able to handle this by doing the following steps and will post the solution here to help others
Get the unique ID of the desired SA you want to nat source to, ...
3
votes
Is there a difference between re0 and wlan0?
On FreeBSD the device names are given by the driver, which handles the device.
So when you have a RealTek NIC it is controlled by the re driver and to separate multiple NICs which are controlled by ...
3
votes
Accepted
openbsd: Allow access to a certain interface only to root
Untested, but
block quick on urndis0
pass on urndis0 proto {tcp, udp} user 0
should do the trick.
From pf.conf's man page:
user user
This rule only applies to packets of sockets owned by ...
2
votes
Accepted
How does route-to work in the BSD pf firewall?
Pf's route-to allows you to define policy-based routing (PBR) using the same firewall ruleset. The PBR itself is then done at kernel level during traffic processing according to the firewall ruleset ...
2
votes
Accepted
pf not stopping bruteforce attempts
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-...
1
vote
PF Firewall: Restrict Access to Other Ports Only for Clients with Active SSH Connections
What you are describing sounds a lot like OpenBSD's authpf. I don't think it is available for macOS, assuming you mean you want to control macOS's firewall. If you mean opening ports to macOS clients ...
1
vote
Accepted
How to set up a firewall for testing web applications in a virtual machine?
This seems a little counterintuitive to me in how you're approaching it. Typically you'd set up the firewall on the actual server where the web application is residing.
If you're using firewalld this ...
1
vote
bsd packet filter on Solaris, why ping not allowed?
I think there is a typo in your ruleset; you want to do s/set skip on lo/set skip on lo0/. This should fix the firewall misbehavior for local pings. Note that all local traffic is bound to lo0, although you ...
1
vote
Is there a difference between re0 and wlan0?
ifconfig tells me my wireless interface is wlan0, while re0 does not even turn up in ifconfig's output.
The re0 is the name of the Ethernet interface (using the realtek driver re).
The wlan0 is the ...
1
vote
Accessing ports on public IP from within a FreeBSD jail
I know it's been a while since this was asked, but here goes:
What you're describing in the OP is known as "Hairpin NAT." Instead of adding needless load on your gateway however, what you want to do ...
1
vote
Accessing ports on public IP from within a FreeBSD jail
To answer my own question, I got it to work using the following firewall configuration:
# Allow dynaserv jail to access git on https port of web jail
pass in on lo1 proto tcp from $ip_jetty to $...
1
vote
Accepted
Issues forwarding port / NAT on OpenBSD
You don't need the binat rule.
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to 192.168.5.17
pass out on $int_if proto tcp to 192.168.5.17 port 80
should suffice. Note that this last rule is ...
1
vote
Bridging Ethernet Interface on OpenBSD and Other Problems
Some thoughts/questions:
You can't assign an IP to a bridge, you assign it to one (or more) of the interfaces in it.
For the same reason, you can't filter on a bridge interface.
Why are you bridging ...
1
vote
Accepted
Openbsd wireguard to wireguard
First you need to make sure wg1 is the egress interface on the VPS (i.e., that all traffic TO the internet will go out on that interface). This can be achieved by setting the remote end of wg1 as the ...
1
vote
Accepted
PF states table give preoccupant results
The second line doesn't mean that someone is logged in, it merely indicates that someone made a connection to the port. After connecting, the client will then try to authenticate itself, using the ...
1
vote
Modifying firewall rules with pfctl on NetBSD 4
Looking at /etc/rc.d/pf on NetBSD 4.0 (or even in 9.0) the pf_reload function simply runs pfctl -q -f /etc/pf.conf so it would seem that flushing old rules is unnecessary.
To manually flush all rules ...
1
vote
Accepted
Howto block all SSH connection attempts coming in from $extif
Block or pass rules always need to come after NAT and redirections.
You have one in too many (or misplaced). It is simply block on $ext_if. And if you want to bypass further processing, block quick on $...
1
vote
Convert iptables rules to pf
With that info, it could be something like this, where x would be the IPs:
nat pass on eth0 proto tcp from x.x.x.x/24 to any port 443 rdr-to x.x.x.x port 8080
from would specify the source.
to the ...