Here is some output from the real lab (the hosts fw.test, inside.test and dmz.test are all FreeBSD VMs now). Any comments? Why does the state in the second case look so odd?
root@fw:~ # cat /etc/rc.conf.local
hostname="fw.test"
ifconfig_vtnet0="DHCP description Outside"
ifconfig_vtnet1="172.16.1.1/24 description DMZ"
ifconfig_vtnet2="192.168.10.1/24 description Inside"
pf_enable="YES"
gateway_enable="YES"
root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state
root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
Connected to dmz.test.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

=============================================================
================ and here we enable the "block ..." rule ====
=============================================================

root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
root@fw:~ #
root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
telnet: connect to address 172.16.1.10: Operation timed out
telnet: Unable to connect to remote host

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/