Hey,

I read the pf.conf and the pfctl manpages as I am trying to set up
some special rules for my OpenBSD Server (3.7).

Basically I want to block connections to my local network from the
machine unless the user is in the group wheel or is the user
"named", for obvious reasons. This server is used for SSH accounts
for various people and I don't want to put my whole network at risk of
brute-force attacks, etc. from their accounts if one gets compromised
(a user leaks a password, etc.).

The following is my /etc/pf.conf
-bash-3.00# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

localaddr = "{192.168.1.15 127.0.0.1}"
if = "xl0"

table <localnet> const { 192.168.1/24 }
table <banned> persist file "/etc/banned"

block drop in on $if from <banned> to $localaddr
block drop out on $if from $localaddr to <banned>

# pf evaluates the whole ruleset and the last matching rule wins (no "quick"
# here), so the two pass rules below are meant to override this block for
# the permitted accounts. No "keep state" on any rule: on 3.7 every packet
# is matched against the rules individually.
block drop out from $localaddr to <localnet>
pass out from $localaddr to <localnet> group wheel
pass out from $localaddr to <localnet> user named

---

Although this looks to my eyes like it would work fine, it is
still letting non-wheel users make connections to the local network.
From this I am guessing that something is wrong and needs
changing. I was hoping someone on the list would have more experience
with it (well, obviously any experience is more than mine as I have
just been dabbling for a few hours) and be able to find the problem.

Whenever I made changes to /etc/pf.conf I executed the following to
load the new rules...

-bash-3.00# pfctl -F all
rules cleared
nat cleared
1 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
-bash-3.00# pfctl -f /etc/pf.conf

---

Thanks in advance,
John.

-- 
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)

Attention all Internet users, is life getting you down? Are you so
happy you could chainsaw an innocent bystander and LAUGH? Do you
believe in God? Do you not believe in God? Have you found yourself
stranded on prehistoric Earth for 5 years? If so, if you do anything
at all there are people who care at the Kintaro Labs Forum, join now
and after you reach 50 posts you get a free OpenBSD shell account!
http://labs.kintaro.noobify.com

Personal Website: http://kintaro.noobify.com
