Never mind, I just had to do a pf -e

On 9/2/05, John Kintaro Tate <[EMAIL PROTECTED]> wrote:
> Hey,
>
> I read the pf.conf and the pfctl manpages as I am trying to set up
> some special rules for my OpenBSD Server (3.7).
>
> Basically I want to block connections to my local network from the
> machine unless the user is in the group wheel or is under the username
> "named", for obvious purposes. This server is used for SSH accounts
> for various people and I don't want to put my whole network at risk of
> brute force attacks, etc. from their accounts if one gets compromised
> (user leaks password, etc.).
>
> The following is my /etc/pf.conf
>
> -bash-3.00# cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> localaddr = "{192.168.1.15 127.0.0.1}"
> if = "xl0"
>
> table <localnet> const { 192.168.1/24 }
> table <banned> persist file "/etc/banned"
>
> block drop in on $if from <banned> to $localaddr
> block drop out on $if from $localaddr to <banned>
>
> block drop out from $localaddr to <localnet>
> pass out from $localaddr to <localnet> group wheel
> pass out from $localaddr to <localnet> user named
>
> ---
>
> Despite that this looks to my eyes like it would work fine, it is
> still letting non-wheel users make connections to the local network.
> From the notion I am guessing that something is wrong and needs
> changing. I was hoping someone on the list would have more experience
> with it (well, obviously any experience is more than mine as I have
> just been dabbling for a few hours) and be able to find the problem.
>
> Whenever I made changes to /etc/pf.conf I executed the following to
> load the new rules...
>
> -bash-3.00# pfctl -F all
> rules cleared
> nat cleared
> 1 tables deleted.
> altq cleared
> 0 states cleared
> source tracking entries cleared
> pf: statistics cleared
> pf: interface flags reset
> -bash-3.00# pfctl -f /etc/pf.conf
>
> ---
>
> Thanks in advance,
> John.
>
> --
> John Kintaro Tate
> Mobile: 0413 348 815 (Yep, old number, but I have a new phone)
>
> Attention all Internet users, is life getting you down? Are you so
> happy you could chainsaw an innocent bystander and LAUGH? Do you
> believe in God? Do you not believe in God? Have you found yourself
> stranded on prehistoric Earth for 5 years? If so, if you do anything
> at all there are people who care at the Kintaro Labs Forum, join now
> and after you reach 50 posts you get a free OpenBSD shell account!
> http://labs.kintaro.noobify.com
>
> Personal Website: http://kintaro.noobify.com
>
--
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)

Attention all Internet users, is life getting you down? Are you so
happy you could chainsaw an innocent bystander and LAUGH? Do you
believe in God? Do you not believe in God? Have you found yourself
stranded on prehistoric Earth for 5 years? If so, if you do anything
at all there are people who care at the Kintaro Labs Forum, join now
and after you reach 50 posts you get a free OpenBSD shell account!
http://labs.kintaro.noobify.com

Personal Website: http://kintaro.noobify.com
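A tightened version of the ruleset in the quoted message, added here as an example; it is not the poster's own config. It keeps the interface name and addresses from the post (xl0, 192.168.1.15, 192.168.1/24) and assumes the named user only needs DNS (port 53) on the LAN; widen that rule if named must reach other local services. Two things the posted rules leave implicit are worth making explicit: pf's "user" and "group" options only match TCP and UDP packets that belong to a socket on this host, so any other protocol (ICMP, for instance) is caught by the blanket block regardless of who sent it; and nothing in pf.conf enables pf, which is the step the reply at the top found missing. The loading commands are given as comments at the end.

```pf
# /etc/pf.conf  (added example; interface and addresses taken from the post)
ext_if    = "xl0"
localaddr = "{ 192.168.1.15, 127.0.0.1 }"

table <localnet> const { 192.168.1/24 }
table <banned> persist file "/etc/banned"

# Ban list first. 'quick' stops rule evaluation at the match, so no later
# pass rule can override it (without 'quick', the last matching rule wins).
block drop in  quick on $ext_if from <banned> to $localaddr
block drop out quick on $ext_if from $localaddr to <banned>

# Default for this host: nothing may initiate connections to the LAN.
block drop out from $localaddr to <localnet>

# Exceptions. user/group only match TCP and UDP with a local socket, so
# state the protocols explicitly; no other protocol gets past the block
# above, even for wheel. 'keep state' is spelled out because OpenBSD 3.x
# rules are not stateful by default.
pass out proto { tcp, udp } from $localaddr to <localnet> group wheel keep state
# Assumption: named only needs DNS on the LAN (port 53).
pass out proto { tcp, udp } from $localaddr to <localnet> port 53 user named keep state

# Loading and checking, as root:
#   pfctl -nf /etc/pf.conf   # parse only; reports syntax errors without touching live rules
#   pfctl -f  /etc/pf.conf   # replaces the whole ruleset in one step; a preceding
#                            # 'pfctl -F all' is not needed and leaves the host
#                            # unfiltered in between
#   pfctl -e                 # enable pf; a loaded ruleset is ignored while pf is disabled
#   pfctl -si | grep Status  # must show "Status: Enabled"
#   pfctl -vsr               # loaded rules with per-rule packet/byte counters
# Put pf=YES in /etc/rc.conf.local so pf comes up enabled after a reboot.
```

To confirm the rules bite, open a TCP connection to a LAN host from a non-wheel shell account and from a wheel account, then compare the counters in "pfctl -vsr": the block rule's counters should move for the first attempt and the group wheel pass rule's for the second. If neither counter moves, pf is still disabled.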