On 2012-01-05, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> On Thu, 5 Jan 2012 09:21:16 +0100
> Rafal Bisingier <ra...@man.poznan.pl> wrote:
>
>> Hi,
>> 
>> On Thursday, 05 Jan 2012 at 09:00 CET
>> Robert Wolf <r.wolf.c...@gmail.com> wrote:
>> 
>> > ----
>> > table <OutNetworks> const { .... }
>> > pass quick proto tcp from <OurNetworks> to any port 22 no state
>> > pass in quick proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22

Surely better to have ssh listen on the additional port if it's needed?
Whatever reason you have for using PF without keeping state presumably
applies to port 2222 as well.

>> > block quick proto tcp from any to any port 22
>> > ----
>> > 
>> > But of course, the last rule blocks all SSH traffic going from
>> > unknown networks to all hosts.
>> > 
>> > 
>> > Could someone please help me create PF rules to block only
>> > traffic going to the local machine from networks other than OutNetworks,
>> > similarly to the iptables rule above?
>> 
>> Just replace "to any" with "to self". Should do what you want.
>> 
>> > I have read the PF manual but not found any possibility to tell pf "to
>> > LOCAL-HOST". I have searched with Google but found no relevant articles;
>> > maybe I have not asked correctly.
>> 
>> Well, it's not very easy to find, but the "self" word is explained in
>> the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load. 

Unless enclosed by parentheses; "block proto tcp to (self) port ssh"
*is* evaluated each time. However on a router with relatively static
IP address configuration, it's often helpful to avoid the overhead
of lookups for each packet (especially if you're not keeping state...).
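The two forms discussed in this thread side by side, as an added example that is not part of any message above. It assumes OpenBSD pf with the 4.7+ syntax; the table contents are placeholders, and the rules keep the thread's "quick" and "no state" choices only so the example matches the original ruleset:

```pf
# Added example, not from the thread. Addresses are placeholders.
table <OurNetworks> const { 192.0.2.0/24, 2001:db8::/32 }

# Bare "self" is expanded to this host's addresses when the ruleset is
# loaded (pfctl -f). No per-packet lookup, but a changed interface address
# is not seen until the ruleset is reloaded.
pass quick proto tcp from <OurNetworks> to self port 22 no state

# "(self)" in parentheses is resolved for every packet, so it follows
# address changes without a reload, at the cost of a lookup per packet.
block quick proto tcp from any to (self) port 22

# Neither rule says "to any", so SSH that merely transits this router
# towards other hosts is not matched here and falls through to later rules.
```

A ruleset would normally pick one style rather than mix them; they are mixed above only to show both. Check the syntax without loading with `pfctl -nf /etc/pf.conf`, and after loading inspect `pfctl -sr`: the bare `self` rule appears expanded into one rule per local address, while the `(self)` rule is listed as written. If sshd is simply told to listen on both ports (two `Port` lines in sshd_config), the `rdr-to 127.0.0.1 port 22` rule from the original message is not needed at all.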
