Hallo all, thank you for your answers.
> > > ----
> > > table <OutNetworks> const { .... }
> > > pass quick proto tcp from <OurNetworks> to any port 22 no state
> > > pass in quick proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22
> > > block quick proto tcp from any to any port 22
> > > ----
> > >
> > > But of course, the last rule blocks every SSH traffic going from
> > > unknown networks to all hosts.
> >
> > Just replace "to any" to "to self". Should do what you want.

*** YES! :-) That is the keyword I was looking for :-)

> > > I have read PF manual but not found any possibility to tell pf "to
> > > LOCAL-HOST". I have search with google but no relevant articles
> > > found, maybe I have not asked correct.
> >
> > Well, it's not very easy to find, but the "self" word is explained in
> > the manual.

*** Oh, I see it now. It is in the TABLES section. I had looked for it in the PACKET FILTERING section, in the part on the syntax of "from port os to port".

> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load.

*** Hmmmm, OK, it is not the same as iptables -I INPUT, but at least I can create one rule without defining IP addresses or interfaces. Great, thank you for the info.

I have updated my rules to

pass in quick proto tcp from any to (self) port 2222 rdr-to 127.0.0.1 port 22
block quick proto tcp from ! <OurNetwork> to (self) port 22 no state

We use "pass flags any no state" because this machine works as a router, but I want to block incoming SSH traffic.

> Surely better to have ssh listen on the additional port if it's needed?
> Whatever reason you have for using PF without keeping state presumably
> applies to port 2222 as well.

*** You are right. I can configure SSH on both ports 22 and 2222. I want to have port 22 because of access from our networks with a strict firewall allowing SSH on port 22. But for access from unknown networks I want to have the additional port 2222 open. And I wanted to have as few files changed as possible.
I have changed pf.conf already, so I wanted to make updates only in pf.conf. But it's no problem to update sshd_config too.

> Unless enclosed by parentheses; "block proto tcp to (self) port ssh"
> *is* evaluated each time. However on a router with relatively static
> IP address configuration, it's often helpful to avoid the overhead
> of lookups for each packet (especially if you're not keeping state...).

*** Cool, applied :)

> start with block rule without "quick", then apply pass rules.
> something like this:
> table <OutNetworks> const { .... }
> block proto tcp from any to any port 22
> pass quick proto tcp from <OurNetworks> to any port 22 no state
> pass in quick proto tcp from any to any port 2222 rdr-to 127.0.0.1 port 22

*** This does not work. We have one rule "pass flags any no state" after this block because the machine is a router and we want to pass everything. If I move this block after that "pass any", it would block every SSH traffic going through. The solution with (self) is the best one. I will try to find a little better solution for all non-SSH packets to be passed before the SSH check, something like

==========
pass out quick flags any no state
pass in quick proto ! tcp flags any no state
pass in quick proto tcp from any to any port ! 22 flags any no state
## start sshd on port 22 and 2222 instead ##
## pass in quick proto tcp from any to (self) port 2222 rdr-to 127.0.0.1 port 22
block in quick proto tcp from ! <OurNetwork> to (self) port 22 no state
pass flags any no state
==========

Is this better?

Thank you all for your answers.

Regards,

Robert Wolf.
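To see why the "block first, then pass" ordering fails on a router with a trailing "pass flags any no state" while the (self) rule does not, here is an added toy model of pf's rule-ordering semantics (last matching rule wins unless a match carries "quick"); it is not pf itself and not part of this thread. The addresses, the <OurNetworks> membership and the router's own address are constructed stand-ins, and in/out direction and the port 2222 rdr-to rule are left out.

```python
import ipaddress as ipa
# Constructed stand-ins: table <OurNetworks> and the router's own address ("self").
OUR_NETWORKS = [ipa.ip_network("10.0.0.0/8")]
SELF = {ipa.ip_address("192.0.2.1")}

def from_ours(p): return any(p["src"] in n for n in OUR_NETWORKS)  # from <OurNetworks>
def not_ours(p):  return not from_ours(p)                           # from ! <OurNetworks>
def to_self(p):   return p["dst"] in SELF                           # to (self)
def ssh(p):       return p["proto"] == "tcp" and p["dport"] == 22   # proto tcp ... port 22
def any_pkt(p):   return True                                       # "pass flags any"

def rule(action, *conds, quick=False):  # one pf rule: action, 'quick', predicates
    return (action, quick, conds)

def evaluate(rules, p):
    """pf ordering: the last matching rule wins, unless a match carries 'quick'."""
    verdict = "pass"  # pf's default when no rule matches
    for action, quick, conds in rules:
        if all(c(p) for c in conds):
            verdict = action
            if quick:
                break
    return verdict

# Suggested in the thread: non-quick block first, pass rules after it, then the
# router's catch-all "pass flags any no state" at the end.
BLOCK_FIRST = [rule("block", ssh),
               rule("pass", from_ours, ssh, quick=True),
               rule("pass", any_pkt)]
# Robert's (self) version: only non-<OurNetworks> SSH to the router itself is blocked.
SELF_RULESET = [rule("block", not_ours, to_self, ssh, quick=True),
                rule("pass", any_pkt)]

def pkt(src, dst, dport, proto="tcp"):
    return {"src": ipa.ip_address(src), "dst": ipa.ip_address(dst),
            "proto": proto, "dport": dport}

# Constructed packets: unknown net to the router, unknown net forwarded through
# the router, and our own net to the router (all TCP port 22).
PACKETS = [pkt("203.0.113.9", "192.0.2.1", 22),
           pkt("203.0.113.9", "198.51.100.5", 22),
           pkt("10.1.2.3", "192.0.2.1", 22)]

def verdicts(rules):
    return tuple(evaluate(rules, p) for p in PACKETS)

if __name__ == "__main__":
    print("block-first:", verdicts(BLOCK_FIRST))  # the catch-all pass undoes the block
    print("(self):     ", verdicts(SELF_RULESET))
```

With the block-first ordering every SSH packet ends up passed because the non-quick block is overridden by the final catch-all; the (self) ruleset blocks only unknown-network SSH aimed at the router and still forwards SSH through it.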