On 8/9/07 3:22 AM, Joachim Schipper wrote:

>> # Allow quick valid traffic to ssh but log all attempts as well
>> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>>     to $unpro port ssh $SSH_LIMIT
>
> Skip '! <scanners>' unless it's intended as documentation; you have
> already filtered this traffic in the rule above.
>
> It's not surprising that this rule fails to limit ssh connections to
> another host; that's what 'to $unpro' tells pf to do, after all.

Couple of clarification questions:

1. When you say "skip" something, you mean just delete the string
'! <scanners>' and not the whole rule, correct?

> If you do remove 'to $unpro', you might want to add something like
> 'from ! $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }'
> is legal syntax, but not sensible.)

2. Shouldn't it be 'to $unpro:network' here since we're substituting one
'to' condition with another?

Thanks -- your comments make great sense.

dn
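An added pf.conf fragment, not part of dn's or Joachim's messages, that lays the rule out the way Joachim's reply suggests: drop 'to $unpro' so forwarded ssh traffic is covered, and add 'from ! $unpro:network' so only connections arriving from outside the local network are rate-limited. The interface name, the <scanners> table definition, the preceding block rule and the expansion of $SSH_LIMIT are assumptions, since the thread does not show them.

```pf
# Assumed definitions (the thread does not show them):
unpro = "em0"                 # unprotected / external interface
table <scanners> persist      # hosts that tripped the ssh rate limit

# Assumed expansion of $SSH_LIMIT: state options that feed <scanners>.
# Macros are plain text substitution, so a multi-word macro is fine here.
SSH_LIMIT = "keep state (max-src-conn-rate 3/30, overload <scanners> flush global)"

# The "rule above" Joachim refers to: known scanners are dropped first,
# which is why '! <scanners>' on the pass rule is redundant.
block in log quick on $unpro from <scanners>

# Rate-limit ssh from outside our own network, whatever host it is headed
# for. Without 'to $unpro' the rule also matches traffic forwarded through
# this box, and 'from ! $unpro:network' keeps local hosts out of the limit.
pass in log quick on $unpro inet proto tcp from ! $unpro:network \
    to any port ssh $SSH_LIMIT
```

Check the result with 'pfctl -nf /etc/pf.conf' before loading it, and watch the table fill with 'pfctl -t scanners -T show'.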