On 8/9/07 10:24 AM, David Newman wrote:
> On 8/9/07 3:22 AM, Joachim Schipper wrote:
>
>>> # Allow quick valid traffic to ssh but log all attempts as well
>>> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>>> to $unpro port ssh $SSH_LIMIT
>> Skip '! <scanners>' unless it's intended as documentation; you have
>> already filtered this traffic in the rule above.
>
>> It's not surprising that this rule fails to limit ssh connections to
>> another host; that's what 'to $unpro' tells pf to do, after all.
>
> Couple of clarification questions:
>
> 1. When you say "skip" something, you mean just delete the string '!
> <scanners>' and not the whole rule, correct?
>
>
>> If you
>> do remove 'to $unpro', you might want to add something like 'from !
>> $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }' is
>> legal syntax, but not sensible.)
>
> 2. Shouldn't it be 'to $unpro:network' here since we're substituting one
> 'to' condition with another?
>
> Thanks -- your comments make great sense.
Sorry, scratch question 2. Obviously 'from' is correct.
Is this what you meant:
pass in log quick on $unpro inet proto tcp \
from ! $unpro:network to any port ssh flags S/SA \
keep state $SSH_LIMIT
# 'to any port ssh' is needed: a bare 'port ssh' after 'from' would match the source port
thanks
undercaffeinated dn
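A complete pf.conf fragment showing how the rule under discussion fits with the <scanners> table and a source-rate limit. This is an added example, not from anyone in the thread; the interface name, the limit values in the ssh_limit macro, and the table contents are assumed.

```pf
# Added example (not from the thread). Assumed: em0 is the unprotected interface,
# and the limit values below are illustrative.
unpro = "em0"
ssh_limit = "(max-src-conn 10, max-src-conn-rate 5/30, overload <scanners> flush global)"

# Hosts that trip the limit are added here; 'persist' keeps the table across reloads.
table <scanners> persist

# Drop (and log) anything from a host already flagged as a scanner, before the ssh rule.
block in log quick on $unpro from <scanners>

# ssh from outside the local network: allowed, logged, and state-limited per source.
# 'to any port ssh' is required; 'from ... port ssh' would match the source port instead.
pass in log quick on $unpro inet proto tcp \
    from ! $unpro:network to any port ssh \
    flags S/SA keep state $ssh_limit
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect which hosts the overload has collected with `pfctl -t scanners -T show`.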