Use e.g. tcpdump(8) to see what's going on on your interface, but with these rules you allowed only SSH traffic and nothing more, so you really need to change this. And change your antispoof too because of this:

NOTE: The filter rules that the antispoof rule expands to will also block packets sent over the loopback interface to local addresses. It's best practice to skip filtering on loopback interfaces anyways, but this becomes a necessity when using antispoof rules:

    set skip on lo0
    antispoof for fxp0 inet

On Sat, May 8, 2010 at 12:48 AM, x x <tonino-pa...@lycos.com> wrote:
> When I try to run cvs for src/ports/xenocara it doesn't work, but when I
> disable PF it works fine. What is the issue? What port do I allow out to
> install from ports? How can I tighten up my rules?
>
> ext_if = "dc0"
> int_if = "lo0"
>
> block all
> match in all scrub (no-df random-id)
> antispoof quick for { $ext_if, $int_if }
> pass in quick on $ext_if proto tcp from 192.168.1.1 port 22
> pass quick proto tcp from any to any port ssh \
> flags S/SA keep state \
> (max-src-conn 1, max-src-conn-rate 1/60)
> pass out on $ext_if proto tcp from port 22
>
> -- http://www.openbsd.org/lyrics.html
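
Added example, not part of the original thread and not either poster's ruleset: one way the quoted pf.conf could be reworked along the lines of the reply, with loopback skipped, antispoof limited to dc0, and explicit outbound rules. It assumes cvs is run over ssh, that ports distfiles are fetched over HTTP/HTTPS, and that 192.168.1.1 (taken from the posted rules) is the only host allowed to connect in by SSH.

```pf
# Constructed example; interface and address are taken from the quoted rules.
ext_if = "dc0"

# Do not filter loopback at all, so the antispoof expansion cannot
# block local traffic to local addresses.
set skip on lo0

# Default deny, then normalise inbound packets.
block all
match in all scrub (no-df random-id)

# Antispoof only for the external interface, not lo0.
antispoof quick for $ext_if inet

# Outbound name resolution; without it hostnames used by cvs and the
# ports fetch never resolve while "block all" is in effect.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port domain

# Outbound services (assumption): ssh for cvs, www/https for distfiles.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { ssh, www, https }

# Inbound SSH from the single admin host (assumption), rate limited
# with the same limits as in the quoted ruleset.
pass in on $ext_if inet proto tcp from 192.168.1.1 to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 1/60)
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and use tcpdump on pflog0 (after adding "log" to the block rule) to see what is still being dropped.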