I made a mistake; in fact I deny access by default even to those ports that are normally available from localhost.

I did this because I see nothing listening on those ports, and gnome is running through sockets. I just don't understand why the range tcp 6000:6010 should be available from localhost. Everything runs perfectly with the rule "block in all" instead of "block in on ! lo0 proto tcp to port 6000:6010". Necessary ports are opened individually, of course.

Rgds,
JF

On Sunday 29 August 2010 20:59:11, TeXitoi wrote:
> ropers <rop...@gmail.com> writes:
> > I don't understand. Why are you not running a default deny setup?
>
> Maybe because this pf.conf is the default one.
>
> > On 29 August 2010 14:45, Jean-Francois <jfsimon1...@gmail.com> wrote:
> > > Hi,
> > >
> > > One question, I run gnome on openbsd 4.7 and apparently there is
> > > no reason to keep the following rule since nothing listens to
> > > those ports on my machine.
> > >
> > > block in on ! lo0 proto tcp to port 6000:6010
> > >
> > > I verified with netstat that there is nothing listening on any of
> > > the tcp ports in the range 6000-6010.
> > >
> > > May you please confirm that there is no security issue with
> > > removing this rule?
>
> Why do you want to remove it? If you don't need to, don't remove it. If
> you want to modify pf.conf, better to use a default block and allow
> only the necessary.
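The two rulesets being compared in the thread, written out as an added example (this is not the poster's pf.conf and not the OpenBSD project's shipped file; the shape of the stock ruleset in the comment block and the `mgmt_net` address are assumptions):

```pf
# Constructed example, not the page's own pf.conf.
# Shape of the stock ruleset the thread is discussing (assumed):
# everything passes, with one explicit exception for X11's TCP ports,
# so an X server reachable off-host is blocked even if nobody noticed it.
#
#   set skip on lo0
#   block in on ! lo0 proto tcp to port 6000:6010
#   pass
#
# Default-deny variant, as the reply recommends: nothing comes in
# unless a later rule passes it, so the X11 rule becomes redundant.
set skip on lo0

# pf evaluates the last matching rule (no "quick"), so the catch-all
# goes first and specific passes follow it.
block in all
pass out all

# Only what this host actually serves: ssh, and only from a management
# network (192.0.2.0/24 is a documentation prefix; substitute your own).
mgmt_net = "192.0.2.0/24"
pass in on egress proto tcp from $mgmt_net to port ssh

# Nothing passes 6000:6010, so "block in on ! lo0 proto tcp to port
# 6000:6010" is redundant here. Keeping it is harmless, and it still
# protects you if a broad "pass in" rule is later added below it.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the first form parses the rules without installing them, so a syntax error cannot leave the host without a ruleset.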