[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problem with my config?



<snip>
> > ATTACHMENT part 2 application/octet-stream name=pf.conf.20041015
> 
> I took a look and I can say that you should redesign the whole thing.  The
> common and effective
> strategy is to take a block (in ext_if) by default stance.  Then, still
> common, because it
> makes things simple, you allow all traffic out and keep state on it.
Actually, I already do that. The "block log all" takes care of that.
> This rule is allowing your box to be attacked:
> 
> pass in log on $ext_if proto tcp from any to <protected> port $tcp_in keep
> state
> 
> Where port 22 is included in $tcp_in.  Why are you allowing hosts to connect
> to your box from
> the internet?  Do *you* need to do this?  Very bad idea.  If you must then at
> least make it so
> sshd will not allow root to connect directly (see /etc/ssh/sshd_config and
> look at
> PermitRootLogin parameter).  You may also want to be less open by not using
> the "any" keyword.
Yes I do need this. My boss and I frequently ssh to the computers behind the
firewall.
It's not so much that I'm concerned about the attacks as I am about why traffic
is getting through that shouldn't be. After I added an IP to my block list,
some packets still got through (although most do not).
Thanks,
Joe
=====
"An eye for an eye soon makes the whole world blind."
   --Mahatma Gandhi