
Re: Bastion host



My apologies, my previous reply was sent as HTML.
If I'm reading this correctly you are blocking all
incoming packets except for allowing this host to ssh
back to itself. Is this really what you want to do?
Regards
Simon
 --- Martin Randall <[email protected]> wrote: 
> Hello.
> 
> I was following the instructions in building
> firewalls with openbsd 
> appendix C.2 Bastion host II (some access allowed).
> 
> The reason, I just wanted to log any sweeps,
> connections internally to the 
> machine.
> 
> When I turn it on
> 
> pfctl -e -f /etc/pf.conf
> 
> It locks everything out and there is no logging in
> /var/log/pflog0
> 
> This is the code as per the book with comments
> removed.  I changed the 
> ext_if to my nic
> 
> ext_if="fxp0"
> 
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
> 
> scrub in all
> scrub out all
> 
> block in log all
> 
> pass out quick on $ext_if inet \
> from ($ext_if) to any flags S/SA keep state
> 
> pass in quick on $ext_if inet proto tcp \
> from ($ext_if) \
> to ($ext_if) port 22 \
> flags S/SA synproxy state
> 
> antispoof for $ext_if
> 
> 
> Why doesn't this work ?
> 
> What is the fix/solution ?
> 
> Regards...
>  
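The rule set below is an added example, not the book's text and not either poster's configuration. It keeps the quoted bastion rules but changes the inbound SSH rule so that it admits an assumed management subnet (the 192.0.2.0/24 documentation range, a placeholder) instead of only the host's own address, which is the reading Simon gives of the original `from ($ext_if) to ($ext_if) port 22` line. It also annotates what `set loginterface` and the `log` keyword each do, since the two are easy to confuse when log output does not appear.

```pf
# Added example (not from the book or the original post).
# admin_net is an assumed placeholder; replace it with the real management range.
ext_if    = "fxp0"
admin_net = "{ 192.0.2.0/24 }"

set require-order yes
set block-policy drop
set optimization normal
# loginterface only enables per-interface packet/byte counters for
# 'pfctl -s info'; it has no effect on what the 'log' keyword sends to pflog0.
set loginterface none

scrub in all
scrub out all

# Default deny inbound. Every packet this rule drops is written to the pflog0
# interface, which pflogd stores in /var/log/pflog.
block in log all

# Let the bastion originate connections; replies are matched by state.
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA keep state

# Original rule kept for contrast: source and destination are both the
# interface's own address, so it matches only the host talking to itself.
#pass in quick on $ext_if inet proto tcp \
#    from ($ext_if) to ($ext_if) port 22 \
#    flags S/SA synproxy state

# Accept SSH from the management subnet only. synproxy completes the TCP
# handshake in pf before the listening sshd sees the connection.
pass in quick on $ext_if inet proto tcp \
    from $admin_net to ($ext_if) port 22 \
    flags S/SA synproxy state

antispoof for $ext_if
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`) before `pfctl -e -f /etc/pf.conf`, and do so from the console rather than an SSH session, since the original rule set drops every remote connection the moment it loads. To confirm that `block in log all` is producing records, watch the log interface live with `tcpdump -n -e -ttt -i pflog0` or read the file pflogd writes with `tcpdump -n -e -ttt -r /var/log/pflog`.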