Re: Bastion host

Martin Randall
>pfctl -e -f /etc/pf.conf
>It locks everything out and there is no logging in /var/log/pflog0
Drink directly from the logging interface using
tcpdump -l -e -t -i pflog0
The 'l' flag is important; season with -n if appropriate.
>This is the code as per the book with comments removed.  I changed the 
>ext_if to my nic
>set require-order yes
>set block-policy drop
Change that to 
set block-policy return 
until you have a working policy. 
>set optimization normal
>set loginterface none
>scrub in all
>scrub out all
>block in log all
block log all will suffice
>pass out quick on $ext_if inet \
>from ($ext_if) to any flags S/SA keep state
>pass in quick on $ext_if inet proto tcp \
>from ($ext_if) \
change this to !($ext_if)
>to ($ext_if) port 22 \
>flags S/SA synproxy state
>antispoof for $ext_if
get rid of this until you have a working policy. 
Yeah - straight from the top of my dome 
As I rock, rock, rock, rock, rock the microphone
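The original poster's ruleset with Martin's changes applied (block-policy return, a plain "block log all", "!($ext_if)" on the inbound SSH rule, and antispoof commented out until the policy works). This is an added example, not a file from the thread; the interface name em0 is an assumption.

```pf
# /etc/pf.conf - debugging version of the bastion host ruleset
ext_if = "em0"            # assumption: replace with your NIC

set require-order yes
set block-policy return   # send RST/ICMP unreachable instead of silently dropping
set optimization normal
set loginterface none

scrub in all
scrub out all

# Every blocked packet is logged to pflog0; watch it live with:
#   tcpdump -l -e -t -n -i pflog0
block log all

# Outbound from the host itself, stateful
pass out quick on $ext_if inet from ($ext_if) to any \
    flags S/SA keep state

# Inbound SSH from anywhere except our own address, SYN-proxied
pass in quick on $ext_if inet proto tcp from !($ext_if) \
    to ($ext_if) port 22 flags S/SA synproxy state

# Re-enable once the policy above is confirmed working
# antispoof for $ext_if
```

Load it with "pfctl -e -f /etc/pf.conf" as in the thread; "pfctl -nf /etc/pf.conf" first only parses the file, which catches syntax errors before anything is locked out.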