sshd and my firewall (ipf)
Gerald Combs
gerald at ethereal.com
Thu May 16 19:07:15 CDT 2002
On Tue, 16 Jul 2002, Marvin Bellamy wrote:
> I hope this makes it to the list. I just closed my work account until I
> can reopen it from my home email account. I'm trying to open up my
> firewall to ssh clients on the public internet. However, one of the
> following rules blocks ssh sessions:
>
> block return-rst in on ep0 proto tcp from any to any flags S/SA
> block return-rst in on ep0 proto tcp from any to any port=auth flags S/SA
>
> Even adding these rules, it continues to drop ssh packets:
>
> pass in on ep0 proto tcp from any to 0/32 port = ssh flags S/SA keep state
> pass in on ep0 proto udp from any to 0/32 port = ssh
Are the "pass" rules listed before or after the "block" rules? Ipfilter
(and pf) use the _last_ rule that matches; if your block rules are listed
after your match rules they'll be the ones that apply. You can force
processing to stop on a particular rule with the "quick" option, e.g.

pass in quick on ep0 proto tcp from any to any port = ssh keep state

> Question #2, what do other users do with the IPs you see in scans of
> your system?
These aren't port scans, but this is what I do with the addresses of
people who try to harvest email addresses from my site:
http://www.ethereal.com/spamreport.html
You could also run LaBrea to slow down any Code Red/Nimda infected hosts
that are still around: http://www.hackbusters.net/LaBrea/.
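
The last-match and "quick" behaviour described in the reply above, as an added example that is not part of the original message: a simplified Python model (not ipfilter's own parser) that evaluates constructed rule sets mirroring the thread's rules against an inbound TCP SYN to port 22. The dictionary rule format, all names, and the default action of "pass" are assumptions of the example.

```python
# Simplified model of ipfilter-style rule evaluation (illustration only,
# not ipf's parser). Only inbound TCP SYN packets are modelled, so the
# "flags S/SA" condition on the thread's rules is taken as always true.

SSH = 22

def matches(rule, packet):
    """A rule field left out (None) matches any value."""
    if rule.get("proto") not in (None, packet["proto"]):
        return False
    if rule.get("dport") not in (None, packet["dport"]):
        return False
    return True

def evaluate(rules, packet, default="pass"):
    """Walk every rule in order; the last match wins, unless a matching
    rule is marked quick, which stops processing at that rule.
    The default action for unmatched packets is an assumption here."""
    verdict = default
    for rule in rules:
        if not matches(rule, packet):
            continue
        verdict = rule["action"]
        if rule.get("quick"):
            break
    return verdict

# Constructed rules mirroring the ones quoted in the thread.
BLOCK_SYN = {"action": "block", "proto": "tcp"}               # block ... flags S/SA
PASS_SSH = {"action": "pass", "proto": "tcp", "dport": SSH}   # pass ... port = ssh
PASS_SSH_QUICK = dict(PASS_SSH, quick=True)                   # pass in quick ...

# Constructed sample packets: inbound TCP SYNs.
syn_to_ssh = {"proto": "tcp", "dport": SSH}
syn_to_http = {"proto": "tcp", "dport": 80}

def verdicts(packet):
    """Verdict for the same packet under three rule orderings."""
    return {
        "pass_then_block": evaluate([PASS_SSH, BLOCK_SYN], packet),
        "block_then_pass": evaluate([BLOCK_SYN, PASS_SSH], packet),
        "quick_pass_then_block": evaluate([PASS_SSH_QUICK, BLOCK_SYN], packet),
    }

if __name__ == "__main__":
    for name, packet in (("ssh", syn_to_ssh), ("http", syn_to_http)):
        print(name, verdicts(packet))
```
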