/var/log/pflog empty
From: Rod.. Whitworth (listen witworx.com)
Date: Wed Mar 15 2006 - 21:27:06 CST
I have about a dozen OpenBSD firewalls "out there" and most of them are
pretty minimal having a NATted LAN and the only traffic allowed in
(other than replies to outbound) is ssh.
The pf.confs are pretty much modifications of a template one with just
the LAN IPs changing.
The changes in /etc/* are also the same for all of them.
Just one is not getting anything in pflog. pflogd is running. ps auxwww
says:
_pflogd 14121 0.0 0.1 640 244 ?? S 15Feb06 0:21.15
pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
There are rules like:
block return-icmp in log quick from <ssh-scan>
in there and currently pfctl -t ssh-scan -Ts gives:
61.134.32.18
61.175.248.131
69.60.110.241
125.246.21.3
199.227.176.178
201.20.202.202
203.200.36.253
211.155.23.65
211.162.78.106
212.74.113.212
218.108.1.180
218.206.96.174
220.117.241.46
220.117.241.87
220.119.33.251
220.132.113.163
221.224.14.157
So you would expect to see <something> in the pflog as those guys would
have tried at least once after being tabled.
I've been working with too little sleep so I am missing some little
detail but it is a bit embarrassing when I try to show a user all the
nasties our log shows as being blocked and the output is null.
Somebody wake me up please. I have looked too long at the forest from
too close up.
From the land "down under": Australia.
Do we look <umop apisdn> from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
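One quick sanity check when pflog stays empty is to confirm that the rules you expect to see are actually marked `log`, since pf only hands a packet to pflogd when the matching rule carries that keyword. The script below is an added example, not the poster's configuration or any OpenBSD tool: it parses a constructed pf.conf fragment that mirrors the rule shape described in the post, reports block rules that lack `log`, and lists the rules that reference a given table such as `<ssh-scan>`.

```python
import re

# Constructed sample pf.conf fragment (assumption: modelled on the rule
# quoted in the post, not the poster's real /etc/pf.conf).
SAMPLE_PF_CONF = """
table <ssh-scan> persist
block return-icmp in log quick from <ssh-scan>   # logged: will reach pflog
block in all                                     # not logged: silent drop
pass in on $ext_if proto tcp to port ssh keep state
pass out keep state
"""

# A filter rule begins with one of these actions; table and macro lines do not.
RULE_RE = re.compile(r'^(block|pass|match)\b(.*)$')


def parse_rules(text):
    """Return a list of dicts describing each filter rule in a pf.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                           # table/macro/option lines
        action, rest = m.group(1), m.group(2)
        tokens = rest.split()
        rules.append({
            'text': line,
            'action': action,
            # "log" may appear bare or as "log (all)"; the bare token is
            # present in both cases once split on whitespace.
            'log': 'log' in tokens,
            'quick': 'quick' in tokens,
            'tables': re.findall(r'<([^>]+)>', rest),
        })
    return rules


def unlogged_block_rules(rules):
    """Block rules that can never produce a pflog entry (no 'log' keyword)."""
    return [r['text'] for r in rules if r['action'] == 'block' and not r['log']]


def rules_referencing_table(rules, name):
    """Rules that match against the named table, e.g. 'ssh-scan'."""
    return [r['text'] for r in rules if name in r['tables']]


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_PF_CONF)
    print('block rules without log:')
    for r in unlogged_block_rules(parsed):
        print('  ', r)
    print('rules using <ssh-scan>:')
    for r in rules_referencing_table(parsed, 'ssh-scan'):
        print('  ', r)
```

Run it against the real file with `python3 check.py < /etc/pf.conf` after swapping the constant for `sys.stdin.read()`; a block rule that shows up under "without log" silently drops traffic and will never appear in `tcpdump -n -e -ttt -r /var/log/pflog` output, which is a common reason the log looks empty even though pfctl shows the table is populated.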