This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[7.507] default drop not working on local interfaces

I noticed recently that I could SSH from my home firewall to my LAN.
I figured I must have left a PF rule for that on, but when I checked, there was no such rule.

Furthermore, I've now found that I can make TCP connections to any address/any port from the firewall, including ports for which I have no services defined. [:(]

To rule out a bad PF, I've tried adding a PF rule at the top:
source External (Address), any, any, logdrop.

I've disabled my 1 SNAT rule, and double-checked all my DNATs.

But I can still make outgoing connections on random ports.

I can't figure this out; anyone have an idea?

I can give SSH access to Astaro personnel.

I'll attach my iptables output in a minute.

Thanks,
Barry

This thread was automatically locked due to age.

Parents

0 BarryG over 15 years ago

Hi Bob,
That SNAT sounds like it would create traffic that the ISP would drop.

Normally, you MUST create PF's for traffic FROM the firewall, e.g. if I want to ftp or SCP a log file from the firewall to a remote server, I normally create a PF rule for it.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 15 years ago

Hi Bob,
That SNAT sounds like it would create traffic that the ISP would drop.

Normally, you MUST create PF's for traffic FROM the firewall, e.g. if I want to ftp or SCP a log file from the firewall to a remote server, I normally create a PF rule for it.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data