#3
2nd December 2017
bsd007
Always learning
Join Date: Sep 2014
Posts: 216

Originally Posted by jggimi:
No, it does not. In PF, the last matching rule wins.

The only incoming traffic that is blocked is remote X Terminal traffic (TCP ports 6000-6010), as this is a block that follows your completely wide open pass rule.

The prior block return rule will never be applied, as it will never be the last matching rule.
Please give me a secure configuration which basically drops all incoming and allows outgoing.

#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
# See pf.conf(5) and /etc/examples/pf.conf

# Loopback is never filtered: traffic between local processes (and any
# scan run from this host against its own addresses) bypasses the rules.
set skip on lo

## block return         # block stateless traffic
## pass         # establish keep-state

# Last matching rule wins. Nothing below overrides this for inbound
# traffic on non-loopback interfaces, so all incoming connections are dropped.
block in all
# Outbound connections are allowed; "keep state" lets their replies back in
# without a matching "pass in" rule.
pass out all keep state

# By default, do not permit remote connections to X11
# (redundant here: "block in all" already covers TCP 6000-6010)
## block return in on ! lo0 proto tcp to port 6000:6010
I tried the above, then reloaded PF, but when I launch Transmission and run an nmap scan it still shows the port

51413/tcp open  unknown
OpenBSD 6.4
Intel(R) Core(TM) i3-6100 CPU
Ram 4GB
Intel HD Graphics
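To make jggimi's "last matching rule wins" point concrete, here is a small added model of PF rule evaluation (example code written for this page, not OpenBSD's pf). It parses the subset of pf.conf syntax used in the two rulesets above (pass/block, return, quick, in/out, on [!] iface, proto, port ranges, set skip) and returns the verdict PF would reach for a given packet: interfaces listed in `set skip` are never filtered, otherwise rules are walked in order and the last match decides unless a matching rule carries `quick`. The two rulesets and the packets are constructed for the demonstration; the interface names (em0, lo0) and the idea that "lo" covers lo0 as an interface group are assumptions of the model. It also shows why a scan run from the same host is not a test of the rules: that traffic arrives over lo0, which `set skip on lo` leaves unfiltered.

```python
"""Toy model of PF rule evaluation (last matching rule wins). Illustration only, not pf."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # interface name, or None for any
    iface_negated: bool = False       # "on ! lo0"
    proto: Optional[str] = None       # "tcp", "udp", or None for any
    dport: Optional[tuple] = None     # (low, high) destination port range
    quick: bool = False               # stop evaluation on match


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str       # e.g. "em0" or "lo0" (assumed names)
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass
class Ruleset:
    skip: set = field(default_factory=set)
    rules: list = field(default_factory=list)


def iface_match(name: str, pkt_iface: str) -> bool:
    """'lo' is treated as a group matching lo0, lo1, ... (modelled assumption)."""
    return name == pkt_iface or name == pkt_iface.rstrip("0123456789")


def parse_pf_conf(text: str) -> Ruleset:
    """Parse the small pf.conf subset used in this thread."""
    rs = Ruleset()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[:3] == ["set", "skip", "on"]:
            rs.skip.update(tok[3:])
            continue
        if tok[0] not in ("pass", "block"):
            raise ValueError(f"unsupported statement: {line}")
        rule = Rule(action=tok[0])
        i = 1
        while i < len(tok):
            t = tok[i]
            if t == "quick":
                rule.quick = True
            elif t in ("in", "out"):
                rule.direction = t
            elif t == "on":
                i += 1
                if tok[i] == "!":
                    rule.iface_negated = True
                    i += 1
                rule.iface = tok[i]
            elif t == "proto":
                i += 1
                rule.proto = tok[i]
            elif t == "port":
                i += 1
                lo, _, hi = tok[i].partition(":")
                rule.dport = (int(lo), int(hi or lo))
            elif t not in ("return", "all", "any", "from", "to", "keep", "state"):
                raise ValueError(f"unsupported token {t!r} in: {line}")
            i += 1
        rs.rules.append(rule)
    return rs


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and iface_match(rule.iface, pkt.iface) == rule.iface_negated:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(rs: Ruleset, pkt: Packet) -> str:
    """Return 'pass' or 'block' the way PF would decide it."""
    if any(iface_match(s, pkt.iface) for s in rs.skip):
        return "pass"          # set skip: the interface is not filtered at all
    verdict = "pass"           # PF's implicit default when no rule matches
    for rule in rs.rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:     # quick: first matching quick rule ends evaluation
                break
    return verdict


# Constructed rulesets: the one jggimi describes (wide-open pass followed by an
# X11 block) and the "drop all incoming" one posted above.
ORIGINAL = """
set skip on lo
block return
pass
block return in on ! lo0 proto tcp to port 6000:6010
"""
HARDENED = """
set skip on lo
block in all
pass out all keep state
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("hardened", HARDENED)):
        rs = parse_pf_conf(conf)
        for pkt in (Packet("in", "em0", "tcp", 51413), Packet("in", "em0", "tcp", 6001),
                    Packet("in", "lo0", "tcp", 51413), Packet("out", "em0", "tcp", 443)):
            print(f"{name:8} {pkt.direction:3} {pkt.iface:4} {pkt.proto}/{pkt.dport:<5} -> {evaluate(rs, pkt)}")
```

Running it shows the original ruleset passing inbound TCP 51413 on em0 (the unconditional `pass` is the last match) and blocking only 6000-6010, while the hardened ruleset blocks 51413 on em0 but still passes it on lo0 because of `set skip on lo`. To check the real thing, scan from a second machine (or at least confirm the rules loaded with `pfctl -sr`).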