
I'm trying to understand the issue with pf on OS X 10.10 El Capitan.

I have installed sshguard and try to make it work by adding

```
table <sshguard> persist
block in quick proto tcp from <sshguard>
```

into /etc/pf.conf.

The problem here is that while pf does recognize the table and IP addresses do get added to that table while sshguard is running, they're never actually being blocked.

It used to work fine before but I cannot remember whether it was on 10.9 or on 10.10 before some update.

The output of `pfctl -t sshguard -T show` with a "fake" IP:

```
No ALTQ support in kernel
ALTQ related functions disabled
10.20.30.40
```

Syslog messages repeating:

```
sshd[818]: error: PAM: authentication error for admin from 10.20.30.40 via 192.168.1.2
sshguard[799]: 10.20.30.40 has already been blocked
```
Захар Joe
  • Can you show the table's content with `pfctl -t sshguard -T show`, please? – Vinz Dec 07 '16 at 13:59
  • I've edited the question. – Захар Joe Dec 07 '16 at 16:48
  • It could be the "via" part though now that I think of it, as the server is actually assigned a local IP (192.168.1.2) and is behind a router that owns the real external IP and is redirecting traffic on all ports to that server. Still, no clue what to do. – Захар Joe Dec 07 '16 at 16:55
  • Do you have any rules before your `block in quick`? Another rule could be preempting it. If you are unsure of interface direction, you can always remove the `in` so it blocks bidirectionally – pete Dec 13 '16 at 23:44
  • Don't think so. For some reason I get no hits on the firewall at all? `pf -vvsr` shows that `Evaluations: 0 Packets: 0 Bytes: 0 States: 0` while on a similarly configured machine I get non-zero evaluations and non-zero "bytes" on an sshguard rule. I'm not sure how to interpret that. – Захар Joe Dec 15 '16 at 20:47
  • It doesn't seem to be related to socketfilterfw configuration as it is the same on both machines. So I guess I just need to understand why Evaluations don't work. – Захар Joe Dec 15 '16 at 20:51

0 Answers
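
Added example, not part of the original question or its comments: a small parser for `pfctl -vvsr` output that separates the two situations raised in the comments, an earlier rule preempting the sshguard rule versus no rule in the ruleset being evaluated at all. The sample output is constructed, and `parse_rules`, `diagnose` and the verdict strings are hypothetical names chosen for this illustration.

```python
import re
import sys

# Constructed `pfctl -vvsr` output for illustration; not from the asker's machine.
SAMPLE = """\
@0 pass in quick on lo0 all flags S/SA keep state
  [ Evaluations: 412       Packets: 96        Bytes: 8120        States: 2     ]
@1 block drop in quick proto tcp from <sshguard:1> to any
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

RULE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
COUNTER = re.compile(r"(Evaluations|Packets|Bytes|States):\s*(\d+)")

def parse_rules(text):
    """Turn `pfctl -vvsr` text into [{'num', 'rule', 'counters'}, ...]."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "rule": m.group(2), "counters": {}})
        elif rules:  # counter lines belong to the most recent @N rule
            rules[-1]["counters"].update((k, int(v)) for k, v in COUNTER.findall(line))
    return rules

def diagnose(text, table="sshguard"):
    """Return [(rule_number, verdict)] for each rule that references <table>."""
    rules = parse_rules(text)
    ref = re.compile(r"<%s(:[\d*]+)?>" % re.escape(table))
    # idle: no rule at all has been evaluated since the ruleset was loaded
    idle = all(r["counters"].get("Evaluations", 0) == 0 for r in rules)
    findings = []
    for r in rules:
        if not ref.search(r["rule"]):
            continue
        ev, pk = (r["counters"].get(k, 0) for k in ("Evaluations", "Packets"))
        if idle:
            verdict = "ruleset idle"        # pf has not run any packet through these rules
        elif ev == 0:
            verdict = "never reached"       # other rules are evaluated, this one is not
        elif pk == 0:
            verdict = "reached, no match"   # evaluated, but no packet matched it
        else:
            verdict = "matching"
        findings.append((r["num"], verdict))
    return findings

if __name__ == "__main__":  # pfctl -vvsr 2>/dev/null | python3 script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(diagnose(text))
```

Counters are cumulative since the ruleset was loaded, so run it after at least one connection attempt from an address that is in the table.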