I was configuring a firewall on a FreeBSD server and setting
ssh to be in-house only. The firewall was previously incomplete, so it didn’t surprise me at the start that it was disabled — but it would haunt me later.
I added the following rule for
pass in on $ext_if proto tcp from 192.0.2.0/24 to any port ssh
And then enabled it with these commands.
pfctl -f /etc/pf.conf
pfctl -e
Then, under testing, I found out that I could always connect from my local machine; I didn’t have to be logged in on the customer’s network.
After a few false starts, and lots of reading to be absolutely sure my
ssh rule was indeed correct (it is), I found the following in root’s crontab.
*/2 * * * * /sbin/pfctl -d
Every two minutes, it’s disabling the firewall. And sure enough, after removing that
crontab entry, the firewall worked as it should.
The moral of the story is this. Always, always, test what shouldn’t work when setting up firewalls and other security-sensitive configurations. Many, if not most, security vulnerabilities come from people failing to test for the right error messages when configuring security.
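As an added example (not code from the original post), here is a small POSIX shell script that turns the "test what shouldn’t work" advice into repeatable checks for the pf setup above: is pf actually enabled, does the loaded ruleset contain an inbound block rule (without one, a "pass in ... port ssh" rule restricts nothing, because pf passes by default), and does root’s crontab contain a job that disables or flushes pf. It also carries the negative connection test from an address outside 192.0.2.0/24. The SAMPLE_* strings are constructed to mimic pfctl(8) and crontab(1) output; the interface name em0 and the use of nc(1) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Automates the negative tests
# for the pf configuration described above. SAMPLE_* texts are constructed.

# pf_status_from_info: read `pfctl -s info` output on stdin and print
# "enabled" or "disabled" (the second word of the "Status:" line).
pf_status_from_info() {
    awk '/^Status:/ { print tolower($2); exit }'
}

# find_pf_disable_jobs: read crontab text on stdin and print every active
# (non-comment) line that runs pfctl with -d (disable) or -F (flush).
# Exit status is 1 when nothing matches, which is the result we want.
find_pf_disable_jobs() {
    grep -Ev '^[[:space:]]*(#|$)' | grep -E 'pfctl.*[[:space:]]-(d|F)([[:space:]]|$)'
}

# ruleset_has_default_block: read `pfctl -s rules` output on stdin and
# succeed only if at least one block rule applies to inbound traffic
# (block rules that are explicitly outbound-only are ignored).
ruleset_has_default_block() {
    grep -E '^block[[:space:]]' \
        | grep -Evq '^block([[:space:]]+(drop|return))?[[:space:]]+out[[:space:]]'
}

# audit_pf INFO RULES CRONTAB: run all three checks on the given texts.
# Prints one line per finding and returns 0 only when everything is OK.
audit_pf() {
    info_text="$1"; rules_text="$2"; cron_text="$3"; rc=0
    status=$(printf '%s\n' "$info_text" | pf_status_from_info)
    if [ "$status" != "enabled" ]; then
        echo "FAIL: pf status is '${status:-unknown}', expected enabled"; rc=1
    fi
    if ! printf '%s\n' "$rules_text" | ruleset_has_default_block; then
        echo "FAIL: no inbound block rule; the ssh pass rule restricts nothing"; rc=1
    fi
    jobs=$(printf '%s\n' "$cron_text" | find_pf_disable_jobs) || true
    if [ -n "$jobs" ]; then
        echo "FAIL: cron job(s) would disable or flush pf:"
        echo "$jobs"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pf enabled, inbound block present, no cron job disables it"
    return "$rc"
}

# ssh_must_fail HOST: the test the post recommends, run from a machine that is
# NOT in 192.0.2.0/24. Uses nc(1) (assumed installed). Returns 0 when the
# connection to port 22 is refused or times out, 1 when it unexpectedly works.
ssh_must_fail() {
    if nc -z -w 3 "$1" 22 2>/dev/null; then
        echo "FAIL: ssh on $1 is reachable from an unauthorised address"; return 1
    fi
    echo "OK: ssh on $1 refused from an unauthorised address"
}

# Constructed samples mimicking the "haunted" state described in the post
# (pf disabled, a cron job disabling it every two minutes) and the fixed state.
SAMPLE_INFO_DISABLED='Status: Disabled for 0 days 00:01:58           Debug: Urgent'
SAMPLE_INFO_ENABLED='Status: Enabled for 0 days 00:00:07           Debug: Urgent'
SAMPLE_RULES='block drop in on em0 all
pass in on em0 inet proto tcp from 192.0.2.0/24 to any port = ssh flags S/SA keep state'
SAMPLE_CRONTAB_BAD='# root crontab (constructed sample)
*/2 * * * * /sbin/pfctl -d
0 3 * * * /usr/sbin/periodic daily'
SAMPLE_CRONTAB_OK='0 3 * * * /usr/sbin/periodic daily'

# Stand-alone run: audit the constructed bad state, then the fixed one.
# On a real FreeBSD host, as root, use instead:
#   audit_pf "$(pfctl -s info)" "$(pfctl -s rules)" "$(crontab -l)"
# and from an outside machine:  ssh_must_fail <server>
audit_pf "$SAMPLE_INFO_DISABLED" "$SAMPLE_RULES" "$SAMPLE_CRONTAB_BAD" || true
audit_pf "$SAMPLE_INFO_ENABLED" "$SAMPLE_RULES" "$SAMPLE_CRONTAB_OK" || true
```

The crontab check is the one that would have found the problem in the story immediately; the ruleset check guards against the more common mistake of writing pass rules into a pf.conf that never blocks anything, and ssh_must_fail is the part that has to be run from a machine the rule is supposed to exclude.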
If you need professional help with FreeBSD, you can write to firstname.lastname@example.org.