
Hi, does anyone have experience with the Yosemite firewall? I need to allow incoming ssh on all interfaces. I connect the Mac to a VPN, but the stupid firewall blocks access on the tun0 interface. Nmap reports the port as filtered. When I turn the Mac firewall off, the connection works. Thanks for any advice.

tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN

white:~ schrapnel$ ssh 10.8.0.10
Password:



from outside:
ssh: connect to host 10.8.0.10 port 22: Connection timed out

Nmap scan report for macbookPro-vpn (10.8.0.10)
Host is up (0.095s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp filtered ssh




cyboff, 04.06.2015 - 08:21:39, level: 1
it's very simple to do it like this: https://support.apple.com/kb/PH18726?locale=en_US

schrapnel, 04.06.2015 - 12:53:28, level: 2
I have ssh accessible on the wifi interface and en0. But not on tun0, which is the VPN's virtual interface.

vygidor, 04.06.2015 - 13:53:19, level: 3
post the contents of /etc/pf.conf here

schrapnel, 04.06.2015 - 14:35:49, level: 4
cat /etc/pf.conf | grep -v '^#'

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"


cat /etc/pf.anchors/com.apple
#
# com.apple ruleset, referred to by the default /etc/pf.conf file.
# See notes in that file regarding the anchor point in the main ruleset.
#
# Copyright (c) 2011 Apple Inc. All rights reserved.
#

#
# AirDrop anchor point.
#
anchor "200.AirDrop/*"

#
# Application Firewall anchor point.
#
anchor "250.ApplicationFirewall/*"

vygidor, 04.06.2015 - 14:56:53 (modif: 04.06.2015 - 15:02:28), level: 5
I'm a noob at this, but I suspect it might be a missing/wrong rule/anchorset (or one that is badly placed, after the drops) in the rules for that tun0 interface.

try adding
pass in proto tcp from any to any port 22
reload it with
sudo pfctl -vnf /etc/pf.conf and restart.

maybe I'm completely off, but mainly it looks to me like it's being dropped on the tun0 interface; I don't see it in your netstat output either.

edit: I also forgot that I would check com.apple/250.ApplicationFirewall to see what is set to drop there. I'll look at mine in the evening.

schrapnel, 05.06.2015 - 07:46:30, level: 6
yeah, over time I worked my way to that solution too, but it doesn't work :( still filtered.

vygidor, 05.06.2015 - 08:17:33, level: 7
uff :/

post it on stackoverflow .)