[Dshield] OpenBSD 3.1/pf

millerbn millerbn at chiba.dhs.org
Mon Aug 5 20:36:21 GMT 2002


#       $OpenBSD: pf.conf,v 1.3 2001/11/16 22:53:24 dhartmei Exp $
#
# See pf.conf(5) for syntax and examples
#
# If you change this file, flush current filter rules & reload:
#    /sbin/pfctl -F rules && /sbin/pfctl -R /etc/pf.conf
#
# Global Variables
#
internal = "we1"
external = "we0"
nonroutable = "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
protocols = "{ tcp, udp, icmp }"
netbios = "{ netbios-ns, netbios-dgm, netbios-ssn }"
#
# Options
#
scrub out all
scrub in  all
block in from no-route to any
#
# Loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
#
# Protected
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any
#
# External
#
block out log quick on $external from ! 65.187.137.49 to any
#
pass out quick on $external inet proto tcp from any to 10.5.1.2/32 flags S/SA modulate state
block in log quick on $external from $nonroutable to any
block return-icmp out quick on $external from any to $nonroutable
#
block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external inet proto tcp from any to any flags SF/SFRA
block in log quick on $external inet proto tcp from any to any flags /SFRA
#
block in log quick on $external inet proto icmp from any to any icmp-type redir
pass in quick on $external inet proto icmp from any to any icmp-type { echorep, echoreq }
#
pass in quick on $external inet proto tcp from any to any port smtp flags S/SA modulate state
block in quick on $external inet proto { tcp, udp } from any to any port $netbios
block return-rst in quick on $external inet proto tcp from any to any port auth flags S/SA
#
#block in quick on $external inet proto tcp from any port www to any port 1024 >< 65535
#
pass out quick on $external inet proto tcp from any to any flags S/SA modulate state
pass out quick on $external inet proto { udp, icmp } from any to any keep state
#
block in log quick on $external inet proto $protocols from any to any
block in log quick on $external all
#
block in log quick all
#
#  End of file

On Mon, 5 Aug 2002 06:51:04 +0200, you wrote:

>On Sun, Aug 04, 2002 at 01:05:12PM -0500, millerbn wrote:
>>On Sat, 3 Aug 2002 22:56:11 +0200, you wrote:
>>
>>>On Sat, Aug 03, 2002 at 02:00:21PM -0500, millerbn wrote:
>>>>pass in quick on $external inet proto tcp from any to any port
>>>>$services flags S/SA keep state
>>>
>>>"In" is coming from the network going IN to the interface.
>>>
>>>>The mail log does show that there was an outgoing email to the
>>>
>>>"outgoing mail", so the rule you show does not match the
>>>blocked traffic.
>>>
>>>Send your full pf.conf and nat.conf and someone might be able
>>>to help you. And maybe this is better on misc at openbsd.org ?
>>>
>>>
>>Guess I should have included "return" between legitimate traffic
>>in the prior message.
>
>That was exactly my point. Traffic goes out as a TCP packet with
>SYN. The reply is a TCP packet with SYN+ACK. The rule you show
>only allows a TCP packet with SYN and not SYN+ACK. You are missing
>a "pass out on $external proto tcp all keep state" but that is
>impossible to see as you have given absolutely no info about:
>
>- Your network layout
>- Your complete packet filter
>- Your blocking policy
>
>>The timestamps for outgoing mail logs preceded the pf logs and
>>they were blocked coming in to the interface.  I assumed most of
>>the readers were used to firewall logs and might be quicker at
>>spotting latent packets, which was my first guess - just wanted
>>a little reassurance; also hoped someone would spot a mistake
>>that I had missed if there was one.
>
>Your mistake is that you provide no info.
>
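The point made in the reply above (an outbound SYN that passes without "keep state" leaves nothing in the state table, so the returning SYN+ACK is tested against the "flags S/SA" rules and dropped) can be shown with a small model of pf's flag matching and state lookup. This is an added illustration, not pf's implementation and not the poster's configuration: the addresses are constructed from documentation ranges, "modulate state" is treated the same as "keep state", interfaces and sequence numbers are ignored, and the rule set is reduced to the three rules the thread argues about.

```python
"""Toy model of pf "flags S/SA" matching and "keep state" (added example, not pf code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# TCP flag bits as pf names them: F=FIN S=SYN R=RST P=PSH A=ACK U=URG
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec: str) -> Tuple[int, int]:
    """'S/SA' -> (bits that must be set, bits that are examined)."""
    set_part, mask_part = spec.split("/")
    to_bits = lambda s: sum(TCP_FLAGS[c] for c in s)
    return to_bits(set_part), to_bits(mask_part)


def flags_match(pkt_flags: int, spec: str) -> bool:
    """pf semantics: of the flags in the mask, exactly those in the set part are on."""
    want, mask = parse_flags(spec)
    return (pkt_flags & mask) == want


@dataclass
class Packet:
    direction: str          # "in" (from the network) or "out" (to the network)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    flags: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False


@dataclass
class Firewall:
    rules: List[Rule]
    state: Set[tuple] = field(default_factory=set)

    def _key(self, pkt: Packet) -> tuple:
        # Normalise endpoints so a reply (src/dst swapped) hits the same entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt: Packet) -> str:
        # pf consults the state table before evaluating rules.
        if self._key(pkt) in self.state:
            return "pass (state)"
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.dport is not None and pkt.dport != r.dport:
                continue
            if r.flags is not None and not flags_match(pkt.flags, r.flags):
                continue
            if r.action == "pass" and r.keep_state:
                self.state.add(self._key(pkt))
            return r.action
        return "block"      # default deny, like the trailing "block in log quick all"


def simulate(keep_state_out: bool) -> List[str]:
    """Outbound SYN then the returning SYN+ACK, with and without state on the out rule."""
    rules = [
        Rule("pass", "out", keep_state=keep_state_out),              # pass out ... proto tcp all
        Rule("pass", "in", flags="S/SA", dport=25, keep_state=True), # pass in ... port smtp flags S/SA keep state
    ]
    fw = Firewall(rules)
    s, a = TCP_FLAGS["S"], TCP_FLAGS["A"]
    # Constructed addresses (documentation ranges), not from the thread.
    out_syn = Packet("out", "203.0.113.10", 40000, "198.51.100.25", 25, s)
    in_synack = Packet("in", "198.51.100.25", 25, "203.0.113.10", 40000, s | a)
    return [fw.filter(out_syn), fw.filter(in_synack)]


if __name__ == "__main__":
    print("without keep state on out:", simulate(False))  # ['pass', 'block']
    print("with keep state on out:   ", simulate(True))   # ['pass', 'pass (state)']
```

The second packet is the one the poster saw blocked: it carries SYN+ACK, so "S/SA" does not match it, and only a state entry created by the outbound SYN lets it through. Checking the real rule set is done with pfctl's parse-only mode (pfctl -nf /etc/pf.conf) before loading it, which catches syntax but not this kind of logic gap.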