Jacob Meuser wrote:

> scrub in on $ext_if all
> block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> pass out on $ext_if inet proto tcp from { $my_ip(s) } to any modulate state
> 
> Does a pretty good job.

For those of you who are LINUX geeks, not OpenBSD geeks, that
stuff Jacob wrote is pf rules.  pf is to OpenBSD as iptables
is to Linux: it's the packet filter.

"scrub" means reassemble fragmented packets.  Many TCP and IP
implementations get confused by strangely fragmented packets,
and nmap uses those to identify stacks.

"block in ... FUP/FUP" means to drop any incoming TCP packets with
the FIN, URG and PUSH bits all set.  nmap creates these (illegal)
packets.

"pass out ... modulate state" means to allow all outgoing TCP
connections, and to use cryptographically strong random numbers
for the sequence numbers.  Some TCP implementations use
predictable sequence numbers, which allows TCP sessions to be
hijacked.

Anyway, I agree with Jake and with the author of the Portsentry
article.  Portsentry isn't worth much, and it's easily fooled into
DoS'ing the machine it's running on.  Spoof a port scan from a useful
host, and it'll blackhole the useful host.  Not helpful.

-- 
Bob Miller                              K<bob>
kbobsoft software consulting
http://kbobsoft.com                     [EMAIL PROTECTED]
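
The "block in ... flags FUP/FUP" rule above is easier to reason about once you see how pf's "flags a/b" test actually works: of the bits named in b (the mask), exactly those named in a must be set, and every bit outside the mask is ignored. The script below is an added example written for this thread, not code from either poster; it reimplements that flag test over constructed raw TCP headers (built inline with struct.pack, so nothing is captured from a network) and labels the well-known nmap probe shapes (NULL, FIN, Xmas) by their flag bits. The function and variable names are my own.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793 plus the ECN bits), keyed by
# pf's one-letter names so rule specs like "FUP/FUP" or "S/SA" can be parsed.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flag_bits(letters):
    """Turn a pf-style flag string such as "FUP" into its bitmask (0x29)."""
    return sum(TCP_FLAGS[c] for c in letters)


def tcp_flags_of(segment):
    """Return the flags byte of a raw TCP segment (offset 13 in the header)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return segment[13]


def pf_flags_match(flags, spec):
    """Evaluate pf's 'flags a/b' test: of the bits in b, exactly those in a
    are set.  Bits outside the mask b are not examined at all, which is why
    FUP/FUP also matches a segment carrying FIN+URG+PSH+ACK."""
    want, mask = spec.split("/")
    return flags & flag_bits(mask) == flag_bits(want)


def classify_probe(flags):
    """Label the classic nmap stealth probes by their flag combination.
    ECE/CWR are ignored so ECN-capable hosts are not misclassified."""
    core = flags & flag_bits("FSRPAU")
    if core == 0:
        return "null scan"
    if core == flag_bits("FUP"):
        return "xmas scan"
    if core == flag_bits("F"):
        return "fin scan"
    if core == flag_bits("S"):
        return "syn"
    return "other"


def build_segment(flags, sport=40000, dport=22):
    """Constructed sample: a minimal 20-byte TCP header (no options, no
    payload) with the requested flags.  Sequence number and ports are
    arbitrary; the checksum is left at zero since nothing verifies it."""
    return struct.pack("!HHIIBBHHH",
                       sport, dport,      # source / destination port
                       0x11223344, 0,     # seq / ack numbers
                       5 << 4,            # data offset = 5 words, no reserved bits
                       flags,             # the byte the rule inspects
                       1024, 0, 0)        # window, checksum, urgent pointer


def evaluate(segment, rule_spec="FUP/FUP"):
    """Apply one pf-style flags test to a raw segment and report what it saw."""
    flags = tcp_flags_of(segment)
    return {
        "flags": flags,
        "probe": classify_probe(flags),
        "blocked_by_rule": pf_flags_match(flags, rule_spec),
    }


if __name__ == "__main__":
    # Constructed probes: what nmap -sN, -sF, -sX and a plain SYN look like.
    samples = {
        "null":       build_segment(0),
        "fin":        build_segment(flag_bits("F")),
        "xmas":       build_segment(flag_bits("FUP")),
        "xmas+ack":   build_segment(flag_bits("FUPA")),
        "syn":        build_segment(flag_bits("S")),
    }
    for name, seg in samples.items():
        print(name, evaluate(seg))
```

Running it shows the caveat worth knowing about the quoted rule: "FUP/FUP" blocks the Xmas probe whether or not ACK is also set, because A is not in the mask, whereas a stricter "FUP/FUPA" would let the ACK-bearing variant through. The script only models the flag test; scrub, modulate state and pf's quick/last-match evaluation order are not simulated.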
