On Mon, Oct 06, 2008 at 02:33:38PM +0300, Giorgos Keramidas wrote:
> On Mon, 6 Oct 2008 00:26:11 -0700, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
> >> block drop all
> >>
> >> looks fairly magical to me.  Stick that at the top of your ruleset as
> >> your default policy, add more specific rules beneath it to allow the
> >> traffic you do want to pass, and Robert is your Mother's Brother.  No
> >> more floods of RST packets.
> >
> > This is incredibly draconian.  :-)  I was trying my best to remain
> > realistic.
> Yes, this is a bit draconian, but it is also pretty ``realistic'', as in
> ``it works fine if all you need is a very basic, but strict firewall''.
> I run my laptop with a `pf.conf' that (putting most of the comments and
> other disabled rules for one-off tests aside) looks pretty much like:
>   set  block-policy drop
>   set  require-order yes
>   set  skip on lo0
>   scrub        in  all
>   block        in  all
>   block        out all
>   pass         in  quick proto icmp all
>   pass         out quick proto icmp all
>   pass         out proto { tcp, udp } all keep state

A couple of things to point out here:

First, ICMP rules coming first (especially with "quick") might not be
ideal; ICMP is often considered a "last resort" protocol, meaning TCP
and UDP packets should have priority over it.  It all depends on what
you want, but this is often the industry norm.

Second, and much more importantly, if you're on RELENG_7, "keep state"
serves no purpose here; "flags S/SA" is implicit on TCP rules, and "keep
state" is implicit in TCP, UDP, and ICMP rules.

If you're using RELENG_6, then your above rules have a serious problem:
you're tracking state for all outbound packets regardless of flags, and
not just initial setup (SYN).  This is Very Bad(tm).  In that case, you
should use these rules instead:

  pass out proto tcp all flags S/SA keep state
  pass out proto udp all keep state
  pass out proto icmp all keep state

I've never gotten a definite answer as to what happens if you use "flags
S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
That's why I split them up per protocol on RELENG_6 boxes.

Happy firewalling!  :-)

| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
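Jeremy's RELENG_6 point, as an added illustration that is not part of this thread: a small Python model of how pf's `flags check/mask` option gates state creation, comparing the rule as posted (no flags option) with `flags S/SA`. The rule dictionaries and sample packets are constructed for the example.

```python
# Added example (not from the mailing-list thread): a toy model of pf's
# "flags <check>/<mask>" option deciding whether a "keep state" rule may
# create a state entry for an outbound TCP packet.

SYN, ACK, FIN, RST, PSH = 0x02, 0x10, 0x01, 0x04, 0x08

def flags_match(pkt_flags, check, mask):
    """pf semantics for 'flags check/mask': of the bits in mask, exactly
    those in check must be set; bits outside mask are ignored."""
    return (pkt_flags & mask) == check

def creates_state(rule, pkt_flags):
    """True if an outbound TCP packet carrying pkt_flags would create a
    state entry under rule (a constructed dict with an optional 'flags')."""
    if "flags" not in rule:
        # 'pass out proto tcp all keep state' on RELENG_6: every matching
        # packet, SYN or not, creates state.
        return True
    check, mask = rule["flags"]
    return flags_match(pkt_flags, check, mask)

# Constructed rules: the posted RELENG_6 rule and the 'flags S/SA' fix.
LOOSE_RULE = {"proto": "tcp", "keep_state": True}
STRICT_RULE = {"proto": "tcp", "keep_state": True,
               "flags": (SYN, SYN | ACK)}   # flags S/SA

# Constructed outbound packets: a connection attempt, a SYN/ACK, a
# mid-stream ACK, a FIN/ACK teardown and a stray RST.
SAMPLE_PACKETS = {
    "syn": SYN,
    "syn_ack": SYN | ACK,
    "ack_only": ACK,
    "fin_ack": FIN | ACK,
    "rst": RST,
}

def audit(rule):
    """Map each sample packet name to whether rule would create state."""
    return {name: creates_state(rule, f) for name, f in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, rule in (("loose", LOOSE_RULE), ("strict", STRICT_RULE)):
        print(label, audit(rule))
```

With the loose rule every sample packet creates state; with `flags S/SA` only the bare SYN does, which is the behaviour the RELENG_7 defaults give you implicitly.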

freebsd-questions@freebsd.org mailing list