kalin m wrote:
hi all...
doing testing with pf...
How is it possible that, if I have these rules below in pf.conf and I do:
telnet that.host.org 25
i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......
pf.conf contents:
tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"
set skip on lo
scrub in
antispoof for eth0 inet
block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
Did your ruleset actually load into pf? If you run:

# pfctl -nf pf.conf

then any output indicates a problem with your pf.conf. Also, you can
examine the loaded rule set by:

# pfctl -sr

This is generated from the pf.conf, but with all the list structures
expanded into separate rules.

You say:

antispoof for eth0 inet

-- this looks a bit dodgy to me: 'eth0' is a linuxism. There's no such
network interface driver under FreeBSD, and you should probably replace
that with the actual name of the interface out of the list returned by
'ifconfig -l'. You don't really need the 'inet' bit either -- that will
be added automatically, as well as matching 'inet6' rules if your system
is IPv6 capable. Also, your antispoof rules should come /after/ your
generic 'block all' rule.
Handy hint: it's good practice when writing pf.conf to define a macro
with the interface name:
ext_if = "em0"
and then use that macro liberally in your rules.
Hmmm... I suppose pf is actually enabled on your system? You'd need
to put:
pf_enable="YES"
pflog_enable="YES"
into /etc/rc.conf to have it start automatically, or if you want to start
things manually, do:
# kldload pf
# pfctl -e
(but be careful with that if you aren't logged into the console, as you
can lock yourself out)
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
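The checks Matthew describes (look for interface names that do not exist on the host, then dry-run the file with pfctl -nf before loading it) as an added example; this is not code from the thread or from FreeBSD. The two rulesets inside it are constructed copies of the one posted above: the first verbatim, the second rewritten with the interface macro Matthew suggests and with antispoof moved after the generic block. The interface name em0 and the list in HOST_IFACES (standing in for `ifconfig -l`) are assumptions; on a real box feed the script the real pf.conf and the real `ifconfig -l` output.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check a pf.conf for
# interface names that do not exist on this host, then dry-run it with
# pfctl -nf where pfctl is installed. POSIX sh and awk only.

# Constructed copy of the ruleset posted in the thread ("eth0" is the line
# Matthew objects to).
POSTED_RULES='tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"
set skip on lo
scrub in
antispoof for eth0 inet
block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh'

# Same ruleset with an interface macro and antispoof after "block in all".
# "em0" is an assumed name; take the real one from `ifconfig -l`.
MACRO_RULES='ext_if = "em0"
tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"
set skip on lo
scrub in
block in all
antispoof for $ext_if
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh'

# Print every interface a pf.conf names after "on" or "for", resolving
# $macro references from the file's own macro definitions. Full-line
# comments are skipped and the keyword "all" is not an interface.
pf_conf_ifaces() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            split($0, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            val = kv[2];  gsub(/[ \t"]/, "", val)
            macro[name] = val
            next
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "on" && $i != "for") continue
                t = $(i + 1)
                if (substr(t, 1, 1) == "$") t = macro[substr(t, 2)]
                if (t != "" && t != "all") print t
            }
        }' "$1" | sort -u
}

# Print the interfaces a pf.conf ($1) names that are not in the
# space-separated list $2 (the output of `ifconfig -l`). Names without a
# trailing unit number ("lo", "egress") are interface groups and are skipped.
pf_missing_ifaces() {
    have=" $2 "
    for name in $(pf_conf_ifaces "$1"); do
        case "$name" in
            *[0-9]) ;;        # real interface: em0, re0, eth0 ...
            *) continue ;;    # interface group, never listed by ifconfig -l
        esac
        case "$have" in
            *" $name "*) ;;   # present on this host
            *) echo "$name" ;;
        esac
    done
}

# Dry-run the ruleset: pfctl -nf prints nothing when the file is clean.
pf_check_syntax() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not installed here; syntax check skipped" >&2
    fi
}

POSTED_CONF=$(mktemp) && printf '%s\n' "$POSTED_RULES" > "$POSTED_CONF"
MACRO_CONF=$(mktemp)  && printf '%s\n' "$MACRO_RULES"  > "$MACRO_CONF"
HOST_IFACES="em0 lo0"   # constructed stand-in for `ifconfig -l`

for f in "$POSTED_CONF" "$MACRO_CONF"; do
    echo "== $f refers to: $(pf_conf_ifaces "$f" | tr '\n' ' ')"
    missing=$(pf_missing_ifaces "$f" "$HOST_IFACES")
    [ -z "$missing" ] && echo "   all interfaces present" || echo "   NOT on this host: $missing"
    pf_check_syntax "$f"
done
```

On the posted file this reports eth0 as absent; on the macro version it reports nothing, because `$ext_if` is resolved to em0 before the comparison. One caveat that none of the above changes: if the `telnet that.host.org 25` test was run on the pf host itself, the connection leaves through `pass out all keep state` and will succeed regardless of the inbound rules, so test inbound filtering from a second machine.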
