Here is something that I want to make sure I understand properly. I am
99.9% sure, but as I get so many entries in my logs, it makes me want to
verify my understanding a bit. So if someone would kindly correct me
where/if I am wrong, that would be great!
To start with:
scrub in all
as explained in the man page will eliminate all packets with bad flag
combinations, so keeping some types of bad guys away, or broken TCP
stacks. Great!
I also understand that when you have quick and keep state in your rules,
obviously the rest of the rule set is skipped if a match is found on that
line, so:
pass in quick on bge0 inet proto tcp from any to xx.xx.xx.xx /
port = www flags S/SA keep state (if-bound)
would create a state when an initial valid connection is coming to your
web server, and no more rules are checked from this point.
Now, from the man page, this line above for normal traffic would then
create a state in the state table, and then traffic back and forth
between this server and the source would skip any rules in the rule set,
regardless of what they might be or where they might be as well, as only
the state table is checked for this established connection.
Now, if I have the line below past the above state creation, and I would
get some samples below in the log entries that would match this rule:
block drop in log quick on bge0 proto tcp from <badguys> to any
Obviously, I believe none of them are valid entries, but in all cases
they do represent an attempt to do bad things, whatever that might be, to
the web server, right?
Now, if a connection is logged like these, it is either a bad guy or a
very broken TCP stack, right? None of these can be legal traffic, can it?
I go with my understanding above and the fact that a legit connection
would, and has to, first establish that connection with the S flag set,
so testing S/SA would definitely allow all valid traffic even if the
source of it IS in the badguys table following that rule.
Even a sequence of lost connections or reset connections would need to
re-establish one using the sequence of S/SA flags, etc., and then be in
the state table, and all is good, right?
So, in this configuration, it's impossible that any of the samples
below are any good or valid traffic, right?
Jan 29 11:34:47.917944 rule 16/(match) block in on bge0: 82.233.201.137.3014 > xx.xx.xx.xx.80: F 0:0(0) ack 1 win 63932 <nop,nop,timestamp 50433 3792622651> (DF) [tos 0x70]
Jan 29 11:35:48.814097 rule 16/(match) block in on bge0: 62.23.142.10.80 > xx.xx.xx.xx.80: . ack 0 win 1400 [tos 0x70]
Jan 29 11:44:41.023136 rule 16/(match) block in on bge0: 82.230.177.22.60232 > xx.xx.xx.xx.80: R 121139167:121139167(0) ack 2331710162 win 0 (DF) [tos 0x70]
Jan 29 12:44:44.269036 rule 16/(match) block in on bge0: 82.189.216.151.46702 > xx.xx.xx.xx.80: FP 1036024437:1036024705(268) ack 3791540179 win 5840 <nop,nop,timestamp 33841678 2752966045> (DF) [tos 0x70]
Jan 29 13:00:21.671963 rule 16/(match) block in on bge0: 212.138.47.23.5943 > xx.xx.xx.xx.80: F 1:1(0) ack 1 win 65535 [tos 0x70]
Jan 29 13:05:11.674058 rule 16/(match) block in on bge0: 212.138.47.23.5943 > xx.xx.xx.xx.80: R 2:2(0) ack 1 win 65535 [tos 0x70]
Jan 29 16:58:09.030643 rule 16/(match) block in on bge0: 200.222.138.173.1450 > xx.xx.xx.xx.80: P 0:193(193) ack 1 win 8576 (DF) [tos 0x70]
Jan 29 18:52:55.017288 rule 16/(match) block in on bge0: 83.77.136.90.49491 > xx.xx.xx.xx.80: RE 3354073858:3354073858(0) win 16896 [tos 0x70]
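An added example, not part of the original post: a small Python checker that parses pflog lines in the old tcpdump format shown above and reports, for each packet, whether its flags could satisfy `flags S/SA` (SYN set, ACK clear) and so ever create a state under the pass rule. The log lines inside are constructed in the same format with RFC 5737 documentation addresses, not the poster's real hosts.

```python
import re

# Constructed sample lines mirroring the post's pflog/tcpdump format
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 29 11:34:47.917944 rule 16/(match) block in on bge0: 192.0.2.10.3014 > 198.51.100.5.80: F 0:0(0) ack 1 win 63932 <nop,nop,timestamp 50433 3792622651> (DF) [tos 0x70]
Jan 29 11:35:48.814097 rule 16/(match) block in on bge0: 192.0.2.11.80 > 198.51.100.5.80: . ack 0 win 1400 [tos 0x70]
Jan 29 11:44:41.023136 rule 16/(match) block in on bge0: 192.0.2.12.60232 > 198.51.100.5.80: R 121139167:121139167(0) ack 2331710162 win 0 (DF) [tos 0x70]
Jan 29 12:44:44.269036 rule 16/(match) block in on bge0: 192.0.2.13.46702 > 198.51.100.5.80: FP 1036024437:1036024705(268) ack 3791540179 win 5840 (DF) [tos 0x70]
Jan 29 18:52:55.017288 rule 16/(match) block in on bge0: 192.0.2.14.49491 > 198.51.100.5.80: RE 3354073858:3354073858(0) win 16896 [tos 0x70]
Jan 29 19:01:02.000000 rule 16/(match) block in on bge0: 192.0.2.15.40001 > 198.51.100.5.80: S 10:10(0) win 65535 <mss 1460> (DF) [tos 0x0]
"""

# Old tcpdump flag letters: S F R P U E(ECE) W(CWR); "." means none of S/F/R/P.
# The ACK bit is not a letter in this format; it shows up as an "ack N" field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPUEW.]+) (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a TCP entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"rule": int(m["rule"]), "src": m["src"], "dst": m["dst"],
            "flags": m["flags"],
            "ack": re.search(r"\back \d+", m["rest"]) is not None}

def matches_s_sa(pkt):
    """pf 'flags S/SA': of the SYN and ACK bits, exactly SYN must be set."""
    return "S" in pkt["flags"] and not pkt["ack"]

def explain(pkt):
    if matches_s_sa(pkt):
        return "SYN-only: the pass ... flags S/SA keep state rule would create a state"
    if "R" in pkt["flags"]:
        return "RST with no state: late reset after the state expired, or an unsolicited probe"
    if "F" in pkt["flags"]:
        return "FIN with no state: late close after the state expired, or an unsolicited probe"
    return "ACK/data with no state: stale session, or an unsolicited probe"

def audit(log_text):
    """Return (rule, src, flags, verdict) for every parseable line."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt:
            out.append((pkt["rule"], pkt["src"], pkt["flags"], explain(pkt)))
    return out

if __name__ == "__main__":
    for rule, src, flags, verdict in audit(SAMPLE_LOG):
        print(f"rule {rule} {src:<22} {flags:<3} {verdict}")
```

One caveat the check makes visible: a FIN, RST or bare ACK that arrives after pf has already expired or removed the state (timeout, reboot, ruleset reload) is logged by the same block rule, so not every such entry is a scan or a broken stack.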