Hi Misc@,
While testing my brand new 4.3-beta AMD64.MP webserver, I applied a simple
pf.conf to let some connections in and all out. But something interesting
came out: pf actually blocks my webserver's googlebot apps originating from
the server, which is strange since I use "pass out all". So, I'm wondering
if anybody on Misc@ could help me out with this.
I appreciate any replies related to this.
Thanks,


Insan

A. pf.conf
ext_if="bge0"

set skip on lo
set optimization aggressive
set ruleset-optimization basic
set block-policy drop
scrub in all

antispoof quick for { lo $ext_if }
block log all
pass quick on $ext_if inet proto tcp from any to $ext_if:0 port { http, https, ssh } keep state
pass quick on $ext_if inet proto udp from abc.def.ghi.241 to $ext_if:0 port snmp
pass inet proto icmp from any to $ext_if:0
pass out log all

B. pfctl -s rules
scrub in all fragment reassemble
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21a:64ff:fe6e:a09a to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from abc.def.ghi.240/28 to any
block drop in quick inet from abc.def.ghi.245 to any
block drop log all
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = www flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = https flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = ssh flags S/SA keep state
pass quick on bge0 inet proto udp from abc.def.ghi.241 to abc.def.ghi.245 port = snmp keep state
pass inet proto icmp from any to abc.def.ghi.245 keep state
pass out log all flags S/SA keep state

C. From tcpdump -ettvi pflog0
1203958253.063557 rule 3/(match) [uid 0, pid 15307] block out on bge0: abc.def.ghi.245.www > crawl-66-249-72-103.googlebot.com.51771: [|tcp] (ttl 64, id 38177, len 1470

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
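An added diagnostic, not part of the post: a small Python helper that resolves the "rule N" in a pflog line against the pfctl -s rules listing and reports whether the logged action and direction agree with that rule's text, which is the first thing to check before reading the ruleset for the cause. It embeds the post's own listing (mail wraps rejoined) and log line as sample data, and assumes that pflog's rule number is the zero-based index into the filter rules with scrub rules excluded (the @N that pfctl -vvs rules prints).

```python
import re

# Constructed sample data copied from the post: the pfctl -s rules listing with
# the mail-wrapped lines rejoined, and the single pflog line from tcpdump.
PFCTL_RULES = """\
scrub in all fragment reassemble
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21a:64ff:fe6e:a09a to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from abc.def.ghi.240/28 to any
block drop in quick inet from abc.def.ghi.245 to any
block drop log all
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = www flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = https flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = ssh flags S/SA keep state
pass quick on bge0 inet proto udp from abc.def.ghi.241 to abc.def.ghi.245 port = snmp keep state
pass inet proto icmp from any to abc.def.ghi.245 keep state
pass out log all flags S/SA keep state
"""
PFLOG_LINE = ("1203958253.063557 rule 3/(match) [uid 0, pid 15307] block out on bge0: "
              "abc.def.ghi.245.www > crawl-66-249-72-103.googlebot.com.51771: "
              "[|tcp] (ttl 64, id 38177, len 1470")

# Assumption: pflog's "rule N" is the zero-based index into the filter rules
# (the @N of pfctl -vvs rules); scrub rules are a separate ruleset, so skip them.
def filter_rules(listing):
    return [l for l in listing.splitlines() if l and not l.startswith("scrub")]

PFLOG_RE = re.compile(r"rule (\d+)/\((\w+)\) .*?\b(block|pass) (in|out) on (\S+):")

def resolve(pflog_line, listing=PFCTL_RULES):
    """Map a pflog line to its rule text and report whether the logged action and
    direction agree with it; a mismatch means the number cannot be taken at face
    value against this listing and the rule set should be re-dumped and compared."""
    m = PFLOG_RE.search(pflog_line)
    if not m:
        return None
    nr, reason, action, direction, ifname = m.groups()
    rules = filter_rules(listing)
    idx = int(nr)
    if idx >= len(rules):
        return {"rule": idx, "text": None, "consistent": False}
    words = rules[idx].split()
    # Direction keyword, if any, sits right after the action (block [drop] in/out).
    rule_dir = next((w for w in words[:3] if w in ("in", "out")), None)
    consistent = words[0] == action and rule_dir in (None, direction)
    return {"rule": idx, "reason": reason, "text": rules[idx],
            "logged": f"{action} {direction} on {ifname}", "consistent": consistent}
```

Calling `resolve(PFLOG_LINE)` on the post's data maps rule 3 to an inbound rule on lo0 while the log shows an outbound block on bge0, so the resolver flags it as inconsistent rather than letting that rule be blamed.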