Hello @misc!

I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
However, I get some strange results if I run a nmap scan on it from
work. I get hundreds of ports listed as open. Now it's likely that I
have mis-configured my firewall but I can't see exactly where.
Hopefully someone here on @misc can hit me with the clue stick.

$ext_if (sis0) is my external facing interface. $int_if and $apple_if
(sis1 and sis2, respectively) are my internal subnets. The Soekris is
obviously doing NAT for all my internal subnets -- NAT works, as do
the restrictions on sis1 and sis2 from being able to send traffic to
sis0's subnet. Now unless I am terribly mistaken the 'block in log'
should by default block any inbound packets on any interface unless
there is a subsequent rule that matches that packet as the packet will
do whatever the last matching rule told it to. So all inbound traffic
will either A) be blocked or B) match an "exception" later on in the
ruleset right? So how come a scan from the "outside" reveals hundreds
of unfiltered ports?

Advice would be much welcome.
Thank you!



/etc/pf.conf:

# macros
ext_if="sis0"
int_if="sis1"
apple_if="sis2"
wifi_if="ral0"

table <bogons> persist file "/etc/bogon-bn-agg.txt"

# options
set require-order yes
set block-policy drop
set optimization normal
set skip on lo0



# flag packets from all internal interfaces for NAT
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# policy: default deny on all inbound traffic on all interfaces
block in log

# immediately pass out traffic on external interface, modulate state to make
# ISNs (initial sequence numbers) harder to guess
pass out quick on $ext_if proto tcp modulate state

# policy: default allow on all outbound traffic on all interfaces
pass out

# antispoofing for internal interfaces
antispoof quick for { $int_if $apple_if $wifi_if }

# ingress/egress bogon filtering
block in quick log on $ext_if from <bogons>
block out quick log on $ext_if from <bogons>

# allow internal traffic in, except from untrusted --> trusted
pass in on $int_if from $int_if:network
pass in on $apple_if from $apple_if:network to !$int_if:network
pass in on $wifi_if from $wifi_if:network to !$int_if:network

# allow ssh traffic on trusted interface
pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22

# redirect external ssh traffic from ?????
pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
        rdr-to 127.0.0.1 port 22
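Added example, not from the post or from OpenBSD: a toy Python model of the evaluation order the post describes (last matching rule wins, a matching `quick` rule ends evaluation), run against a simplified copy of the ruleset above. It ignores addresses, tables, NAT, antispoof and state, and uses an assumed placeholder port 2222 for the redacted ????? ssh rule.

```python
"""Toy model of pf rule evaluation for the ruleset in the post (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # a matching quick rule stops evaluation

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"]
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


# Simplified transcription of the post's pf.conf, in the same order.
# Address-based conditions, the bogon table, NAT and antispoof are omitted;
# port 2222 is an assumed placeholder for the redacted ????? rdr rule.
RULESET = [
    Rule("block", "in"),                                          # block in log
    Rule("pass", "out", iface="sis0", proto="tcp", quick=True),   # pass out quick on $ext_if
    Rule("pass", "out"),                                          # pass out
    Rule("pass", "in", iface="sis1"),                             # pass in on $int_if
    Rule("pass", "in", iface="sis2"),                             # pass in on $apple_if
    Rule("pass", "in", iface="ral0"),                             # pass in on $wifi_if
    Rule("pass", "in", iface="sis1", proto="tcp", dport=22),      # ssh on trusted if
    Rule("pass", "in", iface="sis0", proto="tcp", dport=2222),    # rdr-to 127.0.0.1 port 22
]


def evaluate(ruleset, pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the winning rule); packets matching no rule pass."""
    verdict, winner = "pass", None
    for i, rule in enumerate(ruleset):
        if rule.matches(pkt):
            verdict, winner = rule.action, i
            if rule.quick:
                break
    return verdict, winner


def packet(direction: str, iface: str, proto: str, dport: int) -> dict:
    return {"dir": direction, "iface": iface, "proto": proto, "dport": dport}


if __name__ == "__main__":
    for p in (packet("in", "sis0", "tcp", 80), packet("in", "sis0", "tcp", 2222),
              packet("out", "sis0", "tcp", 443), packet("in", "sis1", "tcp", 22)):
        print(p, "->", evaluate(RULESET, p))
```

Because pf is stateful, replies to connections passed out by the quick rule never reach the inbound rules at all; the model does not track that, so it only shows which rule would win for a fresh, unsolicited packet.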
