On Fri, Nov 12, 2010 at 12:53 PM, woolsherpahat <[email protected]> wrote:
>>> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <[email protected]> wrote:
>>>> is it this?
>>>>> # redirect external ssh traffic from ?????
>>>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>>>     rdr-to 127.0.0.1 port 22
>>>> to me, that rule looks like it will accept any inbound traffic on the
>>>> external interface and redirect it to 127.0.0.1:22. but I don't know what
>>>> the question marks do; I've never seen them used in a pf rule before. my
>>>> guess is, if pf accepts them at all, it treats them as a wildcard.
>>>> -ken
>>>
>>> The ????? marks are just replacements for the actual port number. This
>>> rule should forward outside traffic from port ????? to the SSH server
>>> but I think you are probably on the right track. I really don't
>>> understand the new rdr-to and match nat-to rules as well as the older
>>> pre 4.6 syntax.
>>>
>>> However, if I comment that rule out, an nmap still shows a bunch of open
>>> ports. If I try manually connecting to one of the ports that are
>>> listed as open by nmap I get a "Could not open connection to the host,
>>> on port 7800: Connect failed". Is it possible that nmap is just full
>>> of crap?
>>>
>>>> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <[email protected]>
>>>> wrote:
>>>>>
>>>>> Hello @misc!
>>>>>
>>>>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>>>>> However, I get some strange results if I run a nmap scan on it from
>>>>> work. I get hundreds of ports listed as open. Now it's likely that I
>>>>> have mis-configured my firewall but I can't see exactly where.
>>>>> Hopefully someone here on @misc can hit me with the clue stick.
>>>>>
>>>>> $ext_if (sis0) is my external facing interface. $int_if and $apple_if
>>>>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>>>>> obviously doing NAT for all my internal subnets -- NAT works, as do
>>>>> the restrictions on sis1 and sis2 from being able to send traffic to
>>>>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>>>>> should by default block any inbound packets on any interface unless
>>>>> there is a subsequent rule that matches that packet, as the packet will
>>>>> do whatever the last matching rule told it to. So all inbound traffic
>>>>> will either A) be blocked or B) match an "exception" later on in the
>>>>> ruleset, right? So how come a scan from the "outside" reveals hundreds
>>>>> of unfiltered ports?
>>>>>
>>>>> Advice would be much welcome.
>>>>> Thank you!
>>>>>
>>>>>
>>>>> /etc/pf.conf:
>>>>>
>>>>> # macros
>>>>> ext_if="sis0"
>>>>> int_if="sis1"
>>>>> apple_if="sis2"
>>>>> wifi_if="ral0"
>>>>>
>>>>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>>>>
>>>>> # options
>>>>> set require-order yes
>>>>> set block-policy drop
>>>>> set optimization normal
>>>>> set skip on lo0
>>>>>
>>>>>
>>>>> # flag packets from all internal interfaces for NAT
>>>>> match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
>>>>>
>>>>> # policy: default deny on all inbound traffic on all interfaces
>>>>> block in log
>>>>>
>>>>> # immediately pass out traffic on external interface, modulate state to make
>>>>> # ISNs (initial sequence numbers) harder to guess
>>>>> pass out quick on $ext_if proto tcp modulate state
>>>>>
>>>>> # policy: default allow on all outbound traffic on all interfaces
>>>>> pass out
>>>>>
>>>>> # antispoofing for internal interfaces
>>>>> antispoof quick for { $int_if $apple_if $wifi_if }
>>>>>
>>>>> # ingress/egress bogon filtering
>>>>> block in quick log on $ext_if from <bogons>
>>>>> block out quick log on $ext_if from <bogons>
>>>>>
>>>>> # allow internal traffic in, except from untrusted --> trusted
>>>>> pass in on $int_if from $int_if:network
>>>>> pass in on $apple_if from $apple_if:network to !$int_if:network
>>>>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>>>>
>>>>> # allow ssh traffic on trusted interface
>>>>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
>>>>>
>>>>> # redirect external ssh traffic from ?????
>>>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>>>     rdr-to 127.0.0.1 port 22
>>>
>>>
>>
>> Which kind of scanning are you doing?
>> What's the output from nmap?
>>
>> Some fun stuff about this...
>> http://blackhat.com/html/bh-usa-08/bh-usa-08-archive.html#Vaskovich
>> http://phrack.org/issues.html?issue=51&id=11#article
>> http://phrack.org/issues.html?issue=54&id=9#article
I'm just doing a regular old normal scan: 'nmap $my_ipaddress'
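The manual connect attempt in the thread is the right cross-check for a scanner's "open" verdict. Here is an added example (not code from the thread or from OpenBSD) that does it systematically: it completes a real TCP handshake and classifies each port as open, closed (an RST, which is what a port with no listener or pf's `block-policy return` gives) or filtered (silence until the timeout, which is what the posted ruleset's `set block-policy drop` produces). The target address and the list of claimed-open ports are constructed placeholders.

```python
import socket

# Constructed sample of ports a scanner reported as "open" (7800 is the port
# the post mentions; the others are made up). Replace with the real list.
CLAIMED_OPEN = [22, 7800, 7801]
TARGET = "192.0.2.10"  # placeholder address, not the poster's host


def probe(host, port, timeout=2.0):
    """Complete a real TCP handshake and classify what came back.

    open     -> handshake completed, a listener really answered
    closed   -> RST (ECONNREFUSED): no listener, or pf 'block-policy return'
    filtered -> silence until the timeout: pf 'set block-policy drop' (as in
                the posted ruleset) or packets lost on the way
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as e:  # e.g. host or network unreachable
        return "error:" + str(e)
    finally:
        s.close()


def crosscheck(host, claimed_open, timeout=2.0):
    """Return {port: verdict} for every port the scanner claimed is open."""
    return {p: probe(host, p, timeout) for p in claimed_open}


def loopback_listener():
    """Bind a listener on 127.0.0.1 on a free port to demonstrate 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = loopback_listener()
    port = srv.getsockname()[1]
    print("loopback listener:", probe("127.0.0.1", port))       # open
    srv.close()
    print("same port, no listener:", probe("127.0.0.1", port))  # closed
    for p, verdict in crosscheck(TARGET, CLAIMED_OPEN).items():
        print(f"{TARGET}:{p} -> {verdict}")
```

Run it from the same vantage point as the scan; a port that comes back closed or filtered here never completed a handshake, so whatever the scanner saw did not come from a listener on the target.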