Try:

    set block-policy return

You should get your proper closed messages in nmap.

On Fri, Nov 12, 2010 at 13:27, woolsherpahat <[email protected]> wrote:
> (please see my in-line comments)
>
> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <[email protected]> wrote:
>> is it this?
>>> # redirect external ssh traffic from ?????
>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>     rdr-to 127.0.0.1 port 22
>> to me, that rule looks like it will accept any inbound traffic on the
>> external interface and redirect it to 127.0.0.1:22.  But I don't know what
>> the question marks do; I've never seen them used in a pf rule before.  My
>> guess is, if pf accepts them at all, it treats them as a wildcard.
>> -ken
>
> The ????? marks are just replacements for the actual port number. This
> rule should forward outside traffic from port ????? to the SSH server,
> but I think you are probably on the right track. I really don't
> understand the new rdr-to and match nat-to rules as well as the older
> pre-4.6 syntax.
>
> However, if I comment that rule out, an nmap still shows a bunch of open
> ports. If I try manually connecting to one of the ports that are
> listed as open by nmap I get a "Could not open connection to the host,
> on port 7800: Connect failed". Is it possible that nmap is just full
> of crap?
>
>> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <[email protected]>
>> wrote:
>>>
>>> Hello @misc!
>>>
>>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>>> However, I get some strange results if I run an nmap scan on it from
>>> work. I get hundreds of ports listed as open. Now it's likely that I
>>> have mis-configured my firewall but I can't see exactly where.
>>> Hopefully someone here on @misc can hit me with the clue stick.
>>>
>>> $ext_if (sis0) is my external facing interface. $int_if and $apple_if
>>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>>> obviously doing NAT for all my internal subnets -- NAT works, as do
>>> the restrictions on sis1 and sis2 from being able to send traffic to
>>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>>> should by default block any inbound packets on any interface unless
>>> there is a subsequent rule that matches that packet, as the packet will
>>> do whatever the last matching rule told it to. So all inbound traffic
>>> will either A) be blocked or B) match an "exception" later on in the
>>> ruleset, right? So how come a scan from the "outside" reveals hundreds
>>> of unfiltered ports?
>>>
>>> Advice would be much welcome.
>>> Thank you!
>>>
>>> /etc/pf.conf:
>>>
>>> # macros
>>> ext_if="sis0"
>>> int_if="sis1"
>>> apple_if="sis2"
>>> wifi_if="ral0"
>>>
>>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>>
>>> # options
>>> set require-order yes
>>> set block-policy drop
>>> set optimization normal
>>> set skip on lo0
>>>
>>> # flag packets from all internal interfaces for NAT
>>> match out on $ext_if inet from !($ext_if:network) to any nat-to \
>>>     ($ext_if:0)
>>>
>>> # policy: default deny on all inbound traffic on all interfaces
>>> block in log
>>>
>>> # immediately pass out traffic on external interface, modulate state to make
>>> # ISNs (initial sequence numbers) harder to guess
>>> pass out quick on $ext_if proto tcp modulate state
>>>
>>> # policy: default allow on all outbound traffic on all interfaces
>>> pass out
>>>
>>> # antispoofing for internal interfaces
>>> antispoof quick for { $int_if $apple_if $wifi_if }
>>>
>>> # ingress/egress bogon filtering
>>> block in quick log on $ext_if from <bogons>
>>> block out quick log on $ext_if from <bogons>
>>>
>>> # allow internal traffic in, except from untrusted --> trusted
>>> pass in on $int_if from $int_if:network
>>> pass in on $apple_if from $apple_if:network to !$int_if:network
>>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>>
>>> # allow ssh traffic on trusted interface
>>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port \
>>>     22
>>>
>>> # redirect external ssh traffic from ?????
>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>     rdr-to 127.0.0.1 port 22
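As an added example (not from the thread or from OpenBSD), a small Python lint that checks a pf.conf for the two points raised above: the block-policy, which decides whether blocked ports answer a scan at all, and external pass-in rules whose port is still the ????? placeholder. The sample ruleset is a constructed excerpt modelled on the poster's configuration.

```python
import re

# Constructed excerpt modelled on the ruleset posted in the thread; the
# ????? placeholder is kept exactly as it appears in the mail.
SAMPLE_PF_CONF = """\
ext_if="sis0"
int_if="sis1"
set block-policy drop
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
block in log
pass out
pass in on $int_if from $int_if:network
pass in log on $ext_if inet proto tcp to ($ext_if) port ????? \\
    rdr-to 127.0.0.1 port 22
"""

def logical_lines(text):
    """Join backslash-continued rules, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [l.split("#", 1)[0].strip() for l in joined.splitlines()
            if l.split("#", 1)[0].strip()]

def block_policy(lines):
    """Configured block-policy, or 'drop' (pf's default) when no 'set' line."""
    for line in lines:
        m = re.match(r"set\s+block-policy\s+(drop|return)\b", line)
        if m:
            return m.group(1)
    return "drop"

def external_pass_in(lines, ext_macro="ext_if"):
    """'pass in' rules bound to the external interface, with macros expanded."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', "\n".join(lines), re.M))
    ext = macros.get(ext_macro, ext_macro)
    expand = lambda l: re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), l)
    return [r for r in map(expand, lines)
            if r.startswith("pass in") and f"on {ext}" in r]

def audit(text):
    """Return the findings for the two issues discussed in the thread."""
    lines = logical_lines(text)
    findings = []
    if block_policy(lines) == "drop":
        findings.append("block-policy drop: blocked ports send no reply, so a scan "
                        "cannot tell them from filtered ones; 'set block-policy "
                        "return' answers with TCP RST / ICMP unreachable instead")
    for rule in external_pass_in(lines):
        if "?" in rule:  # port still a placeholder, rule will not load as written
            findings.append("external pass-in rule has an unresolved port: " + rule)
    return findings
```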

