[EMAIL PROTECTED] wrote:

> Subject:
> pf filter sequence
> From:
> Bulk <[EMAIL PROTECTED]>
> Date:
> Mon, 5 Feb 2007 10:39:01 -0500
> To:
> [email protected]
>
>
>Hi, 
>
>I've been running pf for a long time and thought I had it all nailed, but this 
>thing has me stumped.
>
>In the filter section I have a series of blocks intended to set the default 
>block environment. 
>
>My idea was that at this point nothing should be able to flow through to or 
>from 10.1.0.12. But a later pass does let it pass out. I thought it processed 
>from the top and stopped on a quick. Even a later quick should be ignored.
>
>
>### Filter Rules
>
>pass quick on lo
>pass quick on $intif
>
># Block certain IP's
>block in  log quick on $extif from $BlockIP to any
>block out log quick on $extif from any to $Microsoft
>block out log quick on $extif from { <private>, <BlockIP> } to any
>block out log quick on $extif from any to $BlockIP
>
># Block NMap scans
>block quick from any os NMAP
>
># Ignore the RIPv2 responses that are unsolicited
>block in quick on $extif from 24.92.8.1 to any
>block in quick on $extif from 24.73.73.129 to any
>block in quick on $extif from 24.73.83.193 to any
>block in quick on $extif from 24.144.89.129 to any
>block in quick on $extif from 67.8.8.93 to any
>block in quick on $extif proto { tcp udp } from any port 520 to any port 520
>
># Ignore external windows and others
>block out log quick on $extif proto { tcp udp } from any to $extif port $BlockTCP
>block out log quick on $extif proto { tcp udp } from any to any port { 67 68 }
>
># Block spoofing
>antispoof quick for $extif
>
># Ignore internal windows and others
>block out log quick on $extif proto tcp from $LAN port $BlockTCP to 10.125.65.255 port $BlockTCP
>block out log quick on $extif proto udp from $LAN port $BlockUDP to 10.125.65.255 port $BlockUDP
>block out log quick on $extif proto tcp from $LAN2 port $BlockTCP to 10.125.65.255 port $BlockTCP
>block out log quick on $extif proto udp from $LAN2 port $BlockUDP to 10.125.65.255 port $BlockUDP
>block return out log on $extif inet all queue other
>
># Block .12
>block in log quick on $extif proto { tcp udp icmp } to 10.1.0.12
>block out log quick on $extif proto { tcp udp icmp } from 10.1.0.12
>
># Block all incoming packets. Last stop.
>block drop in log on $extif all
>
>
>
>Bulk
>  
>
Hello Bulk.

Your ruleset looks hard to read to me, because I write rulesets exactly 
the other way around: pass rules, with keep state. In a few words, there 
are only block rules, and I can't find any 'later pass' rule. What flows 
do you want to allow instead? The 'allow that, block anything else' 
looks easier and safer than 'let's block Nmap scans, this, this and that 
identified threat'.
How about:
- identify ingress and egress allowed flows;
- for each allowed flow, use two pass lines, one for each interface that 
the flow passes through;
- use keep/modulate state.

I'm afraid these comments do not answer your problem right away, but 
maybe they would help you look at other ways to solve it.

HTH
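The following pf.conf is an added illustration of the pass-oriented layout the reply recommends (default block, two pass rules per allowed flow, one per interface, with keep/modulate state); it is not a ruleset from either poster. The interface names, the LAN prefix, the allowed services and the NAT rule are assumptions; only 10.1.0.12 comes from the original post. One caveat worth knowing for pf of this generation (before the OpenBSD 4.7 rewrite): translation rules run before filter rules, so an outbound rule on the external interface sees the translated source address, which is why the pass out rules below match on ($ext_if) rather than on the LAN prefix.

```pf
# Added example, not from the thread. Interfaces, addresses and policy are assumed.
ext_if = "fxp0"            # assumed external interface
int_if = "fxp1"            # assumed internal interface
lan    = "10.1.0.0/24"     # assumed LAN prefix
blocked_host = "10.1.0.12" # host from the original post that must not talk at all

# Services the LAN may reach on the Internet (assumed policy)
tcp_out = "{ 22 80 443 }"
udp_out = "{ 53 123 }"

set skip on lo

# Translation runs before filtering: outbound packets on $ext_if will carry
# the address of $ext_if as their source when the filter rules see them.
nat on $ext_if from $lan to any -> ($ext_if)

# Default policy: block and log everything; only explicit pass rules open traffic.
block log all

# Spoofing protection on the external interface.
antispoof quick for $ext_if

# The blocked host is cut off on the internal interface, before NAT can
# rewrite its address, and quick so that no later pass rule can override it.
block in  log quick on $int_if from $blocked_host to any
block out log quick on $int_if from any to $blocked_host

# Each allowed flow gets two pass rules, one per interface it crosses.
# State makes the reply packets match without any further rules.

# LAN -> Internet, TCP
pass in  quick on $int_if proto tcp from $lan      to any port $tcp_out keep state
pass out quick on $ext_if proto tcp from ($ext_if) to any port $tcp_out keep state

# LAN -> Internet, UDP (DNS, NTP)
pass in  quick on $int_if proto udp from $lan      to any port $udp_out keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port $udp_out keep state

# Outbound ping from the LAN, for diagnostics
pass in  quick on $int_if inet proto icmp from $lan      to any icmp-type echoreq keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# Inbound SSH to the firewall itself; modulate state randomises the ISNs.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 modulate state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating it; `pfctl -sr` afterwards shows the rules in the order pf evaluates them, which is the quickest way to confirm that a quick block sits above the pass rules you expect it to override.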

_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
