Thanks for your answer!
[EMAIL PROTECTED] wrote:
And while I'm at it, is there anywhere I can see which types of ICMP are *not* let back in even if they match a state (I assume that type 5 redirect at least is always filtered unless there is an explicit rule)?
If you have:

    block in log on $public all
    block out log on $public all

as your first rules, you'll see which packets are being blocked.
I don't think this applies to what I'm asking. Then again, I might have been asking the wrong question, so I'll try again. As I understand it, this should happen:
- A TCP packet goes out via a port explicitly allowed by a pf "keep state" rule
- The remote machine sends back an ICMP error message (e.g. timex)
- pf matches the returning ICMP against the state created by the initial TCP packet and lets it pass.
At this stage I have no possibility to stop a specific ICMP from being returned to me, since state gets matched before rules (right?). So a man-in-the-middle could simply spoof the IP of the initial destination, send back an ICMP router redirect and have all further packets in that connection routed via his machine (insert hand-waving). Since this is obviously a bad thing, and pf seems to try to do a lot of "right things" automagically, I assumed that pf would block returning router redirects even if they match against an entry in the state table. Am I wrong? If I am, how do I defend against the above scenario? And if I'm not wrong, are there other ICMP types which pf blocks automagically?
pass in on $public all keep state
pass out on $public all keep state
Don't allow everything by default. Block everything and explicitly allow what you want.
Yeah, I know :-). This is a test setup. Or rather a transitory setup sitting in front of the real firewall while I get them in sync.
pass in quick on $public inet proto icmp \
    from any to <mynet> \
    icmp-type 8 keep state
pass in quick on $public inet proto icmp \
    from $router to <mynet> \
    icmp-type 9 keep state
block in quick log on $public inet proto icmp \
    from any to <mynet>
pass out quick on $public inet proto icmp \
    from <mynet> to any \
    icmp-type 8 keep state
block out quick log on $public inet proto icmp \
    from <mynet> to any
I think what you want is this:

    pass in quick on $public inet proto icmp from any to ($public) icmp-type {8,9} keep state
    pass out quick on $public inet proto icmp from ($public) to any icmp-type {8,9} keep state
No, I definitely do not want any router advertisements coming from anything but my upstream router.
    pass in quick on $internal inet proto icmp from <mynet> to any icmp-type {8,9} keep state
    pass out quick on $internal inet proto icmp from any to <mynet> icmp-type {8,9} keep state
Sorry, neglected to mention this is a filtering bridge, so no filtering on the internal interface.
Cheers,
Marc
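The following is an added worked example, not part of this thread and not pf's source code. It is a toy model of the state-matching step Marc describes: an outbound TCP SYN creates a state, and a returning ICMP error is compared with that state using only the original packet quoted inside the ICMP message. It shows that a type 5 redirect quoting the same flow matches exactly as a type 11 time-exceeded does, and what a "block this ICMP type before the state lookup" policy would have to look like. The Firewall class, its pass_out/test_in methods, the block_icmp_types_before_state parameter and the RFC 5737 addresses are all constructed for the example; nothing here claims what pf actually does with type 5.

```python
"""Toy model of ICMP-error-to-state matching (added illustration, not pf code).

It builds an outbound TCP SYN, records a state for it, then feeds back ICMP
errors (type 11 time exceeded and type 5 redirect) that quote that SYN, and
shows that the quoted inner header alone decides the state match.  The
Firewall class and its 'block before state lookup' policy are hypothetical;
they do not describe what pf does with type 5.  Addresses are documentation
ranges (RFC 5737), constructed for the example."""
import struct
import ipaddress

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreach, source quench, redirect, time exceeded, param prob


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, seq=0, flags=0x02):
    """Minimal 20-byte TCP header, SYN by default."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp_error(itype, code, original, gateway="0.0.0.0"):
    """ICMP error: 8-byte header, then the quoted IP header + 8 payload bytes (RFC 792).
    For a redirect the second word carries the gateway the sender wants us to use."""
    word = ipaddress.IPv4Address(gateway).packed if itype == 5 else b"\x00" * 4
    return struct.pack("!BBH", itype, code, 0) + word + original[:28]


def parse_ipv4(buf):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": buf[ihl:total]}


def flow_key(ip):
    """State key (proto, src, sport, dst, dport). TCP and UDP both start with the two ports,
    and those 4 bytes are always inside the 8 payload bytes an ICMP error quotes."""
    if ip["proto"] not in (6, 17) or len(ip["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return (ip["proto"], ip["src"], sport, ip["dst"], dport)


class Firewall:
    """Default-deny toy firewall with a state table keyed on the outbound flow."""

    def __init__(self, block_icmp_types_before_state=()):
        self.states = set()
        self.always_block = set(block_icmp_types_before_state)  # hypothetical policy hook

    def pass_out(self, pkt):
        """'pass out ... keep state' on a TCP/UDP packet: record its flow."""
        key = flow_key(parse_ipv4(pkt))
        if key is None:
            return "block"
        self.states.add(key)
        return "pass"

    def test_in(self, pkt):
        ip = parse_ipv4(pkt)
        if ip["proto"] != 1 or len(ip["payload"]) < 8:
            return "block"
        itype = ip["payload"][0]
        if itype in self.always_block:
            return "block"                      # policy checked before the state lookup
        if itype not in ICMP_ERROR_TYPES:
            return "block"
        # Only the quoted packet is compared with the state table: the outer source is
        # ignored because ICMP errors legitimately come from intermediate routers.
        inner = parse_ipv4(ip["payload"][8:])
        return "pass (state)" if flow_key(inner) in self.states else "block"


def demo():
    """Returns the decisions for the scenario in the thread, with and without the policy."""
    syn = build_ipv4("192.0.2.10", "203.0.113.5", 6, build_tcp(40000, 80))
    timex = build_ipv4("198.51.100.1", "192.0.2.10", 1, build_icmp_error(11, 0, syn))
    redirect = build_ipv4("203.0.113.5", "192.0.2.10", 1,
                          build_icmp_error(5, 1, syn, gateway="198.51.100.66"))
    results = {}
    for label, fw in (("plain", Firewall()), ("no-redirects", Firewall({5}))):
        fw.pass_out(syn)
        results[label] = {"timex": fw.test_in(timex), "redirect": fw.test_in(redirect)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Two things worth noticing in the model. First, the sender address of the ICMP error plays no part in the state match, because ICMP errors are legitimately originated by intermediate hops, so an attacker does not even need to spoof the original destination to get past a lookup keyed on the quoted packet. Second, whether the redirect then does any harm is decided by the receiving host's IP stack rather than the firewall: a BSD or Linux host normally discards a redirect that does not come from its current first-hop gateway, and on OpenBSD acceptance of redirects is controlled by the net.inet.icmp.rediraccept sysctl, which is the control to check on the hosts behind a filtering bridge.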
