Hey all

I recently implemented an OBSD 3.5 border firewall at work. It all went
well apart from a 3-minute cold sweat where packets weren't routing...
because I had a typo when throwing the router's IP into /etc/mygate! ;)

Anyway, the wall is up and blocking away, but I am still seeing quite a
lot of logged hits on the secondary firewall that sits between the
internal corporate LAN and the OBSD firewall (and subsequently the router
and the internet). The LAN is a private class C subnet running through a
secured Linux box with NAT and firewall/logging.

The main source ports of the hits are 80 (web), 6346 (Gnutella) and
6889 (BitTorrent), but there are other random ports as well. The only
reference to the NAT box in pf.conf is:

# Outbound traffic from the NAT box: TCP/UDP from an unprivileged source
# port, with a state entry created so the return traffic is let back in.
# Without a "flags" modifier, "keep state" here creates the entry from any
# matching TCP packet, not only from the initial SYN.
pass in  quick on $int_if proto {tcp udp} from $box port >= 1024 to \
  any keep state
pass out quick on $ext_if proto {tcp udp} from $box port >= 1024 to \
  any keep state

NB: There are plenty of other rules for all the other servers but $box
is only referred to in these two lines.

So, what are these hits? Are they just the outside server sending a
leftover packet after the client has actually closed the connection, or
does it sound like a hole?

Any help would be great!

Thanks!

Andrew
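
The source port alone (80, 6346, 6889) cannot tell a leftover packet from a
closed session apart from a fresh inbound connection attempt, but the TCP
flags on the logged packet can: FIN, RST or a bare ACK with no SYN is the
remote side finishing or tearing down a session whose NAT state has already
expired on the Linux box, whereas a bare SYN arriving from a server port is
a new connection being opened towards the LAN and is worth a closer look.
The script below is an added example, not code from the post or from the
firewall described in it; it assumes the Linux box logs drops with the
iptables LOG target (the post does not say what logger it uses), and the
log lines in it are constructed for the example, not captured traffic.

```python
from collections import Counter

# Source ports the post names as the main origin of the logged hits.
WATCHED_SRC_PORTS = {80: "web", 6346: "gnutella", 6889: "bittorrent"}

# Bare flag tokens that the iptables LOG target prints for TCP packets.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines in iptables LOG style (assumed log format).
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=40 TTL=52 "
    "PROTO=TCP SPT=80 DPT=33412 WINDOW=0 RES=0x00 ACK FIN URGP=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=40 TTL=48 "
    "PROTO=TCP SPT=6346 DPT=44001 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.21 DST=192.168.1.1 LEN=60 TTL=55 "
    "PROTO=TCP SPT=6889 DPT=51234 WINDOW=5840 RES=0x00 SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=198.51.100.33 DST=192.168.1.1 LEN=48 TTL=50 "
    "PROTO=UDP SPT=6346 DPT=6346 LEN=28",
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=52 TTL=52 "
    "PROTO=TCP SPT=80 DPT=33412 WINDOW=0 RES=0x00 ACK PSH URGP=0",
]


def parse_log_line(line):
    """Turn one iptables-style LOG line into the fields we need."""
    tokens = line.split()
    # KEY=VALUE tokens; "OUT=" yields an empty value, bare tokens are skipped.
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if kv.get("SPT") else None,
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
        "flags": frozenset(t for t in tokens if t in TCP_FLAG_TOKENS),
    }


def classify(pkt):
    """Label a blocked packet by what its protocol and TCP flags imply."""
    if pkt["proto"] == "UDP":
        # UDP has no handshake; a stray datagram from a peer port is
        # expected once the NAT entry for the outbound exchange times out.
        return "udp-unsolicited"
    if pkt["proto"] != "TCP":
        return "other"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN from a server port opens a new connection towards the
        # LAN; it is not the tail of a session a LAN client started.
        return "new-connection-attempt"
    if "SYN" in flags:
        # SYN+ACK is the reply to a SYN the LAN side sent.
        return "handshake-reply"
    if flags & {"FIN", "RST", "ACK"}:
        # FIN/RST/ACK with no SYN: the remote side finishing or tearing
        # down a session whose state this box has already dropped.
        return "late-packet"
    return "other"


def service_name(spt):
    """Map a source port to the service name used in the post, if any."""
    return WATCHED_SRC_PORTS.get(spt, "other")


def summarize(lines):
    """Count categories across a batch of log lines (non-packet lines skipped)."""
    return Counter(classify(parse_log_line(l)) for l in lines if "PROTO=" in l)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_log_line(line)
        print(service_name(pkt["spt"]), pkt["spt"], pkt["dpt"],
              sorted(pkt["flags"]), "->", classify(pkt))
    print(dict(summarize(SAMPLE_LOG)))
```

If nearly everything lands in the late-packet bucket, the hits are the
ordinary tail of sessions the LAN clients closed, and the cure is on the
Linux box's conntrack timeouts rather than in pf.conf. On the pf side, the
pf.conf(5) idiom for TCP is `flags S/SA keep state`, which makes the rule
create state only from an initial SYN; that does not stop the late packets
being logged downstream, but it does stop pf accepting a stray ACK from
outside as the start of a "connection".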


