Date: Tue, 24 Oct 2006 21:27:33 +0300
From: Andrei Kolu <antik@bsd.ee>
To: freebsd-pf@freebsd.org
Subject: pf firewall shows ports are open?
Message-ID: <200610242127.33703.antik@bsd.ee>
In-Reply-To: <2c84c1de0610240733k39546da2s47492d7864db4711@mail.gmail.com>
References: <2c84c1de0610231318m170dfe55wbc4f3af4fc929b22@mail.gmail.com> <fee88ee40610240228vb5bbf97i229accf68107ff7f@mail.gmail.com> <2c84c1de0610240733k39546da2s47492d7864db4711@mail.gmail.com>
Hello all!

I've got a strange problem here; it looks like I am dumb enough to understand this. My current PF rules:

------------------------------------------------------------------------------------------
pfctl -sa
FILTER RULES:
scrub in all fragment reassemble
block drop all
block drop in from no-route to any
pass out inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = http flags S/SA synproxy state
pass on nve0 proto icmp all
pass out on nve0 proto tcp from (nve0) to any keep state
pass out on nve0 proto udp from (nve0) to any keep state
pass in on nve0 proto tcp from any to (nve0) port = http keep state
block drop on nve0 from <blacklist> to any

No queue in use
------------------------------------------------------------------------------------------

Why does nmap show me that these ports are open? I can't connect with ssh because it is blocked, I guess, so why do I see it here?

------------------------------------------------------------------------------------------
nmap 192.168.2.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-10-24 21:23 EEST
Interesting ports on 192.168.2.100:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp

Nmap finished: 1 IP address (1 host up) scanned in 14.412 seconds
------------------------------------------------------------------------------------------

The original config file is here:

. /etc/rc.subr

name="pf_rules"
rcvar=`set_rcvar`
# load_rc_config must run before $pf_rules is used below, otherwise
# required_files is assigned an empty string
load_rc_config $name
start_cmd="create_rules"
required_files="$pf_rules"

create_rules ()
{
	echo "Creating $pf_rules."
	echo "set skip on { lo0 }" > $pf_rules
	echo "scrub in all" >> $pf_rules
	echo "block drop all" >> $pf_rules
	# block anything coming from source we have no back routes for
	echo "block in from no-route to any" >> $pf_rules
	# echo "pass quick on all" >> $pf_rules
	echo 'table <blacklist> persist file "/etc/blacklist"' >> $pf_rules
	echo "pass out inet proto icmp all icmp-type echoreq keep state" >> $pf_rules
	echo "pass in proto tcp from any to any port www flags S/SA synproxy state" >> $pf_rules
	for inf in `ifconfig -l` ; do
		# test the exit status of egrep directly; wrapping the pipeline in
		# backticks would try to execute the interface name as a command
		if echo "$inf" | egrep -v 'lo|plip|gif|tun|pfsync' >/dev/null ; then
			echo "pass on $inf proto icmp all" >> $pf_rules
			# Allow all outgoing traffic
			echo "pass out on $inf proto { tcp,udp } from ($inf) to any keep state" >> $pf_rules
			# Check if we have a /etc/pf.inports file, and open those ports
			if [ -e "/etc/pf.inports" ]
			then
				for PORT in `cat /etc/pf.inports | grep "^udp: " | cut -d " " -f 2`
				do
					echo "pass in on $inf proto udp from any to ($inf) port $PORT keep state" >> $pf_rules
				done
			fi
			if [ -e "/etc/pf.inports" ]
			then
				for PORT in `cat /etc/pf.inports | grep "^tcp: " | cut -d " " -f 2`
				do
					echo "pass in on $inf proto tcp from any to ($inf) port $PORT keep state" >> $pf_rules
				done
			fi
			# Deny all from our blacklist
			echo "block on $inf from <blacklist> to any" >> $pf_rules
		fi
	done
}

run_rc_command "$1"
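Added check (an editor's example, not part of the message above or of the rc script it quotes): it compares the ports a scan reports open against the ports the live ruleset actually passes inbound, so the two outputs quoted in the message can be reconciled line by line rather than by eye. It reads `pfctl -sa`-style rule lines and nmap's port table as plain text; the two samples embedded below are constructed from the output quoted in the message, and the service-name table is a hand-written subset of /etc/services (an assumption, since pfctl prints names rather than numbers). Any port it lists is open without a matching pass-in rule, which means the packets either never traversed these rules or were admitted by a rule this script did not generate. One thing the comparison cannot tell you is where the scan ran from: the generated ruleset begins with `set skip on { lo0 }`, and a scan of the host's own address run from the host itself travels over lo0, so it never meets the nve0 rules at all.

```sh
#!/bin/sh
# Added example: report ports that a scan shows open but that no inbound
# "pass" rule in the ruleset allows.  Not part of the original message.

# Constructed sample: the pfctl -sa filter rules quoted in the message.
PF_RULES='scrub in all fragment reassemble
block drop all
block drop in from no-route to any
pass out inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = http flags S/SA synproxy state
pass on nve0 proto icmp all
pass out on nve0 proto tcp from (nve0) to any keep state
pass out on nve0 proto udp from (nve0) to any keep state
pass in on nve0 proto tcp from any to (nve0) port = http keep state
block drop on nve0 from <blacklist> to any'

# Constructed sample: the nmap port table quoted in the message.
NMAP_OUT='PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp'

# pfctl prints ports as service names; map the common ones back to numbers.
# Hand-written subset of /etc/services (assumption); numbers pass through.
service_to_port() {
	case "$1" in
		http|www) echo 80 ;;
		https) echo 443 ;;
		ssh) echo 22 ;;
		smtp) echo 25 ;;
		domain) echo 53 ;;
		*) echo "$1" ;;
	esac
}

# Print "proto/port" for every rule that passes traffic inbound to a port.
# "pass in" and direction-less "pass on" both count; "pass out" and rules
# without a port (icmp) are ignored.  Argument: rule text; default: sample.
passed_in_ports() {
	printf '%s\n' "${1:-$PF_RULES}" | awk '
		$1 == "pass" && $2 != "out" {
			proto = ""; port = ""
			for (i = 1; i <= NF; i++) {
				if ($i == "proto") proto = $(i + 1)
				if ($i == "port") {
					port = $(i + 1)
					if (port == "=") port = $(i + 2)
				}
			}
			if (proto != "" && port != "") print proto "/" port
		}' |
	while IFS= read -r pp; do
		echo "${pp%/*}/$(service_to_port "${pp#*/}")"
	done | sort -u
}

# Print "proto/port" for every line nmap marks open.  Argument: nmap text.
open_ports() {
	printf '%s\n' "${1:-$NMAP_OUT}" |
	awk '$2 == "open" { split($1, a, "/"); print a[2] "/" a[1] }' | sort -u
}

# Open ports with no inbound pass rule.  Arguments: rule text, nmap text.
unexplained_open_ports() {
	allowed=$(passed_in_ports "${1:-$PF_RULES}")
	open_ports "${2:-$NMAP_OUT}" | while IFS= read -r pp; do
		printf '%s\n' "$allowed" | grep -qxF "$pp" || echo "$pp"
	done
}

echo "Inbound ports the ruleset passes:"
passed_in_ports
echo "Open ports with no matching inbound pass rule:"
unexplained_open_ports
```

Run against the quoted samples, the ruleset passes only tcp/80 inbound, and all four ports nmap reported (22, 139, 445, 631) come out as unexplained. To use it on a live host, feed it `pfctl -sr` output and an nmap run from a different machine on the nve0 side, so the scan traffic actually crosses the filtered interface.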
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200610242127.33703.antik>