Date:      Sat, 26 Apr 2008 14:39:50 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Reinhold <freebsd@violetlan.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: bridging ath0 with re0 working, kinda, almost
Message-ID:  <Pine.BSF.3.96.1080426134337.22355A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20080425182617.1B0A610656C3@hub.freebsd.org>

On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold <freebsd@violetlan.net> wrote:

 > # block some known-bad ports without logging
 > #
 > block return-rst  in quick on $ext_if1 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if1 proto udp from any to any port {
 > 137, 138, 139, 1434 }
 > block return-rst  in quick on $ext_if2 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if2 proto udp from any to any port {
 > 137, 138, 139, 1434 }

Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn) 
is done on TCP, not UDP.  My current same-intent sections for ipfw are: 

    # first take out the vast bulk of inbound TCP bogons / scan noise:
    crap="135,139,445,1433,2967,2968,4899,5900"
    crap="${crap},1080,8000,8080,3128"
    ${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
    ${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
[..]
    # first cut out most of the heavy duty UDP noise (incl broken insiders)
    junk="137,138,1433,1434"
    junk="${junk},3544"		# XP home calls home?  MS IPv6 'Teredo'
    ${fwadd} deny log $afew udp from any to any $junk via ${ext_if}

Some of the handbook firewall examples are mistaken about port 139 too.

cheers, Ian
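As an added example (not code from either mail), a small Python lint that catches the mistake discussed above: it folds pf's multi-line `{ ... }` lists, strips mail-quote prefixes, and reports any port listed under a protocol the service does not run on. The port-to-protocol table is this example's own assumption, not something pf or ipfw provides.

```python
import re

# Constructed reference table (this example's own assumption, not from pf):
# protocols on which each well-known service actually operates.
SERVICE_PROTOS = {
    111: {"tcp", "udp"},   # sunrpc / rpcbind
    137: {"udp"},          # netbios-ns
    138: {"udp"},          # netbios-dgm
    139: {"tcp"},          # netbios-ssn is TCP only
    445: {"tcp"},          # microsoft-ds (SMB over TCP)
    1080: {"tcp"},         # socks
    1434: {"tcp", "udp"},  # ms-sql-m (SQL Server Browser answers on UDP)
    6000: {"tcp"},         # X11
    6667: {"tcp"},         # irc
}

RULE_RE = re.compile(
    r"^\s*(?:block|pass)\b.*\bproto\s+(?P<proto>tcp|udp)\b.*"
    r"\bport\s+(?:\{(?P<list>[^}]*)\}|(?P<single>\d+))")

def join_brace_lists(conf):
    """Drop mail-quote '>' prefixes, then fold each pf { ... } list (which
    may span lines, as in the quoted rules) onto a single line."""
    conf = "\n".join(re.sub(r"^\s*>\s?", "", ln) for ln in conf.splitlines())
    return re.sub(r"\{[^}]*\}", lambda m: " ".join(m.group(0).split()), conf)

def lint_pf_rules(conf):
    """Return [(proto, port)] for every port that sits under a protocol the
    service does not run on; ports missing from the table are left alone."""
    findings = []
    for line in join_brace_lists(conf).splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        ports = m.group("list") or m.group("single") or ""
        for port in (int(p) for p in re.findall(r"\d+", ports)):
            allowed = SERVICE_PROTOS.get(port)
            if allowed and m.group("proto") not in allowed:
                findings.append((m.group("proto"), port))
    return findings

# Sample input: the pf rules quoted from Reinhold's mail, one interface only.
QUOTED_RULES = """\
block return-rst  in quick on $ext_if1 proto tcp from any to any port {
111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port {
137, 138, 139, 1434 }
"""
```

Running `lint_pf_rules(QUOTED_RULES)` reports `[("udp", 139)]`; moving 139 into the tcp list makes it return an empty list.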