Date: Mon, 21 Dec 2009 11:10:13 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: DAve <dave.list@pixelhammer.com> Cc: 'User Questions' <freebsd-questions@freebsd.org> Subject: Re: Source of closed port RST responses Message-ID: <4B2F5795.5010206@infracaninophile.co.uk> In-Reply-To: <4B2EA349.3050604@pixelhammer.com> References: <4B2E7CEA.1020502@pixelhammer.com> <4B2E8628.6060100@radel.com> <4B2EA349.3050604@pixelhammer.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig5779AA1B5EE1DF245192B370
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
DAve wrote:
> I will be installing pf this week, I just need to write up my rule sets=
> for these servers. I had been working on the webservers first. Is there=
> a rule I can use to log connection attempts to closed ports?
pf doesn't really know anything about whether there is a listener at a pa=
rticular
port or not. However, you can log suspicious traffic using a 'capture ev=
erything'
rule, which should log and then block or drop all traffic that matches it=
=2E You then
override that with more specific rules to allow the traffic to the servic=
es you want
to publish on the net. [pf is a 'last matching rule wins' type firewall, =
so you write
the rules in order from most generic to most specific.] Something like th=
is:
ext_if=3D"em0" # alter to match your hardware
set skip on lo0
set loginterface $ext_if
set state-policy if-bound
scrub in
block log all
pass in on $ext_if proto tcp from any to $ext_if port http flags S/SA kee=
p state
[...]
(You'll need more pass rules than that -- especially to allow your host t=
o do
things like query the DNS, allow SSH in and out, connect to remote web/ft=
p sites,
etc.)
Remember to run pflogd to have the logged packets saved to disk. Be awar=
e that the
log output in /var/log/pflog is actually in pcap format, so you'll need t=
o use
tcpdump -r /var/log/pflog to turn it into something human readable. /var/=
log/pflog
can get recycled fairly rapidly depending on network conditions. Or you =
can just
run tcpdump -i pflog0 to get a live view of rejected packets.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
--------------enig5779AA1B5EE1DF245192B370
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAksvV5wACgkQ8Mjk52CukIzv9QCeNPrPUfB/mSnIbPEPWwGAiW7Q
Ay4AoIB6e2v58n2+1Rvj8gnHFMPlhSv0
=kjj/
-----END PGP SIGNATURE-----
--------------enig5779AA1B5EE1DF245192B370--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B2F5795.5010206>