From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Jeremy Chadwick
Cc: Scott Bennett, freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Date: Mon, 06 Oct 2008 14:33:38 +0300
Message-ID: <871vyuj6ul.fsf@kobe.laptop>
In-Reply-To: <20081006072611.GA13147@icarus.home.lan> (Jeremy Chadwick's message of "Mon, 6 Oct 2008 00:26:11 -0700")
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan>

On Mon, 6 Oct 2008 00:26:11 -0700, Jeremy Chadwick wrote:
> On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
>>     block drop all
>>
>> looks fairly magical to me. Stick that at the top of your ruleset as
>> your default policy, add more specific rules beneath it to allow the
>> traffic you do want to pass, and Robert is your Mother's Brother. No
>> more floods of RST packets.
>
> This is incredibly draconian. :-) I was trying my best to remain
> realistic.

Yes this is a bit draconian, but it is also pretty ``realistic'', as in
``it works fine if all you need is a very basic, but strict firewall''.

I run my laptop with a `pf.conf' that (putting most of the comments and
other disabled rules for one-off tests aside) looks pretty much like:

    set block-policy drop
    set require-order yes
    set skip on lo0

    scrub in all

    block in all
    block out all

    pass in quick proto icmp all
    pass out quick proto icmp all

    pass out proto { tcp, udp } all keep state

Depending on the network I am connected to, I may leave DHCP replies
open too, i.e.:

    pass in quick proto udp from 192.168.1.1/24 to 255.255.255.255 port = 68

This seems to have worked pretty well so far, but this is, as I wrote,
merely a laptop.  For production servers, there are probably going to be
quite a few other rules to allow incoming connections.

> I cannot advocate use of "log" on such "vague" rules, and my attitude
> is based on experience:
>
> We had "log" set on some of our deny rules, specifically on an entry
> which blocked any traffic to an IP to any ports other than 53 (DNS).
> Someone initiated an attack against that IP, to a destination port of
> something other than 53, which caused pflog to go crazy with logging.

Heh, that's indeed a possibility.  Hence the lack of 'log' in my default
ruleset shown above.
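The message above describes a default-deny laptop ruleset and notes that production servers need extra rules for incoming connections, while the quoted reply warns against putting "log" on the catch-all block. The following pf.conf is an added example written for this page, not a ruleset posted by anyone in the thread: it keeps the same default-deny skeleton, adds a few inbound services with connection-rate limits, and logs only the narrow service rule rather than the default block, so an unsolicited RST flood is dropped silently and never reaches pflog0. The interface name em0, the service ports and the table name are assumptions chosen for the example.

```pf
# Added example (not from the thread): default-deny server ruleset.
# ext_if, the ports and the table name are assumptions for illustration.
ext_if = "em0"                 # assumed external interface

# Hosts that exceed the SSH connection limits land here and are
# dropped by the "block in quick from <bruteforce>" rule below.
table <bruteforce> persist

set block-policy drop          # never answer blocked packets with RST/ICMP
set skip on lo0
set loginterface $ext_if       # per-interface counters for "pfctl -si"

scrub in all

# Default deny, deliberately without "log": an RST flood against this
# host is dropped without generating a pflog entry per packet.
block in all
block out all

# Drop packets whose source address could not legitimately arrive on
# $ext_if; cheap protection against spoofed floods.
antispoof quick for $ext_if

block in quick on $ext_if from <bruteforce>

# Only this narrow rule carries "log": pflog volume is bounded by
# genuine SSH connection attempts, not by whatever the Internet sends.
# A source exceeding 10 concurrent connections or 5 new connections in
# 30 seconds is added to <bruteforce> and its existing states flushed.
pass in log on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Web service: synproxy completes the TCP handshake on behalf of the
# server, so a SYN flood never creates half-open connections there.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } \
    flags S/SA synproxy state

# Same outbound and ICMP policy as the laptop ruleset in the message.
pass in quick proto icmp all
pass out quick proto icmp all
pass out proto { tcp, udp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch what actually gets logged with `tcpdump -n -e -ttt -i pflog0`; if that stream is dominated by a single rule, that rule is the candidate for losing its "log" keyword, which is exactly the failure the quoted reply describes. `pfctl -t bruteforce -T show` lists the sources that tripped the SSH limits.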