From: Jeremy Chadwick
To: Giorgos Keramidas
Cc: Scott Bennett, freebsd-questions@freebsd.org
Date: Mon, 6 Oct 2008 04:51:01 -0700
Subject: Re: pf vs. RST attack question
Message-ID: <20081006115101.GA19442@icarus.home.lan>
In-Reply-To: <871vyuj6ul.fsf@kobe.laptop>
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <871vyuj6ul.fsf@kobe.laptop>
User-Agent: Mutt/1.5.18 (2008-05-17)
List: freebsd-questions@freebsd.org (User questions)

On Mon, Oct 06, 2008 at 02:33:38PM +0300, Giorgos Keramidas wrote:
> On Mon, 6 Oct 2008 00:26:11 -0700, Jeremy Chadwick wrote:
> > On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
> >> block drop all
> >>
> >> looks fairly magical to me. Stick that at the top of your ruleset as
> >> your default policy, add more specific rules beneath it to allow the
> >> traffic you do want to pass, and Robert is your Mother's Brother. No
> >> more floods of RST packets.
> >
> > This is incredibly draconian. :-) I was trying my best to remain
> > realistic.
>
> Yes this is a bit draconian, but it is also pretty ``realistic'', as in
> ``it works fine if all you need is a very basic, but strict firewall''.
>
> I run my laptop with a `pf.conf' that (putting most of the comments and
> other disabled rules for one-off tests aside) looks pretty much like:
>
> set block-policy drop
> set require-order yes
> set skip on lo0
> scrub in all
> block in all
> block out all
> pass in quick proto icmp all
> pass out quick proto icmp all
> pass out proto { tcp, udp } all keep state

A couple things to point out here:

First, ICMP rules coming first (especially with "quick") might not be
ideal; ICMP is often considered a "last resort" protocol, meaning TCP
and UDP packets should have priority over it. It all depends on what
you want, but this is often the industry norm.

Second, and much more importantly, if you're on RELENG_7, "keep state"
serves no purpose here; "flags S/SA" is implicit on TCP rules, and
"keep state" is implicit in TCP, UDP, and ICMP rules.

If you're using RELENG_6, then your above rules have a serious problem:
you're tracking state for all outbound packets regardless of flags, and
not just initial setup (SYN). This is Very Bad(tm). In that case, you
should use these rules instead:

  pass out proto tcp all flags S/SA keep state
  pass out proto udp all keep state
  pass out proto icmp all keep state

I've never gotten a definite answer as to what happens if you use
"flags S/SA" on a rule that is for UDP, since UDP is a non-negotiated
protocol. That's why I split them up per protocol on RELENG_6 boxes.

Happy firewalling! :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
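The point of the RELENG_6 correction above is the difference between a rule that creates state for any outbound TCP packet and one that creates state only for the initial SYN. The following is an added example, written for this page and not code from the thread, from FreeBSD, or from pf itself: a small Python model of pf's "flags a/b" match (of the flags listed in b, exactly those in a must be set) and of whether a matching "keep state" rule would create a state entry. The rule parser covers only the subset of pf.conf syntax used in the thread, the packets are constructed for the example, and the model applies a flags clause to TCP only (the thread leaves the UDP case open, and so does this model); all of that is an assumption of the example rather than a statement about pf internals.

```python
"""Toy model of pf's "flags a/b" matching and "keep state" state creation.

Added example, not code from the mailing-list thread or from pf. It
contrasts a bare "keep state" rule (the RELENG_6 problem in the thread)
with "flags S/SA keep state" (the replacement rule given in the reply).
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP flag letters as used in pf's "flags a/b" syntax, mapped to header bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
SYN, ACK, RST, PSH = (TCP_FLAG_BITS[c] for c in "SARP")


def flags_to_mask(letters: str) -> int:
    """Turn a flag string such as "SA" into a bitmask."""
    mask = 0
    for ch in letters:
        mask |= TCP_FLAG_BITS[ch]
    return mask


def flags_match(packet_flags: int, spec: Optional[str]) -> bool:
    """Evaluate a "flags a/b" clause: of the flags in b, exactly those in a
    must be set; flags outside b are ignored. No clause matches anything."""
    if spec is None:
        return True
    want, _, check = spec.partition("/")
    return (packet_flags & flags_to_mask(check)) == flags_to_mask(want)


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in", "out" or "" for either
    proto: str            # "tcp", "udp", "icmp" or "any"
    flags: Optional[str]  # e.g. "S/SA", None when absent
    keep_state: bool


def parse_rule(line: str) -> Rule:
    """Parse the subset used in the thread:
    <pass|block> [in|out] [quick] [proto <p>] all [flags a/b] [keep state]."""
    tokens = line.split()
    action, direction, proto, flags, keep_state = tokens[0], "", "any", None, False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "proto":
            i += 1
            proto = tokens[i]
        elif tok == "flags":
            i += 1
            flags = tokens[i]
        elif tok == "keep" and i + 1 < len(tokens) and tokens[i + 1] == "state":
            keep_state = True
            i += 1
        # "quick" and "all" carry nothing this model needs
        i += 1
    return Rule(action, direction, proto, flags, keep_state)


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    tcp_flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    # Assumption of the model: the flags clause is evaluated for TCP only.
    if pkt.proto == "tcp" and not flags_match(pkt.tcp_flags, rule.flags):
        return False
    return True


def creates_state(rule_text: str, pkt: Packet) -> bool:
    """True if this single rule passes the packet and would create a state entry."""
    rule = parse_rule(rule_text)
    return rule.action == "pass" and rule.keep_state and rule_matches(rule, pkt)


def state_table_after(rule_text: str, packets: List[Packet]) -> int:
    """How many of the packets would each leave a state entry behind."""
    return sum(creates_state(rule_text, p) for p in packets)


LOOSE = "pass out proto tcp all keep state"              # as in the posted ruleset
STRICT = "pass out proto tcp all flags S/SA keep state"  # the reply's replacement

# Constructed outbound packets: only the first is a genuine new connection.
CONSTRUCTED_OUTBOUND = [
    Packet("out", "tcp", SYN),        # connection setup
    Packet("out", "tcp", SYN | ACK),  # answer to an inbound SYN
    Packet("out", "tcp", ACK),        # mid-stream or stray ACK
    Packet("out", "tcp", RST),        # reset
]

if __name__ == "__main__":
    for label, rule in (("loose", LOOSE), ("strict", STRICT)):
        print(f"{label}: {state_table_after(rule, CONSTRUCTED_OUTBOUND)} state entries")
```

Run it and the loose rule creates four state entries for the four constructed packets, while the strict rule creates one, for the SYN only; a SYN carrying PSH still matches "S/SA" because P is outside the checked set, which is what the a/b form is for.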