Date:      Mon, 06 Oct 2008 15:02:38 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Jeremy Chadwick <koitsu@freebsd.org>
Cc:        Scott Bennett <bennett@cs.niu.edu>, freebsd-questions@freebsd.org
Subject:   Re: pf vs. RST attack question
Message-ID:  <87ej2uexsx.fsf@kobe.laptop>
In-Reply-To: <20081006115101.GA19442@icarus.home.lan> (Jeremy Chadwick's message of "Mon, 6 Oct 2008 04:51:01 -0700")
References:  <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <871vyuj6ul.fsf@kobe.laptop> <20081006115101.GA19442@icarus.home.lan>

On Mon, 6 Oct 2008 04:51:01 -0700, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>> I run my laptop with a `pf.conf' that (putting most of the comments and
>> other disabled rules for one-off tests aside) looks pretty much like:
>>
>>   set	 block-policy drop
>>   set	 require-order yes
>>   set	 skip on lo0
>>   scrub	 in  all
>>   block	 in  all
>>   block	 out all
>>   pass	 in  quick proto icmp all
>>   pass	 out quick proto icmp all
>>   pass	 out proto { tcp, udp } all keep state
>
> A couple things to point out here:
>
> First, ICMP rules coming first (especially with "quick") might not be
> ideal; ICMP is often considered a "last resort" protocol, meaning TCP
> and UDP packets should have priority over it.  It all depends on what
> you want, but this is often the industry norm.

That's nice.

> Second, and much more importantly, if you're on RELENG_7, "keep state"
> serves no purpose here; "flags S/SA" is implicit on TCP rules, and
> "keep state" is implicit in TCP, UDP, and ICMP rules.

8.0-CURRENT so `flags S/SA' is indeed implicit.

I updated the rules to include `flags S/SA' too.  Both this part and
`keep state' are implicit now, but I like being slightly less verbose
because I tend to forget what is `default' and what is not, at the
expense of being slightly more verbose :)

> Happy firewalling!  :-)

Thanks :)
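The laptop ruleset from the message above with the defaults Jeremy describes written out explicitly, as an added example (not a ruleset from either poster); the comments assume pf on a release where `flags S/SA` and `keep state` are already the defaults, so the keywords change nothing and only make the intent visible.

```pf
# Added example: the quoted ruleset with pf's implicit defaults spelled out.
# On RELENG_7 / 8.0-CURRENT "flags S/SA" and "keep state" are applied to
# TCP/UDP pass rules anyway; writing them out documents what is happening.
set block-policy drop      # blocked packets are dropped silently, no RST/ICMP reply
set require-order yes
set skip on lo0
scrub in all               # normalise and reassemble before state matching

block in  all
block out all

# Stateful TCP/UDP rules first; ICMP, the "last resort" protocol, comes after.
# flags S/SA: only a packet with SYN set and ACK clear may create a state
# entry, so a stray RST (or any other bare flag combination) never creates
# state and falls through to "block in all" unless it matches an existing
# state entry exactly.
pass out proto tcp all flags S/SA keep state
pass out proto udp all keep state

pass in  quick proto icmp all
pass out quick proto icmp all
```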
