Ivan Petrushev wrote:
Hmmm, yes I'm on FreeBSD 7
I tried these pass rules before - nothing gets logged.
I thought traffic is going both TO these ports and FROM these ports.
Let's take for example a simple HTTP connection. The browser
communicates to the remote server through remote port 80 and says 'GET
/index.html', then closes the connection. The HTTP server on the
remote side opens a connection to the local machine (on some port in our
local port range)... but what is the port number on his side? I think
that it is again 80.
About pass in/pass out - I think that in/out keyword can be dropped?
PF can do without that, right?

These are my current filter rules, still nothing gets logged:
##############################
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
pass log on $if proto tcp from any to $ext_ip port $tcp_services
pass log on $if proto udp from any to $ext_ip port $udp_services
#############################

HTTP doesn't work like that. The client opens a connection from an arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or whatever the published port the server listens on is). The server does NOT open a connection to you.

Your initial packet to the web server

from YOU port NNNN
to SERVER port 80

never gets through your rule set so there's never a response from the server to get logged.

You'd do much better, if this is a workstation on which you run a web browser and other clients, rather than a router/firewall, to do something like:

pass out on $if proto tcp to any port $tcp_services flags S/SA keep state

This allows the initial packet from your machine out and uses the PF state mechanism (which you really, really, really should be using for reasons of efficiency and security) to allow all further packets for that TCP connection both in and out on that interface.

Unless you're offering services on this computer to which you want other machines to establish connections, you're much better off having no, or minimal, "pass in" rules. That way people can't send you random, possibly nasty, packets which you accept simply because they used a source port of 80.

--Jon Radel
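As an added illustration of the point above (this is example configuration, not Ivan's or Jon's rules), a pf.conf for a client workstation that replaces the source-port rules with a default deny plus stateful "pass out" rules; the interface name, address macro and service lists are assumptions:

```pf
# Added example pf.conf for a FreeBSD 7 workstation; the interface name and
# service lists are assumptions, not the configuration from the thread.
ext_if = "em0"                             # assumed; stands in for $if
tcp_services = "{ 22, 25, 53, 80, 443 }"   # ports this host connects TO
udp_services = "{ 53, 123 }"
offered_tcp  = "{ 22 }"                    # only what this host actually serves

set skip on lo0
scrub in all

# Default deny: anything not matched below is dropped and logged.
block in log all
block out log all

# Drop packets whose source address cannot legitimately arrive on $ext_if.
antispoof quick for $ext_if

# WEAK (what the original rules did): pass purely on the remote port.
# Anyone can pick source port 80, so this admits arbitrary inbound packets.
#   pass log on $ext_if proto tcp from any port $tcp_services
#   pass log on $ext_if proto udp from any port $udp_services

# Client traffic: let the initial SYN out and track the connection.
# The server's SYN/ACK, data and FIN match the state entry, not a rule,
# so no "pass in ... from any port 80" is needed at all.
pass out log on $ext_if proto tcp to any port $tcp_services \
    flags S/SA keep state
pass out log on $ext_if proto udp to any port $udp_services keep state

# Inbound: only services this host really offers, also stateful.
pass in log on $ext_if proto tcp to ($ext_if) port $offered_tcp \
    flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s state` shows the entries that `keep state` creates for each outgoing connection.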
