2010/8/17 Peter N. M. Hansteen <pe...@bsdly.net>:
> Dimitar Vassilev <dimitar.vassi...@gmail.com> writes:
>
>> $tg_in on $ext_if inet proto udp from any to any port=syslog
>> $tg_in on $ext_if from any to any flags P/FSRPAUEW
>> $tg_in on $ext_if from any to any flags FPU/FSRPAUEW
>> $tg_in on $ext_if from any to any flags FPU/FPU
>> $tg_in on $ext_if from any to any flags /FSRA
>> $tg_in on $ext_if from any to any flags FS/FSRA
>> $tg_in on $ext_if from any to any flags FSPU/FSPRAU
>> $tg_in on $ext_if from any to any flags FPU/FSRPAU
>> $tg_in on $ext_if from any to any flags /FSRPAU
>> $tg_in on $ext_if from any to any flags F/FSRA
>> $tg_in on $ext_if from any to any flags U/FSRAU
>> $tg_in on $ext_if from any to any flags S/FSRPAU
>> $tg_in on $ext_if from any to any flags P/FSRPAU
>> $tg_in on $ext_if from any to any flags A/A
>> $tg_in on $ext_if from any to any flags P/P
>
> Each time I see this or something like it, I'm equally baffled.
>
> If you understand what this does and you can point to any actual
> benefit compared to a simple 'block' default at the very top of your
> rule set, please enlighten the rest of us. Explain each of these
> lines, what they do in real life network traffic, and do back it all
> up with tcpdump output (annotated if need be) and reproducible numbers
> and statistics.
>
> (otherwise, we will call it 'flags wanking', nevermind the quick gushers)
>
> - P
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>

A long time ago (circa 2002-2005) I think it was a way to keep a
relatively low profile from port scanners. Nowadays it probably
doesn't really matter, as the guys running the thing will not get to
one easily anyway, provided one keeps good network hygiene.

You're right that block all is better, and from there on feel free to
do whatever you want.
Reading the dox again for ftp-proxy on fresh head gave me a clue that
I have not taken the -T option properly:


anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

should go something like

match in quick proto tcp to port ftp tagged ftpclients rdr-to 127.0.0.1 port 8021

when -T is used.
Anyway, I removed the -T option, left only the debug and verbose ones, then set:


# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $usr_if proto tcp from $usr_if:network to any port ftp rdr-to 127.0.0.1 port 8021 synproxy state


I can still simplify by combining the rules, but it works for me.
Thanks for the attention.
Once you haven't ridden a horse for a long time, it may happen that
you get thrown a few times until you remember how it's done.

Thanks and have a great day!

Dimitar

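An added illustration, not part of the thread: a small Python decoder for the pf.conf "flags SET/CHECK" syntax, run over the flags expressions quoted above. It reads each expression out in plain words and reports which of the quoted rules a few constructed sample segments would match. The $tg_in macro is not expanded (it is unknown here); only the flag matching is shown.

```python
# Added example (not from the thread): decode pf.conf "flags SET/CHECK"
# expressions and show which of the quoted rules a given TCP segment matches.
# pf semantics: a rule matches when, looking only at the CHECK flags,
# exactly the SET flags are on; flags outside CHECK are ignored.
TCP_FLAGS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
             "A": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}
ALL_FLAGS = frozenset(TCP_FLAGS)

# The flags expressions from the rule set quoted above, in rule order.
QUOTED_RULES = ["P/FSRPAUEW", "FPU/FSRPAUEW", "FPU/FPU", "/FSRA", "FS/FSRA",
                "FSPU/FSPRAU", "FPU/FSRPAU", "/FSRPAU", "F/FSRA", "U/FSRAU",
                "S/FSRPAU", "P/FSRPAU", "A/A", "P/P"]

def parse_flags(expr):
    """Split 'SET/CHECK' into two frozensets of single-letter flags."""
    set_part, check_part = expr.split("/")
    set_flags, check = frozenset(set_part), frozenset(check_part)
    # Sanity check for this script: only known flags, and SET within CHECK.
    if not (set_flags | check) <= ALL_FLAGS or not set_flags <= check:
        raise ValueError(f"bad flags expression: {expr!r}")
    return set_flags, check

def matches(expr, segment_flags):
    """True if a segment carrying segment_flags (e.g. 'SA') matches expr."""
    set_flags, check = parse_flags(expr)
    return frozenset(segment_flags) & check == set_flags

def describe(expr):
    """Plain-language reading of one expression: set / must be clear / ignored."""
    set_flags, check = parse_flags(expr)
    names = lambda fs: ",".join(TCP_FLAGS[f] for f in "FSRPAUEW" if f in fs) or "none"
    return (f"{expr}: set={names(set_flags)} clear={names(check - set_flags)} "
            f"ignored={names(ALL_FLAGS - check)}")

def matching_rules(segment_flags, rules=QUOTED_RULES):
    """All quoted expressions that would fire on this segment, in rule order."""
    return [r for r in rules if matches(r, segment_flags)]

if __name__ == "__main__":
    for r in QUOTED_RULES:
        print(describe(r))
    # Constructed sample segments: a plain SYN, a SYN/ACK, a PSH/ACK data
    # segment, a FIN/PSH/URG segment and a segment with no flags at all.
    for seg in ("S", "SA", "PA", "FPU", ""):
        print(f"segment {seg or '(none)':>6} -> {matching_rules(seg)}")
```

Note that a bare SYN, i.e. every ordinary connection attempt, satisfies S/FSRPAU, and any segment with ACK set satisfies A/A, so what these lines do to real traffic depends entirely on what $tg_in expands to and on which rules precede them.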