2010/11/12 xSAPPYx <xsap...@gmail.com>:
> Try:
> set block-policy return
>
> You should get your proper closed messages in nmap
>
>
> On Fri, Nov 12, 2010 at 13:27, woolsherpahat <woolsherpa...@gmail.com> wrote:
>> (please see my in-line comments)
>>
>> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <kgo...@gmail.com> wrote:
>>> is it this?
>>>># redirect external ssh traffic from ?????
>>>>pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>>        rdr-to 127.0.0.1 port 22
>>> to me, that rule looks like it will accept any inbound traffic on the
>>> external interface and redirect it to 127.0.0.1:22. but I don't know what
>>> the question marks do; I've never seen them used in a pf rule before. my
>>> guess is, if pf accepts them at all, it treats them as a wildcard.
>>> -ken
>>
>> The ????? marks are just replacements for the actual port number. This
>> rule should forward outside traffic from port ????? to the SSH server
>> but I think you are probably on the right track. I really don't
>> understand the new rdr-to and match nat-to rules as well as the older
>> pre 4.6 syntax.
>>
>> However, if I comment that rule out, an nmap scan still shows a bunch
>> of open ports. If I try manually connecting to one of the ports that are
>> listed as open by nmap I get a "Could not open connection to the host,
>> on port 7800: Connect failed". Is it possible that nmap is just full
>> of crap?
>>
>>> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <woolsherpa...@gmail.com>
>>> wrote:
>>>>
>>>> Hello @misc!
>>>>
>>>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>>>> However, I get some strange results if I run a nmap scan on it from
>>>> work. I get hundreds of ports listed as open. Now it's likely that I
>>>> have mis-configured my firewall but I can't see exactly where.
>>>> Hopefully someone here on @misc can hit me with the clue stick.
>>>>
>>>> $ext_if (sis0) is my external facing interface. $int_if and $apple_if
>>>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>>>> obviously doing NAT for all my internal subnets -- NAT works, as does
>>>> the restrictions on sis1 and sis2 from being able to send traffic to
>>>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>>>> should by default block any inbound packets on any interface unless
>>>> there is a subsequent rule that matches that packet as the packet will
>>>> do whatever the last matching rule told it to. So all inbound traffic
>>>> will either A) be blocked or B) match an "exception" later on in the
>>>> ruleset right? So how come a scan from the "outside", reveals hundreds
>>>> of unfiltered ports?
>>>>
>>>> Advice would be much welcome.
>>>> Thank you!
>>>>
>>>>
>>>>
>>>> /etc/pf.conf:
>>>>
>>>> # macros
>>>> ext_if="sis0"
>>>> int_if="sis1"
>>>> apple_if="sis2"
>>>> wifi_if="ral0"
>>>>
>>>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>>>
>>>> # options
>>>> set require-order yes
>>>> set block-policy drop
>>>> set optimization normal
>>>> set skip on lo0
>>>>
>>>>
>>>>
>>>> # flag packets from all internal interfaces for NAT
>>>> match out on $ext_if inet from !($ext_if:network) to any nat-to
>>>> ($ext_if:0)
>>>>
>>>> # policy: default deny on all inbound traffic on all interfaces
>>>> block in log
>>>>
>>>> # immediately pass out traffic on external interface, modulate state to
>>>> make
>>>> # ISNs (initial sequence numbers) harder to guess
>>>> pass out quick on $ext_if proto tcp modulate state
>>>>
>>>> # policy: default allow on all outbound traffic on all interfaces
>>>> pass out
>>>>
>>>> # antispoofing for internal interfaces
>>>> antispoof quick for { $int_if $apple_if $wifi_if }
>>>>
>>>> # ingress/egress bogon filtering
>>>> block in quick log on $ext_if from <bogons>
>>>> block out quick log on $ext_if from <bogons>
>>>>
>>>> # allow internal traffic in, except from untrusted --> trusted
>>>> pass in on $int_if from $int_if:network
>>>> pass in on $apple_if from $apple_if:network to !$int_if:network
>>>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>>>
>>>> # allow ssh traffic on trusted interface
>>>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
>>>>
>>>> # redirect external ssh traffic from ?????
>>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ????? \
>>>>         rdr-to 127.0.0.1 port 22
>
>

Yep exactly...

Check this:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
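Added illustration of the two points the thread turns on: pf's last-matching-rule evaluation (with 'quick' as the exception) and what a TCP SYN scan reports depending on 'set block-policy'. This is a toy model written for this page, not pf's own code and not anything posted in the thread. It keeps only direction, interface, protocol, destination port, 'quick' and the block policy from the poster's ruleset; tables, antispoof, NAT, rdr-to, state and address matching are deliberately left out, and the external ssh port (the '?????' in the post) is assumed to be 2222 purely so the model has a number to work with.

```python
"""Toy model of pf rule evaluation and of what a TCP SYN scan sees.

Added example, not pf source and not code from the thread. It keeps only
the parts of the poster's ruleset that the question turns on: direction,
interface, protocol, destination port, 'quick', and 'set block-policy'.
Tables, antispoof, NAT, rdr-to, state tracking and address matching are
left out on purpose.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None: any interface
    proto: Optional[str] = None  # None: any protocol
    dport: Optional[int] = None  # None: any destination port
    quick: bool = False          # stop evaluation when this rule matches


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the last matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation at once. A packet that
    matches nothing passes, which is why the 'block in log' line matters."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def scanner_view(verdict: str, listening: bool, block_policy: str) -> str:
    """What nmap reports for one TCP port given pf's verdict on the SYN."""
    if verdict == "pass":
        # the stack answers: SYN/ACK if something listens, RST otherwise
        return "open" if listening else "closed"
    if block_policy == "return":
        return "closed"      # pf answers the SYN with a RST
    return "filtered"        # 'drop': silence, nmap gives up after retries


# Assumed stand-in for the '?????' port in the posted rule (not from the post).
EXT_SSH_PORT = 2222

# Subset of the posted /etc/pf.conf, in order, with macros expanded.
RULESET = [
    Rule("block", "in"),                                # block in log
    Rule("pass", "out", "sis0", "tcp", quick=True),     # pass out quick on $ext_if proto tcp
    Rule("pass", "out"),                                # pass out
    Rule("pass", "in", "sis1"),                         # pass in on $int_if from $int_if:network
    Rule("pass", "in", "sis1", "tcp", 22),              # ssh on the trusted interface
    Rule("pass", "in", "sis0", "tcp", EXT_SSH_PORT),    # redirected external ssh
]


def scan(rules: List[Rule], iface: str, ports: Iterable[int],
         listening: Set[int], block_policy: str) -> Dict[int, str]:
    """Simulate a SYN scan arriving on `iface` for each port in `ports`."""
    result = {}
    for port in ports:
        verdict = evaluate(rules, Packet("in", iface, "tcp", port))
        result[port] = scanner_view(verdict, port in listening, block_policy)
    return result


if __name__ == "__main__":
    probes = [22, EXT_SSH_PORT, 7800]
    for policy in ("drop", "return"):
        print(policy, scan(RULESET, "sis0", probes, {22, EXT_SSH_PORT}, policy))
```

Running it shows the difference the reply above is pointing at: with 'set block-policy drop' every port the 'block in log' line catches comes back as filtered, because nothing answers the SYN; with 'set block-policy return' the same ports come back as closed, because pf sends a RST. A port only reports as open when the SYN actually reaches a listener and gets a SYN/ACK back, which in this model is just the redirected external ssh port.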
