2010/11/12 xSAPPYx <xsap...@gmail.com>:
> Try:
> set block-policy return
>
> You should get your proper closed messages in nmap
>
>
> On Fri, Nov 12, 2010 at 13:27, woolsherpahat <woolsherpa...@gmail.com> wrote:
>> (please see my in-line comments)
>>
>> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <kgo...@gmail.com> wrote:
>>> is it this?
>>>> # redirect external ssh traffic from ?????
>>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>>     rdr-to 127.0.0.1 port 22
>>> to me, that rule looks like it will accept any inbound traffic on the
>>> external interface and redirect it to 127.0.0.1:22.  but I don't know what
>>> the question marks do; I've never seen them used in a pf rule before.  my
>>> guess is, if pf accepts them at all, it treats them as a wildcard.
>>> -ken
>>
>> The ????? marks are just replacements for the actual port number. This
>> rule should forward outside traffic from port ????? to the SSH server,
>> but I think you are probably on the right track. I really don't
>> understand the new rdr-to and match nat-to rules as well as the older
>> pre-4.6 syntax.
>>
>> However, if I comment that rule out, an nmap scan still shows a bunch of
>> open ports. If I try manually connecting to one of the ports that are
>> listed as open by nmap I get a "Could not open connection to the host,
>> on port 7800: Connect failed". Is it possible that nmap is just full
>> of crap?
>>
>>> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <woolsherpa...@gmail.com> wrote:
>>>>
>>>> Hello @misc!
>>>>
>>>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>>>> However, I get some strange results if I run an nmap scan on it from
>>>> work. I get hundreds of ports listed as open. Now it's likely that I
>>>> have mis-configured my firewall, but I can't see exactly where.
>>>> Hopefully someone here on @misc can hit me with the clue stick.
>>>>
>>>> $ext_if (sis0) is my external-facing interface. $int_if and $apple_if
>>>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>>>> obviously doing NAT for all my internal subnets -- NAT works, as do
>>>> the restrictions on sis1 and sis2 from being able to send traffic to
>>>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>>>> should by default block any inbound packets on any interface unless
>>>> there is a subsequent rule that matches that packet, as the packet will
>>>> do whatever the last matching rule told it to. So all inbound traffic
>>>> will either A) be blocked or B) match an "exception" later on in the
>>>> ruleset, right? So how come a scan from the "outside" reveals hundreds
>>>> of unfiltered ports?
>>>>
>>>> Advice would be much welcome.
>>>> Thank you!
>>>>
>>>>
>>>> /etc/pf.conf:
>>>>
>>>> # macros
>>>> ext_if="sis0"
>>>> int_if="sis1"
>>>> apple_if="sis2"
>>>> wifi_if="ral0"
>>>>
>>>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>>>
>>>> # options
>>>> set require-order yes
>>>> set block-policy drop
>>>> set optimization normal
>>>> set skip on lo0
>>>>
>>>> # flag packets from all internal interfaces for NAT
>>>> match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
>>>>
>>>> # policy: default deny on all inbound traffic on all interfaces
>>>> block in log
>>>>
>>>> # immediately pass out traffic on external interface, modulate state to
>>>> # make ISNs (initial sequence numbers) harder to guess
>>>> pass out quick on $ext_if proto tcp modulate state
>>>>
>>>> # policy: default allow on all outbound traffic on all interfaces
>>>> pass out
>>>>
>>>> # antispoofing for internal interfaces
>>>> antispoof quick for { $int_if $apple_if $wifi_if }
>>>>
>>>> # ingress/egress bogon filtering
>>>> block in quick log on $ext_if from <bogons>
>>>> block out quick log on $ext_if from <bogons>
>>>>
>>>> # allow internal traffic in, except from untrusted --> trusted
>>>> pass in on $int_if from $int_if:network
>>>> pass in on $apple_if from $apple_if:network to !$int_if:network
>>>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>>>
>>>> # allow ssh traffic on trusted interface
>>>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
>>>>
>>>> # redirect external ssh traffic from ?????
>>>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>>>     rdr-to 127.0.0.1 port 22
>
>

Yep exactly... Check this: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
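The drop-versus-return choice that both replies point at, written out as an added pf.conf fragment. This is not from the thread or from the OpenBSD project; it reuses the macro names and the bogon table from the posted config, and the layout of the options is an assumption about how one might structure them, not a claim about what fixes the poster's scan results:

```conf
# Added example, not part of the original thread.
# Macros and the bogon table follow the posted /etc/pf.conf.
ext_if="sis0"
int_if="sis1"
apple_if="sis2"
wifi_if="ral0"

table <bogons> persist file "/etc/bogon-bn-agg.txt"

# Weak setting (as posted): blocked packets are silently discarded.
# A SYN to a blocked port gets no reply at all, so from the outside a
# filtered port looks the same as a host that is not there.
# set block-policy drop

# Setting suggested in the thread: blocked TCP is answered with a RST,
# other protocols with an ICMP unreachable, so a scanner sees "closed".
set block-policy return
set skip on lo0

# The global policy applies to every "block" rule that does not name its
# own action, so this default deny now answers with RST/ICMP.
block in log

# Per-rule override: keep bogon sources silent regardless of the global
# policy; there is nothing useful to say to a spoofed source address.
block drop in log quick on $ext_if from <bogons>
block drop out log quick on $ext_if from <bogons>

# Explicit per-rule forms, if a rule should answer differently from the
# global policy: return-rst (TCP only) and return-icmp.
# block return-rst in log on $ext_if proto tcp
# block return-icmp in log on $ext_if proto udp

pass out
pass in on $int_if from $int_if:network
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the resulting rule actions with `pfctl -sr`. When reading a SYN scan against the box afterwards, `nmap --reason` prints which reply produced each port state: a RST is reported as closed, no reply at all as filtered, and only a SYN/ACK as open.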