On 2025/03/26 03:15, Vaughn A. Hart wrote:
> I understand anti spoof being a special case... but I think traffic blocking
> is working with
> the self keyword in my tests and what I am trying to prevent are internal
> tunnels. Sounds
> paranoid.... but I found more than a few of my passwords as compromised.
If you place "block quick log on self" right at the top of the ruleset,
what happens? I'm using pf on OpenBSD not macOS and there's a chance
they changed something, but for me that does nothing. Compare with
"block quick log" without the interface restriction.
Alternatively, what happens if you change your "block in log on self"
to some other word which I believe will be parsed in the same way,
i.e. as a non-existent interface group name, e.g. "block log on
squirrels"? I don't think it will change behaviour.
> Is there something that I'm missing? Are there firewall rules you'd use that
> I won't have?
> #default deny all in
> block in all
So the default block rule just means that the only thing the subsequent
"block in log" rules are doing is adding logging to packets matching those
rules.
> #block QUIC protocol
> block log quick proto 253 from any to any
No idea what proto 253 is (it's experimental); QUIC is on UDP,
typically on port 443.
> #pass in from Cisco Umbrella
> pass in from {208.67.220.220, 208.67.222.222, 2620:119:35::35,
> 2620:119:53::53}
This allows those hosts to make new incoming connections to ports
which are blocked by the above rules; I don't think you want that.
It's not needed for normal DNS replies, which are sent in response to
your outgoing requests and would match the firewall state created
by those outgoing requests.
> #apple file service --port 548-- pf firewall rule
> block in log proto tcp to any port { 548 }
> #ftp --ports 20 21-- pf firewall rule
> block in log proto { tcp udp } to any port { 20 21 }
> #http --port 80-- pf firewall rule
> block in log proto { tcp udp } to any port 80
> #icmp pf firewall rule
> block in log proto icmp
> #imap --port 143-- pf firewall rule
> block in log proto tcp to any port 143
> #imaps --port 993-- pf firewall rule
> block in log proto tcp to any port 993
> #pop3 --port 110-- pf firewall rule
> block in log proto tcp to any port 110
> #pop3s --port 995-- pf firewall rule
> block in log proto tcp to any port 995
...etc. Why list all these individually? Any reason not to skip
them and perhaps put "log" on your default "block in" rule?
This ruleset seems rather complicated and hard to read/reason about.
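As an added illustration (not part of the original thread, and not a ruleset either poster ran), here is a minimal pf.conf that follows the simplification suggested above: one logged default-deny inbound rule instead of a dozen per-port "block in log" rules, and no "pass in" for the resolvers, because replies to outbound DNS queries match the state created by those queries. It assumes an OpenBSD host using the `egress` interface group; the resolver addresses are the Cisco Umbrella ones quoted in the original ruleset.

```pf
# Constructed example for illustration; not from the original thread.
# Assumes OpenBSD pf with the "egress" interface group.
dns_servers = "{ 208.67.220.220, 208.67.222.222, 2620:119:35::35, 2620:119:53::53 }"

set skip on lo

# Spoof protection for the external interface (the "special case" above).
antispoof quick for egress

# One logged default deny replaces the per-service "block in log" rules:
# every unsolicited inbound packet, on any port, is dropped and logged.
block in log all

# IPv6 hosts still need neighbor discovery to reach the gateway.
pass in on egress inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }

# Outbound connections create state; replies (including answers from
# $dns_servers) match that state, so no "pass in from $dns_servers" is needed.
pass out on egress proto { tcp, udp } from (egress) to any
pass out on egress inet proto icmp from (egress) to any
pass out on egress inet6 proto icmp6 from (egress) to any

# Only the chosen resolvers may be queried; the later pass rule wins for them.
block out log on egress proto { tcp, udp } to any port 53
pass out on egress proto { tcp, udp } to $dns_servers port 53
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying, then watch `tcpdump -n -e -ttt -i pflog0` to confirm that the single logged block rule records the same inbound hits the per-port rules did. State is kept by default on pass rules in current pf, so no explicit `keep state` is required.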