Hello Timothy,

Monday, December 09, 2002, 4:17:29 PM, you wrote:

Timothy> Hi, regarding the forum posting I made to deadly.org, I made
Timothy> a cut-and-paste error with the pf.conf lines quoted in it --
Timothy> I posted the wrong lines. Sorry for that. Here is a better
Timothy> example of in and out rules for http and https traffic:

Timothy> pass in on $ext_if proto tcp from $approved_outside_net to \
Timothy>     $www_int_ip port {www,https} keep state \
Timothy>     label "ext_if_in_$srcaddr->$dstaddr_$dstport"
Timothy> pass in on $ext_if proto tcp from $www_int_ip port \
Timothy>     {www,https} to $approved_outside_net keep state label \
Timothy>     "ext_if_in_$srcaddr_$srcport->$dstaddr"
Timothy> # shouldn't need this line

Shouldn't this be "pass out"?

Timothy> ==
Timothy> # explicit deny rules
Timothy> block in quick log from $blocked_net to any label
Timothy> "blocked_net_in_$srcaddr"

It's better to add the known non-routable addresses here:

NoRouteIPs="{ (rl1)/32, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"

I also usually add a rule against well-known scanning codes:

# Drop some port scannings
block in quick on $ext_if inet proto tcp from any to any \
    flags FUP/FUP label "anti_scanning"

You may also want to block inet6 entirely. But that's only if you have it configured. I always do that, just in case someone discovers an attack there. Tell me if I'm too paranoid or simply stupid.

block in quick on $ext_if inet6 all

BTW,

block in quick on $ext_if ! inet all

doesn't seem to work on my release.

Timothy> # local interface rules
Timothy> pass in inet from lo0 to lo0 label "lo0_if_in"
Timothy> pass out inet from lo0 to lo0 label "lo0_if_out"

It's customary to put this as "quick" at the very top, so as not to interfere with any local traffic.

Some MTAs also use ICMP Type 3 for MTU discovery. This is explained in http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-4.html.
But I think Daniel thinks differently about the necessity of having DF set. At least that provoked some problems with the Linux NFS, IIRC.

pass in quick on $ExtIF inet proto icmp from any to $ExtIP \
    icmp-type $ICMPServices
block in quick on $ExtIF inet proto icmp from any to any

Timothy> # external interface rules
Timothy> pass in on $ext_if proto tcp from $approved_outside_net to \
Timothy>     $www_int_ip port {www,https} keep state label \
Timothy>     "ext_if_in_$srcaddr->$dstaddr_$dstport"

I usually also add "flags S/SAFPRU". This improves the security of TCP connections. Never use S alone because that implies S/SAFRUPEW. So since we don't want to screw up ECN signals (I hope :-) you have to be explicit about that. "flags S/SA" should suffice, though. You may need to customize the timing settings. But that has already been covered.

I also add "modulate state" if that connection is going to an NT box. Note that this implies keep state, so you don't have to put it. The xBSD and IOS are safe, Linux 2.2 is "safe enough", 2.4 should be too. Please read:

http://razor.bindview.com/publish/papers/tcpseq.html
http://lcamtuf.coredump.cx/newtcp/

You should also read:

http://www.insecure.org/nmap/idlescan.html

on why this is so important.

--
Best regards,
Alejandro Belluscio
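The following ruleset is an added example that pulls the individual suggestions in the thread above (loopback passed quick at the top, bogon and scan-signature blocks, inet6 dropped, ICMP limited to listed types, "flags S/SA" and "modulate state" on the web rule) into one pf.conf in the order pf evaluates it. It is not code from either poster; the interface name, the address macros and the ICMP type list are assumptions chosen for illustration, and an rdr rule translating the public address to $www_int_ip is assumed to exist but is not shown.

```pf
# Added example, not from the original thread. All concrete values below
# are assumptions for illustration.
ext_if="rl1"                              # assumed external interface
www_int_ip="192.168.1.10"                 # assumed web server (reached via rdr, not shown)
approved_outside_net="203.0.113.0/24"     # assumed network allowed to reach the web server
blocked_net="198.51.100.0/24"             # assumed network to deny explicitly

# Non-routable and otherwise bogus source ranges (from the reply), plus the
# firewall's own external address as a source.
NoRouteIPs="{ ($ext_if)/32, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"

# ICMP types we still want: echo request, and type 3 (unreach) so that
# path-MTU discovery keeps working. Assumed list.
ICMPServices="{ echoreq, unreach }"

# 1. Loopback first and quick, so nothing further down touches local traffic.
pass in  quick on lo0 all
pass out quick on lo0 all

# 2. Explicit denies, all quick: bogons, the blocked network, the FIN+URG+PSH
#    scan signature, and IPv6 if it is not in use.
block in quick log on $ext_if from $NoRouteIPs to any label "bogon_in_$srcaddr"
block in quick log from $blocked_net to any label "blocked_net_in_$srcaddr"
block in quick on $ext_if inet proto tcp from any to any \
    flags FUP/FUP label "anti_scanning"
block in quick on $ext_if inet6 all

# 3. ICMP: only the listed types reach the firewall; everything else is dropped.
pass in quick on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type $ICMPServices keep state
block in quick on $ext_if inet proto icmp from any to any

# 4. Default deny. Without "quick", the last matching rule wins, so the
#    specific "pass" rules below override this for the traffic they name.
block in  log on $ext_if all
block out log on $ext_if all

# 5. Web service. "flags S/SA" means only a plain SYN (no ACK) may create
#    state; "modulate state" implies keep state and rewrites the server's
#    initial sequence numbers, for a host with a weak ISN generator.
pass in on $ext_if proto tcp from $approved_outside_net to $www_int_ip \
    port { www, https } flags S/SA modulate state \
    label "ext_if_in_$srcaddr->$dstaddr_$dstport"

# Replies to the connections above match the state entry, so no separate
# rule for the return path is needed. Connections the web server itself
# opens towards the outside leave through a "pass out" rule with state:
pass out on $ext_if proto tcp from $www_int_ip to any \
    flags S/SA keep state \
    label "ext_if_out_$srcaddr->$dstaddr_$dstport"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (`-n` parses without installing), load it with `pfctl -f /etc/pf.conf`, and confirm the expanded rule order with `pfctl -sr`. Since each rule carries a label, `pfctl -sl` shows per-label packet and byte counters, which is the quickest way to see whether the bogon and anti-scanning blocks are actually being hit.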