On Sunday 27 July 2003 05:41 am, Daniel Hartmeier wrote:
> On Sat, Jul 26, 2003 at 08:29:35PM -0700, Bryan Irvine wrote:
> > Is there a way to get pf to never use specific ports? For example a
> > client on my LAN might send a request for a certain webpage which gets
> > sent to the gateway from a certain port we'll say, 43101. The request
> > hits the gateway and then gets changed to another source port like
> > 12754. The problem is that 12754 will trigger a false positive in snort
> > that someone is scanning for a ddos mstream client handler. How (if
> > possible) can you create a list of ports that will never be used by pf?
>
> The default proxy port range used by pf is 50001-65535, so it won't use
> 12754.
>
> You can change the proxy port range like this
>
> nat on $extif from 10.0.0.0/8 to any -> $extif port 20000:30000
>
> which would cause pf to use proxy ports 20000-30000 for connections
> matching this rule.
>
> Why are you running snort on the external interface, and not the
> internal one? It's an intrusion detection system, and packets that don't
> pass your firewall don't constitute an intrusion...
>
> Daniel
I am no expert but wouldn't it be nice to know if someone is running a scan or some sort of flood attack? If one starts to have limited bandwidth available all of a sudden, the NIDS might help uncover the reason why if it is a flood.

-- 
PGP public key http://www.krytosvirus.com/public.asc
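An added example, not from the thread, of the pf.conf fragment the nat rule quoted above belongs in. The interface names fxp0/fxp1 are assumed; the 10.0.0.0/8 LAN and the 20000:30000 range come from Daniel's rule. The default (implicit 50001-65535) form is shown commented out beside the constrained one:

```conf
# Assumed interface names; adjust to the gateway in question.
extif = "fxp0"
intif = "fxp1"
lan   = "10.0.0.0/8"

# Default behaviour: with no port range given, pf draws proxy source
# ports for translated connections from 50001-65535.
# nat on $extif from $lan to any -> $extif

# Constrained range: translated connections get source ports 20000-30000,
# so a port such as 12754 that matches an IDS signature is never chosen.
nat on $extif from $lan to any -> $extif port 20000:30000

# Minimal filter rules around it: default deny, let the LAN out statefully.
block all
pass in on $intif from $lan to any keep state
pass out on $extif from any to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to confirm the port range syntax before the rules go live.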