2010/11/12 xSAPPYx :
> Try:
> set block-policy return
>
> You should get your proper closed messages in nmap
>
>
> On Fri, Nov 12, 2010 at 13:27, woolsherpahat wrote:
>> (please see my in-line comments)
>>
>> On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober wrote:
>>> is it this?
# redirect external ssh traffic from ?
pass in log on $ext_if inet proto tcp to ($ext_if) port ?\
    rdr-to 127.0.0.1 port 22
>>> to me, that rule looks like it will accept any inbound traffic on the
>>> external interface and redirect it to 127.0.0.1:22.  but I don't know what
>>> the question marks do; I've never seen them used in a pf rule before.  my
>>> guess is, if pf accepts them at all, it treats them as a wildcard.
>>> -ken
>>
>> The ? marks are just replacements for the actual port number. This
>> rule should forward outside traffic from port ? to the SSH server
>> but I think you are probably on the right track. I really don't
>> understand the new rdr-to and match nat-to rules as well as the older
>> pre 4.6 syntax.
>>
>> However, if I comment that rule out, an nmap still shows a bunch open
>> ports. If I try manually connecting to one of the ports that are
>> listed as open by nmap I get a "Could not open connection to the host,
>> on port 7800: Connect failed". Is it possible that nmap is just full
>> of crap?
>>
>>> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat wrote:
Hello @misc!
I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
However, I get some strange results if I run a nmap scan on it from
work. I get hundreds of ports listed as open. Now it's likely that I
have mis-configured my firewall but I can't see exactly where.
Hopefully someone here on @misc can hit me with the clue stick.
$ext_if (sis0) is my external facing interface. $int_if and $apple_if
(sis1 and sis2, respectively) are my internal subnets. The Soekris is
obviously doing NAT for all my internal subnets -- NAT works, as do
the restrictions on sis1 and sis2 from being able to send traffic to
sis0's subnet. Now unless I am terribly mistaken the 'block in log'
should by default block any inbound packets on any interface unless
there is a subsequent rule that matches that packet as the packet will
do whatever the last matching rule told it to. So all inbound traffic
will either A) be blocked or B) match an "exception" later on in the
ruleset right? So how come a scan from the "outside" reveals hundreds
of unfiltered ports?
Advice would be much welcome.
Thank you!
/etc/pf.conf:
# macros
ext_if="sis0"
int_if="sis1"
apple_if="sis2"
wifi_if="ral0"
table persist file "/etc/bogon-bn-agg.txt"
# options
set require-order yes
set block-policy drop
set optimization normal
set skip on lo0
# flag packets from all internal interfaces for NAT
match out on $ext_if inet from !($ext_if:network) to any nat-to
($ext_if:0)
# policy: default deny on all inbound traffic on all interfaces
block in log
# immediately pass out traffic on external interface, modulate state to make
# ISNs (initial sequence numbers) harder to guess
pass out quick on $ext_if proto tcp modulate state
# policy: default allow on all outbound traffic on all interfaces
pass out
# antispoofing for internal interfaces
antispoof quick for { $int_if $apple_if $wifi_if }
# ingress/egress bogon filtering
block in quick log on $ext_if from
block out quick log on $ext_if from
# allow internal traffic in, except from untrusted --> trusted
pass in on $int_if from $int_if:network
pass in on $apple_if from $apple_if:network to !$int_if:network
pass in on $wifi_if from $wifi_if:network to !$int_if:network
# allow ssh traffic on trusted interface
pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
# redirect external ssh traffic from ?
pass in log on $ext_if inet proto tcp to ($ext_if) port ?\
    rdr-to 127.0.0.1 port 22
>
>
Yep exactly...
Check this:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
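Added example (not from this thread, and not woolsherpahat's or xSAPPYx's code): the thread's two checks written out as a small script. It parses nmap's grepable (-oG) output, tallies the port states (folding in the "Ignored State" count nmap hides), states what a SYN scan reports for a port a pf block rule hit under each block-policy (drop gives no reply, so "filtered"; return gives a TCP RST, so "closed"; a block rule never sends SYN/ACK, so it cannot produce "open"), and then repeats the manual test from the thread, a full TCP connect to every port nmap called open, listing the ones that fail. The scan output, the host 203.0.113.10 (a documentation address) and the port states are all constructed for the example; the connect function is injectable so the script runs offline.

```python
import re
import socket
import sys
from collections import Counter

# Constructed sample of nmap grepable (-oG) output; the host is a documentation
# address and the port states were chosen by hand to exercise every case below.
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Fri Nov 12 15:30:02 2010 as: nmap -sS -p 1-1024 -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 443/filtered/tcp//https///, 7800/open/tcp/////\tIgnored State: filtered (1019)
# Nmap done at Fri Nov 12 15:31:40 2010 -- 1 IP address (1 host up) scanned in 98.12 seconds
"""

# One -oG port entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def expected_blocked_state(block_policy):
    """Scan state a SYN scan reports for a TCP port that a pf block rule hit.

    drop   -> pf sends nothing back -> nmap shows "filtered"
    return -> pf sends a TCP RST    -> nmap shows "closed"
    Neither policy sends SYN/ACK, so a block rule cannot make a port "open".
    """
    return {"drop": "filtered", "return": "closed"}[block_policy]


def parse_gnmap(text):
    """Parse -oG output into {host: {"ports": [(port, state, proto, service)],
    "ignored": (state, count) or None}}."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        entry = results.setdefault(host, {"ports": [], "ignored": None})
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            entry["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        m = re.match(r"(\w+) \((\d+)\)", fields.get("Ignored State", ""))
        if m:
            entry["ignored"] = (m.group(1), int(m.group(2)))
    return results


def state_summary(entry):
    """Count ports per state, including the ones nmap folded into 'Ignored State'."""
    counts = Counter(state for _, state, _, _ in entry["ports"])
    if entry["ignored"]:
        counts[entry["ignored"][0]] += entry["ignored"][1]
    return counts


def tcp_connect(host, port, timeout=3.0):
    """Full three-way handshake from this machine; True if it completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def disputed_open_ports(host, entry, connect=tcp_connect):
    """Ports nmap reported open whose full connect fails: the scanner saw a SYN/ACK,
    but no session can be set up, so the result needs a second look (for instance a
    re-scan from another network). `connect` is injectable for offline testing."""
    return [port for port, state, proto, _ in entry["ports"]
            if proto == "tcp" and state == "open" and not connect(host, port)]


if __name__ == "__main__":
    # Usage: python nmap_check.py [scan.gnmap]
    # Without an argument it runs on the built-in sample with a fake connector.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            scans, connect = parse_gnmap(fh.read()), tcp_connect
    else:
        scans, connect = parse_gnmap(SAMPLE_GNMAP), (lambda h, p: p in (22, 80))
    for host, entry in scans.items():
        print(host, dict(state_summary(entry)))
        for policy in ("drop", "return"):
            print("  with block-policy %s, blocked ports show as %s"
                  % (policy, expected_blocked_state(policy)))
        print("  open per nmap but connect fails:", disputed_open_ports(host, entry, connect))
```

Run against a real scan with `nmap -sS -oG scan.gnmap <host>` followed by `python nmap_check.py scan.gnmap` from the same vantage point as the scan; a long list of disputed ports is the signal to repeat the scan from a different network before touching the ruleset.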