Why this rule doesn't score a match?

Jon Radel jon at radel.com
Wed Jul 23 20:04:25 UTC 2008


Ivan Petrushev wrote:
> Hmmm, yes I'm on FreeBSD 7
> I tried these pass rules before - nothing gets logged.
> I thought traffic is going both TO these ports and FROM these ports.
> Let's take for example a simple HTTP connection. The browser
> communicates to the remote server through remote port 80 and says 'GET
> /index.html', then closes the connection. The HTTP server on the
> remote side opens a connection to the local machine (on some of our
> local port range)... but what is the port number on his side? I think
> that it is again 80.
> About pass in/pass out - I think that in/out keyword can be dropped?
> PF can do without that, right?
> 
> These are my current filter rules, still nothing gets logged:
> ##############################
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> pass log on $if proto tcp from any to $ext_ip port $tcp_services
> pass log on $if proto udp from any to $ext_ip port $udp_services
> #############################

HTTP doesn't work like that.  The client opens a connection from an 
arbitrary port (generally high and pseudo-random) to port 80 (or 8080, 
or whatever the published port the server listens on is).  The server 
does NOT open a connection to you.

Your initial packet to the web server

from YOU port NNNN
to SERVER port 80

never gets through your rule set so there's never a response from the 
server to get logged.

You'd do much better, if this is a workstation on which you run a 
web browser and other clients, rather than a router/firewall, to do 
something like:

pass out on $if proto tcp to any port $tcp_services flags S/SA keep state

This allows the initial packet from your machine out and uses the PF 
state mechanism (which you really, really, really should be using for 
reasons of efficiency and security) to allow all further packets for 
that TCP connection both in and out on that interface.

Unless you're offering services on this computer to which you want other 
machines to establish connections, you're much better off having no, or 
minimal, "pass in" rules.  That way people can't send you random, 
possibly nasty, packets which you accept simply because they used a 
source port of 80.

--Jon Radel
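For readers following the thread, here is a complete pf.conf that puts the two approaches side by side: the stateless source-port rules from the quoted message (kept commented out, because they accept any packet whose sender merely chose source port 80) and the stateful "pass out ... keep state" form Jon recommends, plus a minimal "pass in" only for a service the host actually offers. This is an added example, not a file from the original thread; the interface name, address, port lists and the assumption that the host runs SSH are all made up for illustration.

```pf
# Hypothetical pf.conf for a workstation (macro values are assumed, not from the thread)
ext_if       = "em0"
ext_ip       = "192.0.2.10"
tcp_services = "{ 22, 80, 443 }"
udp_services = "{ 53, 123 }"

set skip on lo0

# --- Weak form (what the quoted rules do) ---
# Stateless and keyed on the SOURCE port: anything arriving with
# "from port 80" is accepted, whether or not this host asked for it.
# Left commented out so only the hardened rules below are loaded.
# pass log on $ext_if proto tcp from any port $tcp_services
# pass log on $ext_if proto udp from any port $udp_services
# pass log on $ext_if proto tcp from any to $ext_ip port $tcp_services
# pass log on $ext_if proto udp from any to $ext_ip port $udp_services

# --- Hardened form: default deny, stateful outbound, minimal inbound ---
block log all

# Client connections leaving this host. Only the initial SYN has to match
# this rule; the state entry it creates then carries every later packet of
# that connection, in both directions, without any "pass in" rule.
pass out log on $ext_if proto tcp to any port $tcp_services flags S/SA keep state
pass out log on $ext_if proto udp to any port $udp_services keep state

# Inbound rules only for services this host really offers (assumed: SSH).
# Unsolicited packets with a "friendly" source port no longer get through.
pass in log on $ext_if proto tcp to $ext_ip port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the logged packets with `tcpdump -n -e -ttt -i pflog0`. Note that `log` on a stateful rule records only the packet that created the state (the outgoing SYN here); use `log (all)` if every packet carried by the state should appear on pflog0.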