brindging ath0 with re0 working, kinda, almost

Ian Smith smithi at nimnet.asn.au
Sat Apr 26 04:40:11 UTC 2008


On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold <freebsd at violetlan.net> wrote:

 > # block some known-bad ports without logging
 > #
 > block return-rst  in quick on $ext_if1 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if1 proto udp from any to any port {
 > 137, 138, 139, 1434 }
 > block return-rst  in quick on $ext_if2 proto tcp from any to any port {
 > 111, 445, 1080, 6000, 6667 }
 > block return-icmp in quick on $ext_if2 proto udp from any to any port {
 > 137, 138, 139, 1434 }

Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn) 
is done on TCP, not UDP.  My current same-intent sections for ipfw are: 

    # first take out the vast bulk of inbound TCP bogons / scan noise:
    crap="135,139,445,1433,2967,2968,4899,5900"
    crap="${crap},1080,8000,8080,3128"
    ${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
    ${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
[..]
    # first cut out most of the heavy duty UDP noise (incl broken insiders)
    junk="137,138,1433,1434"
    junk="${junk},3544"		# XP home calls home?  MS ipV6 'Toredo'
    ${fwadd} deny log $afew udp from any to any $junk via ${ext_if}

Some of the handbook firewall examples are mistaken about port 139 too.

cheers, Ian



More information about the freebsd-questions mailing list