bridging ath0 with re0 working, kinda, almost
Ian Smith
smithi at nimnet.asn.au
Sat Apr 26 04:40:11 UTC 2008
On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold <freebsd at violetlan.net> wrote:
> # block some known-bad ports without logging
> #
> block return-rst in quick on $ext_if1 proto tcp from any to any port {
> 111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if1 proto udp from any to any port {
> 137, 138, 139, 1434 }
> block return-rst in quick on $ext_if2 proto tcp from any to any port {
> 111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if2 proto udp from any to any port {
> 137, 138, 139, 1434 }
Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn)
is done on TCP, not UDP. My current same-intent sections for ipfw are:
# first take out the vast bulk of inbound TCP bogons / scan noise:
crap="135,139,445,1433,2967,2968,4899,5900"
crap="${crap},1080,8000,8080,3128"
${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
[..]
# first cut out most of the heavy duty UDP noise (incl broken insiders)
junk="137,138,1433,1434"
junk="${junk},3544" # XP home calls home? MS ipV6 'Teredo'
${fwadd} deny log $afew udp from any to any $junk via ${ext_if}
Some of the handbook firewall examples are mistaken about port 139 too.
cheers, Ian
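The mismatch Ian points out (port 139 is the TCP NetBIOS session service, so a UDP rule for it blocks nothing useful) is easy to make and easy to miss by eye. Below is an added example, not from the original post or from either poster, of a small checker that parses pf-style `block ... proto ... port { ... }` rules, joins lists wrapped across lines the way Reinhold's were, and flags any port listed under a transport it is not known to use. The port/protocol table is a constructed subset of /etc/services covering only the ports in the quoted rules, and `SAMPLE_RULES` is the quoted pf fragment embedded as test input; both are assumptions for the example.

```python
import re

# Constructed reference table (subset of /etc/services): well-known port ->
# the transport protocol(s) the service actually listens on. Extend for your site.
KNOWN_PORTS = {
    111:  {"tcp", "udp"},  # sunrpc / portmapper
    137:  {"udp"},         # netbios-ns
    138:  {"udp"},         # netbios-dgm
    139:  {"tcp"},         # netbios-ssn (session service is TCP only)
    445:  {"tcp"},         # microsoft-ds
    1080: {"tcp"},         # socks
    1433: {"tcp"},         # ms-sql-s
    1434: {"udp"},         # ms-sql-m
    6000: {"tcp"},         # X11
    6667: {"tcp"},         # irc
}

# Constructed input: the pf rules quoted in the thread, including the line wraps.
SAMPLE_RULES = """\
# block some known-bad ports without logging
#
block return-rst in quick on $ext_if1 proto tcp from any to any port {
111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port {
137, 138, 139, 1434 }
block return-rst in quick on $ext_if2 proto tcp from any to any port {
111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port {
137, 138, 139, 1434 }
"""

# Matches the subset of pf syntax used above: action, interface, proto, port list.
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\b.*?\bon\s+(?P<iface>\S+)\s+proto\s+(?P<proto>tcp|udp)\b"
    r".*?\bport\s*\{(?P<ports>[^}]*)\}"
)


def join_continuations(text):
    """Join rules whose '{ ... }' port list was wrapped across lines (pf.conf allows this)."""
    joined, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            joined.append(" ".join(buf))
            buf, depth = [], 0
    if buf:  # unterminated list at EOF: emit what we have rather than drop it
        joined.append(" ".join(buf))
    return joined


def parse_rules(text):
    """Return one dict per block/pass rule with an explicit proto and port list."""
    rules = []
    for line in join_continuations(text):
        if line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # rule form not covered by this checker; ignore
        ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
        rules.append({"iface": m.group("iface"), "proto": m.group("proto"),
                      "ports": ports, "text": line})
    return rules


def find_proto_mismatches(text):
    """List (iface, proto, port, expected_protos) for ports filtered on the wrong transport."""
    findings = []
    for rule in parse_rules(text):
        for port in rule["ports"]:
            expected = KNOWN_PORTS.get(port)
            if expected and rule["proto"] not in expected:
                findings.append((rule["iface"], rule["proto"], port, "/".join(sorted(expected))))
    return findings


if __name__ == "__main__":
    for iface, proto, port, expected in find_proto_mismatches(SAMPLE_RULES):
        print(f"{iface}: port {port} listed under {proto}, but the service is {expected}")
```

Running it on the quoted rules reports port 139 under `udp` on both `$ext_if1` and `$ext_if2`; the same table-driven check can be pointed at an ipfw port list by splitting on commas, since only the parsing front end is pf-specific.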