pf vs. RST attack question
Giorgos Keramidas
keramida at ceid.upatras.gr
Mon Oct 6 12:03:37 UTC 2008
On Mon, 6 Oct 2008 04:51:01 -0700, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>> I run my laptop with a `pf.conf' that (putting most of the comments and
>> other disabled rules for one-off tests aside) looks pretty much like:
>>
>> set block-policy drop
>> set require-order yes
>> set skip on lo0
>> scrub in all
>> block in all
>> block out all
>> pass in quick proto icmp all
>> pass out quick proto icmp all
>> pass out proto { tcp, udp } all keep state
>
> A couple things to point out here:
>
> First, ICMP rules coming first (especially with "quick") might not be
> ideal; ICMP is often considered a "last resort" protocol, meaning TCP
> and UDP packets should have priority over it. It all depends on what
> you want, but this is often the industry norm.
That's nice.
> Second, and much more importantly, if you're on RELENG_7, "keep state"
> serves no purpose here; "flags S/SA" is implicit on TCP rules, and
> "keep state" is implicit in TCP, UDP, and ICMP rules.
8.0-CURRENT so `flags S/SA' is indeed implicit.
I updated the rules to include `flags S/SA' too. Both this part and
`keep state' are implicit now, but I like being slightly less verbose
because I tend to forget what is `default' and what is not, at the
expense of being slightly more verbose :)
> Happy firewalling! :-)
Thanks :)
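The laptop rule set with the two changes discussed in the thread written out, as an added example rather than a file from either post: TCP/UDP rules ahead of the ICMP rules as Jeremy suggests, and `flags S/SA` spelled out on the TCP rule. The exact ordering and the split into separate tcp/udp rules are my assumptions; everything else comes from the quoted `pf.conf`.

```pf
# Added example, not a config from the original thread.
set block-policy drop      # drop silently instead of answering with RST/ICMP
set require-order yes
set skip on lo0
scrub in all

block in all
block out all

# TCP: only a packet with SYN set and ACK clear (S/SA) may create a state
# entry, so a stray RST with no matching state falls through to the block
# rules above instead of being treated as a new connection. On RELENG_7
# and 8.0-CURRENT both "flags S/SA" and "keep state" are the defaults;
# they are written out here so the intent is visible in the file.
# "flags" is only accepted on a tcp rule, hence the separate udp rule.
pass out proto tcp all flags S/SA keep state
pass out proto udp all keep state

# ICMP after the TCP/UDP rules; without "quick", last matching rule wins,
# and only these two rules match ICMP anyway.
pass in proto icmp all keep state
pass out proto icmp all keep state
```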