pf vs. RST attack question

Giorgos Keramidas keramida at
Mon Oct 6 12:03:37 UTC 2008

On Mon, 6 Oct 2008 04:51:01 -0700, Jeremy Chadwick <koitsu at> wrote:
>> I run my laptop with a `pf.conf' that (putting most of the comments and
>> other disabled rules for one-off tests aside) looks pretty much like:
>>   set	 block-policy drop
>>   set	 require-order yes
>>   set	 skip on lo0
>>   scrub	 in  all
>>   block	 in  all
>>   block	 out all
>>   pass	 in  quick proto icmp all
>>   pass	 out quick proto icmp all
>>   pass	 out proto { tcp, udp } all keep state
> A couple things to point out here:
> First, ICMP rules coming first (especially with "quick") might not be
> ideal; ICMP is often considered a "last resort" protocol, meaning TCP
> and UDP packets should have priority over it.  It all depends on what
> you want, but this is often the industry norm.

That's nice.

> Second, and much more importantly, if you're on RELENG_7, "keep state"
> serves no purpose here; "flags S/SA" is implicit on TCP rules, and
> "keep state" is implicit in TCP, UDP, and ICMP rules.

8.0-CURRENT so `flags S/SA' is indeed implicit.

I updated the rules to include `flags S/SA' too.  Both this part and
`keep state' are implicit now, but I like being slightly less verbose
because I tend to forget what is `default' and what is not, at the
expense of being slightly more verbose :)

> Happy firewalling!  :-)

Thanks :)

More information about the freebsd-questions mailing list