Source of closed port RST responses

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Dec 21 11:10:29 UTC 2009


DAve wrote:

> I will be installing pf this week, I just need to write up my rule sets
> for these servers. I had been working on the webservers first. Is there
> a rule I can use to log connection attempts to closed ports?

pf doesn't really know anything about whether there is a listener at a particular
port or not.  However, you can log suspicious traffic using a 'capture everything'
rule, which should log and then block or drop all traffic that matches it.  You then
override that with more specific rules to allow the traffic to the services you want
to publish on the net. [pf is a 'last matching rule wins' type firewall, so you write
the rules in order from most generic to most specific.] Something like this:

ext_if="em0"   # alter to match your hardware

set skip on lo0
set loginterface $ext_if
set state-policy if-bound

scrub in

block log all

pass in on $ext_if proto tcp from any to $ext_if port http flags S/SA keep state

[...]

(You'll need more pass rules than that -- especially to allow your host to do
things like query the DNS, allow SSH in and out, connect to remote web/ftp sites,
etc.)

Remember to run pflogd to have the logged packets saved to disk.  Be aware that the
log output in /var/log/pflog is actually in pcap format, so you'll need to use
tcpdump -r /var/log/pflog to turn it into something human readable. /var/log/pflog
can get recycled fairly rapidly depending on network conditions.  Or you can just
run tcpdump -i pflog0 to get a live view of rejected packets.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
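As an added example that is not part of Matthew's mail: a Python script that reads the output of `tcpdump -n -e -ttt -r /var/log/pflog` described above and tallies blocked inbound connection attempts (bare SYNs) per destination port and per source address, which is the closest pf gets to "attempts on closed ports" under a `block log all` policy. The sample lines and the exact line shape are constructed assumptions, so check the regex against your own tcpdump output.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`
# on FreeBSD (assumed format: "rule N/M(match): ACTION DIR on IF: SRC.SPORT > DST.DPORT: Flags [..]").
# Addresses are documentation ranges, not real hosts.
SAMPLE_PFLOG = """\
000000 rule 0/0(match): block in on em0: 192.0.2.10.51234 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
000150 rule 0/0(match): block in on em0: 192.0.2.10.51235 > 198.51.100.5.3389: Flags [S], seq 1, win 65535, length 0
000210 rule 2/0(match): pass in on em0: 203.0.113.7.40000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
000300 rule 0/0(match): block in on em0: 192.0.2.44.60001 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
000420 rule 0/0(match): block in on em0: 192.0.2.10.51236 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
000500 rule 0/0(match): block in on em0: 192.0.2.10.51237 > 198.51.100.5.23: Flags [R], seq 0, win 0, length 0
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifn>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog_lines(text):
    """Yield one dict per tcpdump line that matches the assumed pflog shape; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def blocked_syn_summary(text):
    """Count blocked inbound TCP connection attempts per destination port and per source.
    Only bare SYNs count (flags exactly "S"); SYN-ACK ("S.") and RST lines are ignored."""
    by_port, by_src = Counter(), Counter()
    for rec in parse_pflog_lines(text):
        if rec["action"] != "block" or rec["dir"] != "in" or rec["flags"] != "S":
            continue
        by_port[rec["dport"]] += 1
        by_src[rec["src"]] += 1
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = blocked_syn_summary(SAMPLE_PFLOG)
    print("blocked inbound SYNs by port:", ports.most_common())
    print("blocked inbound SYNs by source:", sources.most_common())
```

To run it against a real log, replace SAMPLE_PFLOG with the text of `tcpdump -n -e -ttt -r /var/log/pflog`, or feed `tcpdump -n -e -ttt -i pflog0 -l` through a pipe for a live view.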
