pf vs. RST attack question

Jeremy Chadwick koitsu at FreeBSD.org
Mon Oct 6 11:51:03 UTC 2008 

On Mon, Oct 06, 2008 at 02:33:38PM +0300, Giorgos Keramidas wrote:
> On Mon, 6 Oct 2008 00:26:11 -0700, Jeremy Chadwick <koitsu at freebsd.org> wrote:
> > On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
> >> block drop all
> >>
> >> looks fairly magical to me.  Stick that at the top of your ruleset as
> >> your default policy, add more specific rules beneath it to allow the
> >> traffic you do want to pass, and Robert is your Mother's Brother.  No
> >> more floods of RST packets.
> >
> > This is incredibly draconian.  :-)  I was trying my best to remain
> > realistic.
> 
> Yes this is a bit draconian, but it is also pretty ``realistic'', as in
> ``it works fine if all you need is a very basic, but strict firewall''.
> 
> I run my laptop with a `pf.conf' that (putting most of the comments and
> other disabled rules for one-off tests aside) looks pretty much like:
> 
>   set	 block-policy drop
>   set	 require-order yes
>   set	 skip on lo0
>   scrub	 in  all
>   block	 in  all
>   block	 out all
>   pass	 in  quick proto icmp all
>   pass	 out quick proto icmp all
>   pass	 out proto { tcp, udp } all keep state

A couple things to point out here:

First, ICMP rules coming first (especially with "quick") might not be
ideal; ICMP is often considered a "last resort" protocol, meaning TCP
and UDP packets should have priority over it.  It all depends on what
you want, but this is often the industry norm.

Second, and much more importantly, if you're on RELENG_7, "keep state"
serves no purpose here; "flags S/SA" is implicit on TCP rules, and "keep
state" is implicit in TCP, UDP, and ICMP rules.

If you're using RELENG_6, then your above rules have a serious problem:
you're tracking state for all outbound packets regardless of flags, and
not just initial setup (SYN).  This is Very Bad(tm).  In that case, you
should use these rules instead:

  pass out proto tcp all flags S/SA keep state
  pass out proto udp all keep state
  pass out proto icmp all keep state

I've never gotten a definite answer as to what happens if you use "flags
S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
That's why I split them up per protocol on RELENG_6 boxes.

Happy firewalling!  :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-questions mailing list