pf vs. RST attack question
Jeremy Chadwick
koitsu at FreeBSD.org
Mon Oct 6 11:51:03 UTC 2008
On Mon, Oct 06, 2008 at 02:33:38PM +0300, Giorgos Keramidas wrote:
> On Mon, 6 Oct 2008 00:26:11 -0700, Jeremy Chadwick <koitsu at freebsd.org> wrote:
> > On Mon, Oct 06, 2008 at 08:19:09AM +0100, Matthew Seaman wrote:
> >> block drop all
> >>
> >> looks fairly magical to me. Stick that at the top of your ruleset as
> >> your default policy, add more specific rules beneath it to allow the
> >> traffic you do want to pass, and Robert is your Mother's Brother. No
> >> more floods of RST packets.
> >
> > This is incredibly draconian. :-) I was trying my best to remain
> > realistic.
>
> Yes this is a bit draconian, but it is also pretty ``realistic'', as in
> ``it works fine if all you need is a very basic, but strict firewall''.
>
> I run my laptop with a `pf.conf' that (putting most of the comments and
> other disabled rules for one-off tests aside) looks pretty much like:
>
> set block-policy drop
> set require-order yes
> set skip on lo0
> scrub in all
> block in all
> block out all
> pass in quick proto icmp all
> pass out quick proto icmp all
> pass out proto { tcp, udp } all keep state
A couple things to point out here:
First, ICMP rules coming first (especially with "quick") might not be
ideal; ICMP is often considered a "last resort" protocol, meaning TCP
and UDP packets should have priority over it. It all depends on what
you want, but this is often the industry norm.
Second, and much more importantly, if you're on RELENG_7, "keep state"
serves no purpose here; "flags S/SA" is implicit on TCP rules, and "keep
state" is implicit in TCP, UDP, and ICMP rules.
If you're using RELENG_6, then your above rules have a serious problem:
you're tracking state for all outbound packets regardless of flags, and
not just initial setup (SYN). This is Very Bad(tm). In that case, you
should use these rules instead:
pass out proto tcp all flags S/SA keep state
pass out proto udp all keep state
pass out proto icmp all keep state
I've never gotten a definite answer as to what happens if you use "flags
S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
That's why I split them up per protocol on RELENG_6 boxes.
Happy firewalling! :-)
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
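A small model of the flags check Jeremy is talking about, added here as an illustration (it is not code from the thread, and it models only pf's "flags a/b" matching, not pf itself): with a bare "keep state" every matching outbound TCP packet creates a state entry, while "flags S/SA" restricts state creation to packets with SYN set and ACK clear.

```python
# Added example (not from the thread): a simplified model of how a pf
# "pass out proto tcp ... keep state" rule decides whether an outbound TCP
# packet creates a state entry, with and without a "flags S/SA" clause.
# Only the flag check is modelled; addresses, ports and existing state are
# ignored.

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Turn a pf 'flags' spec such as 'S/SA' into (required, checked) masks.
    Flags before the slash must be set; flags after the slash are the only
    ones examined; any flag outside the checked set is ignored."""
    if spec is None:
        return 0, 0  # no flags clause: any flag combination matches
    required, checked = spec.split("/")
    req = sum(TCP_FLAGS[c] for c in required)
    chk = sum(TCP_FLAGS[c] for c in checked)
    return req, chk


def rule_matches(flags_spec, packet_flags):
    """True if a packet with these flag bits matches the rule's flags clause
    (None means the rule has no flags clause at all)."""
    req, chk = parse_flags(flags_spec)
    return (packet_flags & chk) == req


def states_created(flags_spec, packets):
    """Names of the packets that would create a state entry under
    'pass out proto tcp all [flags SPEC] keep state'."""
    return [name for name, bits in packets if rule_matches(flags_spec, bits)]


# Constructed sample of outbound TCP packets: a connection opener, a lone
# ACK, a RST, and a SYN/ACK.
PACKETS = [
    ("SYN", TCP_FLAGS["S"]),
    ("ACK", TCP_FLAGS["A"]),
    ("RST", TCP_FLAGS["R"]),
    ("SYN/ACK", TCP_FLAGS["S"] | TCP_FLAGS["A"]),
]

if __name__ == "__main__":
    # Bare "keep state" (RELENG_6): every packet creates state.
    print("keep state only:", states_created(None, PACKETS))
    # With "flags S/SA": only the SYN (SYN set, ACK clear) creates state.
    print("flags S/SA     :", states_created("S/SA", PACKETS))
```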