[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"pf" question



Being fairly new to OpenBSD and "pf", I was wondering what is the best 
way to handle blocking everything. I've looked at online documentation 
for "pf" and the man page for "pf.conf" and it it has some default 
"block everything" rules like so:

block             out log on $ext_if           all
block             in  log on $ext_if           all
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all

I was just wondering is this way the best way for blocking ports by 
using "return-rst" and "return-icmp". Rules 3-6 actually cause the 
firewall to respond back to a port probe and so I'm wondering if it 
would be better to remove rules 3-6. This would allow rule 2 to be the 
one that is matched and would make the firewall more stealth-like since 
there would be no response back.

Currently I'm seeing a number of SQL Server probes at port 1433 and it 
is rule 4 that matches all of the TCP port probes I see hitting my 
firewall.

Thanks,

Anthony

-- 
Anthony Schlemmer
aschlemm_(_at_)_attbi_(_dot_)_com

Walk softly and carry a megawatt laser.