Re: "pf" question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: "pf" question
- From: Han Boetes <han_(_at_)_mijncomputer_(_dot_)_nl>
- Date: Tue, 24 Sep 2002 00:36:51 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: misc_(_at_)_openbsd_(_dot_)_org
Anthony Schlemmer (aschlemm_(_at_)_attbi_(_dot_)_com) wrote:
> Being fairly new to OpenBSD and "pf", I was wondering what is the best
> way to handle blocking everything. I've looked at online documentation
> for "pf" and the man page for "pf.conf" and it has some default
> "block everything" rules like so:
>
> block out log on $ext_if all
> block in log on $ext_if all
> block return-rst out log on $ext_if proto tcp all
> block return-rst in log on $ext_if proto tcp all
> block return-icmp out log on $ext_if proto udp all
> block return-icmp in log on $ext_if proto udp all
>
> I was just wondering whether this is the best way of blocking ports,
> using "return-rst" and "return-icmp". Rules 3-6 actually cause the
> firewall to respond back to a port probe, so I'm wondering if it
> would be better to remove rules 3-6. This would allow rule 2 to be the
> one that is matched and would make the firewall more stealth-like,
> since there would be no response back.
No. It is a misconception. Firewalls are just like human conversation.
If you don't like a question you do not ignore it. You should politely
decline the request. Only very annoying requests should be ignored.
You only keep portscans in mind, not generic traffic from legitimate
hosts.

Before (i)pf had the `flags S' rule it was even possible to do a
`stealth scan' with nmap that would show the difference between a port
that did run a server and one that didn't. I.e. `stealth' would reveal
more than a `closed' port.

IMO the only situation where stealth is beneficial is when you are being
DOS'ed. For all other situations you are just blocking normal traffic.
For example, try to log on to any irc-server with your firewall in
stealth mode. You will most likely have to wait for the identd timeout
(30 seconds) before you can connect. When your firewall is in closed
mode the log-on takes only seconds.

Cya, Han.
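As an added example (not part of the thread, and not a ruleset either poster supplied), here is a minimal pf.conf that implements the "closed, not stealth" policy the reply argues for, using the same `return-rst` / `return-icmp` keywords as the quoted rules. The interface name `em0` and the single offered service (ssh) are assumptions for illustration; pf evaluates rules last-match-wins, which is why the protocol-specific `return` rules are placed after the generic `block ... all` rules, exactly as in the quoted ruleset.

```pf
# Added example, not from the original thread.
ext_if = "em0"        # assumption: external interface name

# Generic deny first. Because pf uses last-match semantics, the more
# specific rules below take precedence for TCP and UDP.
block in  log on $ext_if all
block out log on $ext_if all

# "Closed" behaviour: a TCP probe is answered with a RST and a UDP probe
# with an ICMP port-unreachable. A remote identd lookup (tcp/113) is
# therefore refused at once instead of hanging until the client's
# timeout, which is the IRC log-on delay described in the reply.
block return-rst  in log on $ext_if proto tcp all
block return-icmp in log on $ext_if proto udp all

# "Stealth" would be the following instead (silent discard). It is left
# commented out because it is the behaviour the reply advises against:
# block drop in log on $ext_if proto { tcp udp } all

# Services actually offered. State is created only on the initial SYN
# (flags S/SA), the rule the reply refers to as `flags S'.
pass in  on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass out on $ext_if all keep state
```

Syntax-check the file without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and inspect the active rules with `pfctl -sr`. On current pf the same effect can be obtained globally with `set block-policy return`, but the explicit `return-rst` / `return-icmp` form above matches the rules under discussion.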