[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Getting port scans while I would think that the system that is sc anned is not reachable because of my pf rules


I have the following situation, OpenBSD 3.6 is my Front-Firewall, the NIC on
the Internet side is FXP0
On the inside I have a NIC called XL0 which is connected to a Back-Firewall
(cross cable).

I only want traffic going to the internet if it was setup/requested by the
back-firewall first (statefull of course).

Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet

So, i have this : 

# pfctl -s rules
scrub in all fragment reassemble
block drop in all
block drop out all
block return-rst in on fxp0 inet proto tcp from any to any port = auth

pass in on xl0 inet from <ip back firewall> to any
pass out on xl0 inet from any to <ip back firewall>

pass out on fxp0 proto tcp all flags S/SA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

Now, my back-firewall still tells me that it is getting port scans from the
Internet, but i would think the system would not be reachable at all because
I block everything in that direction unless it was setup first ? 
Both systems do have a internet ip address, devided by subnetting. So there
is no NAT being done.

What am I missing here ? Why do port scans still reach my internal Firewall


Visit your host, monkey.org