From: Tom Uffner
Date: Sat, 31 Oct 2009 17:52:15 -0400
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4

Nico De Dobbeleer wrote:
> # this should block OS fingerprints??
> block in log quick proto tcp flags FUP/WEUAPRSF
> block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in log quick proto tcp flags SRAFU/WEUAPRSF
> block in log quick proto tcp flags /WEUAPRSF
> block in log quick proto tcp flags SR/SR
> block in log quick proto tcp flags SF/SF
>
> # thwart nmap scans
> block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
> block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
>
> Any ideas?

yeah. replace all of the strange flag combinations with a simple "block log all" rule. get basic firewall functionality working first, then add the fancy stuff back one rule at a time & test to see what breaks. and when adding the above rules, think about whether you really want "quick". i'm amazed that any TCP gets through that ruleset in either direction.
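As an added illustration (not code from this thread or from pf itself), the following Python models pf's `flags set/mask` test: of the flags named in the mask, exactly those named in the set must be on. Running it over the flag expressions quoted above with a few constructed TCP segments shows what each rule actually matches, which is the kind of one-rule-at-a-time check suggested in the reply; the flag letters are pf's own (F S R P A U E W) and the sample segments are made up here.

```python
# Added example, not from the mailing-list thread: a model of pf's
# "flags set/mask" test applied to the quoted rules.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def flag_bits(letters: str) -> int:
    """Turn a pf flag string such as 'SA' into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits

def pf_flags_match(rule: str, tcp_flags: int) -> bool:
    """pf semantics: of the flags in <mask>, exactly those in <set> must be on."""
    set_part, mask_part = rule.split("/")
    return (tcp_flags & flag_bits(mask_part)) == flag_bits(set_part)

# The flag expressions quoted from the original pf.conf.
QUOTED_RULES = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
                "/WEUAPRSF", "SR/SR", "SF/SF", "SEFUP/SEFUP"]

# Constructed sample segments: normal handshake/data traffic plus two of the
# odd flag combinations a fingerprinting probe is known for (null, xmas).
SAMPLE_SEGMENTS = {
    "syn": flag_bits("S"),
    "syn-ack": flag_bits("SA"),
    "ack": flag_bits("A"),
    "psh-ack": flag_bits("PA"),
    "fin-ack": flag_bits("FA"),
    "null": 0,
    "xmas": flag_bits("FPU"),
}

def matching_rules(tcp_flags: int) -> list[str]:
    """Return the quoted rules that would block a segment with these flags."""
    return [r for r in QUOTED_RULES if pf_flags_match(r, tcp_flags)]

def blocked_segments() -> dict[str, list[str]]:
    """Map each sample segment to the rules that catch it (empty = passes)."""
    return {name: matching_rules(bits) for name, bits in SAMPLE_SEGMENTS.items()}

if __name__ == "__main__":
    for name, rules in blocked_segments().items():
        print(f"{name:8s} -> {rules or 'no match, falls through to later rules'}")
```

Swapping the quoted list for your own rules and the samples for flags pulled from a `tcpdump -v` line of real traffic gives a quick table of what a candidate rule will and will not catch before it goes into pf.conf.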