Date:      Sat, 31 Oct 2009 17:52:15 -0400
From:      Tom Uffner <tom@uffner.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: freebsd-pf Digest, Vol 266, Issue 4
Message-ID:  <4AECB18F.30106@uffner.com>
In-Reply-To: <3350817.188221257022804727.JavaMail.root@zimbra-store>
References:  <3350817.188221257022804727.JavaMail.root@zimbra-store>

Nico De Dobbeleer wrote:

> # this should block OS fingerprints?? 
> block in log quick proto tcp flags FUP/WEUAPRSF 
> block in log quick proto tcp flags WEUAPRSF/WEUAPRSF 
> block in log quick proto tcp flags SRAFU/WEUAPRSF 
> block in log quick proto tcp flags /WEUAPRSF 
> block in log quick proto tcp flags SR/SR 
> block in log quick proto tcp flags SF/SF 
> 
> # thwart nmap scans 
> block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP 
> block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP 
> 
> Any ideas?

yeah. replace all of the strange flag combinations with a simple
"block log all" rule.

get basic firewall functionality working first, then add the fancy
stuff back one rule at a time & test to see what breaks.

and when adding the above rules, think about whether you really
want "quick". i'm amazed that any TCP gets through that ruleset
in either direction.
