Date: Wed, 23 Jul 2008 22:21:55 +0300 From: "Ivan Petrushev" <ivanatora@gmail.com> To: "Jon Radel" <jon@radel.com> Cc: freebsd-pf@freebsd.org Subject: Re: Why this rule doesn't score a match? Message-ID: <d39744a20807231221u11709fd0n434f05e57259375c@mail.gmail.com> In-Reply-To: <488780A6.4010807@radel.com> References: <d39744a20807231025w42fc4a99ha1e99be5fd5c76b0@mail.gmail.com> <48876DAD.9080100@optiksecurite.com> <d39744a20807231127u11df822rc2022a70b1a1af3e@mail.gmail.com> <d39744a20807231128j6641996i95ee8fec03053b6e@mail.gmail.com> <488780A6.4010807@radel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Jon, Aaahhh, I see now - these FROM rules must be TO rules :D Thank you both for your replies. I'm going to monitor the outbond connections as well, but I think I will be OK then. This was the little stone in the shoe. I've already managed to let ICMP trough that 'block all' ;) Btw, I like the way pflog is working - deploying tcpdump on pflog0 and track down the logged packets. Is there a way to create another pflog device and use it for some different rules? I've seen there is an option to the 'log' keyword - (to pflogX), but I didn't managed to find out how to create more pflog devices. Regards, Ivan. On Wed, Jul 23, 2008 at 10:04 PM, Jon Radel <jon@radel.com> wrote: > Ivan Petrushev wrote: >> >> Hmmm, yes I'm on FreeBSD 7 >> I tried these pass rules before - nothing gets logged. >> I thought traffic is going both TO these ports and FROM these ports. >> Let's take for example a simple HTTP connection. The browser >> communicates to the remote server trough remote port 80 and says 'GET >> /index.html', then closes the connection. The HTTP server on the >> remote side opens a connection to the local machine (on some of our >> local port range)... but what is the port number on his side? I think >> that it is again 80. >> About pass in/pass out - I think that in/out keyword can be dropped? >> PF can do without that, right? >> >> These are my current filter rules, still nothing gets logged: >> ############################## >> pass log on $if proto tcp from any port $tcp_services >> pass log on $if proto udp from any port $udp_services >> pass log on $if proto tcp from any to $ext_ip port $tcp_services >> pass log on $if proto udp from any to $ext_ip port $udp_services >> ############################# > > HTTP doesn't work like that. The client opens a connection from an > arbitrary port (generally high and pseudo-random) to port 80 (or 8080, or > whatever the published port the server listens on is). The server does NOT > open a connection to you. > > Your initial packet to the web server > > from YOU port NNNN > to SERVER port 80 > > never gets through your rule set so there's never a response from the server > to get logged. > > You'd do much better, if this is a workstation on which you run a webbrowser > and other clients, rather than a router/firewall, to do something like: > > pass out on $if proto tcp to any port $tcp_services flags S/SA keep state > > This allows the initial packet from your machine out and uses the PF state > mechanism (which you really, really, really should be using for reasons of > efficiency and security) to allow all further packets for that TCP > connection both in and out on that interface. > > Unless you're offering services on this computer to which you want other > machines to establish connections, you're much better off having no, or > minimal, "pass in" rules. That way people can't send you random, possibly > nasty, packets which you accept simply because they used a source port of > 80. > > --Jon Radel >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d39744a20807231221u11709fd0n434f05e57259375c>