From owner-freebsd-questions Mon Nov 19 20:57:34 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hawk.prod.itd.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id 724A937B405 for ; Mon, 19 Nov 2001 20:57:31 -0800 (PST)
Received: from sdn-ar-007dcwashp251.dialsprint.net ([63.178.90.141] helo=moo.holy.cow) by hawk.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 1662yQ-0000BV-00 for freebsd-questions@freebsd.org; Mon, 19 Nov 2001 20:57:30 -0800
Received: by moo.holy.cow (Postfix, from userid 1001) id 2D7E850B85; Mon, 19 Nov 2001 23:58:45 -0500 (EST)
Date: Mon, 19 Nov 2001 23:58:44 -0500
From: parv
To: f-q
Subject: need help cleaning ipf rules
Message-ID: <20011119235844.A11191@moo.holy.cow>
Mail-Followup-To: f-q
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

i think i may have some unnecessary rules, but i can't identify them.
if i "block in on tun0 from A to B", then would "block in on tun0 from
B to A" be redundant?  following is the list...

block in from any to any
block in log on tun0 from any to any head 200
block in log body quick from any to any with short
block in log body quick from any to any with ipopts
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
block in log quick from any to any with frags
block in log quick proto tcp from any to any flags FUP
block in log quick proto tcp from any to any flags SF/SFRA
block in log quick proto tcp from any to any flags SF/SF
block in log quick proto tcp from any to any flags SR/SR
block in log quick proto tcp from any to any flags /SFRA
# deleted rules to block attempts to connect to ssh, ftp, etc.
# which i have only for statistics, as the following will block
# those anyway
#
block in log body quick on tun0 from any to any port < 1025 group 200
# i start X with "-nolisten tcp" option, but still...
#
block in log body quick on tun0 from any to any port 5999 >< 6064 group 200
block in log body quick on tun0 from any to any port = 5432 group 200
#
# XXX rules like these are what's fattening my list; there are 15-20
# XXX "block in" like these for other offending addresses.
# XXX
# XXX would these in any way be helpful to delay DoS attacks
# XXX and zombie-making attempts?
#
block in log body quick on tun0 from 61.133.109.130/8 to any group 200
block in log body quick on tun0 from any to 61.133.109.130/8 group 200
block in log body quick on tun0 from 192.168.0.0/16 to any group 200
block in log body quick on tun0 from any to 192.168.0.0/16 group 200
# same for 172.16.0.0/16, 10.0.0.0/8, and 127.0.0.0/16 addresses

block out from any to any
block out on tun0 from any to any head 400
block out log body quick on tun0 from any to 192.168.0.0/16 group 400
block out log body quick on tun0 from 192.168.0.0/16 to any group 400
# same for 172.16.0.0/16 and 127.0.0.0/16 addresses
pass out quick on tun0 proto udp from 10.0.0.1 to any port = 53 keep state group 400
pass out log or-block quick on tun0 proto udp from 0.0.0.0 to any port 33433 >< 33465 keep state group 400
pass out quick on tun0 proto tcp from 0.0.0.0 to any keep state group 400
pass out quick on tun0 proto udp from 0.0.0.0 to any keep state group 400
pass out log or-block quick on tun0 proto icmp from 0.0.0.0 to any icmp-type 8 keep state group 400

...machine is a stand-alone laptop, having internet connection via modem.
i _need_ to be able to use ping and traceroute to outside addresses, and
do not _want_ the same to be done to me.

freebsd version is 4.4-stable-20011003.

any other insight will be much appreciated.

thanks much.

- parv

ps: yes, i have gone thru' manpages & obfuscate.org's document.
--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
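The question in the post (whether "block in ... from A to B" makes "block in ... from B to A" redundant) is easiest to settle by running sample packets through the ruleset and seeing which rule decides each one. The following is an added example, not code from the post or from the IPFilter project: a small evaluator for a subset of ipf rule syntax that applies ipf's documented matching order (rules walked in sequence, last match wins, "quick" decides immediately, a matching "head N" rule diverts into group N). The ruleset inside it is a constructed, cut-down echo of the post's address-based rules, with log/body/keep state and the "with"/"flags"/"icmp-type" tests left out; the packets and the addresses 203.0.113.7 and 198.51.100.9 are constructed placeholders, and the names Packet, parse_rule, load, evaluate and decide are this example's own.

```python
"""Toy evaluator for a subset of IPFilter (ipf) rule syntax.
Added example; not code from the list post or the IPFilter project.  Modelled:
block/pass, in/out, on IFACE, proto P, from/to ADDR, port tests (= < > ><),
quick, head N / group N.  Skipped: log, body, or-block, keep state.  Not
modelled: "with ...", "flags", "icmp-type".  ipf semantics: rules are walked
in order and the LAST match decides, unless a match says quick (decides at
once); a matching "head N" rule diverts evaluation into group N.
"""
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

SKIP = {"log", "body", "or-block", "keep", "state"}  # parsed but ignored
SCALAR = {"on": ("iface", str), "proto": ("proto", str), "head": ("head", int), "group": ("group", int)}
Packet = namedtuple("Packet", "direction iface src dst proto sport dport", defaults=("tcp", 0, 0))


def parse_rule(line):
    t = line.split()
    # None for iface/proto/src/dst means "any"; sport/dport hold (op, n, m); group 0 is top level
    r = SimpleNamespace(text=line, action=t[0], direction=t[1], iface=None, proto=None, src=None,
                        dst=None, sport=None, dport=None, quick=False, head=None, group=0)
    i, side = 2, "dport"
    while i < len(t):
        w = t[i]
        if w in SKIP:
            i += 1
        elif w == "quick":
            r.quick, i = True, i + 1
        elif w in SCALAR:  # keyword followed by a single value
            setattr(r, SCALAR[w][0], SCALAR[w][1](t[i + 1]))
            i += 2
        elif w in ("from", "to"):  # a following "port" binds to this side
            side = "sport" if w == "from" else "dport"
            addr = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1], strict=False)
            setattr(r, "src" if w == "from" else "dst", addr)
            i += 2
        elif w == "port":  # "port = N", "port < N", "port > N" or "port N >< M"
            rng = t[i + 2] == "><"
            setattr(r, side, ("><", int(t[i + 1]), int(t[i + 3])) if rng else (t[i + 1], int(t[i + 2]), 0))
            i += 4 if rng else 3
        else:
            raise ValueError(f"unsupported keyword {w!r} in: {line}")
    return r


def port_ok(pred, port):
    if pred is None:
        return True
    op, a, b = pred
    return {"=": port == a, "<": port < a, ">": port > a, "><": a < port < b}[op]


def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and port_ok(r.sport, p.sport) and port_ok(r.dport, p.dport))


def load(lines):
    """Parse rule lines (comments and blanks allowed) into {group: [rules]}."""
    groups = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            r = parse_rule(line)
            groups.setdefault(r.group, []).append(r)
    return groups


def evaluate(groups, p, group=0, current=None):
    """Walk one group; return (last matching rule so far, stopped by quick?)."""
    for r in groups.get(group, []):
        if not matches(r, p):
            continue
        current = r
        if r.quick:
            return r, True
        if r.head is not None:  # divert into the group this head rule opens
            current, stopped = evaluate(groups, p, r.head, current)
            if stopped:
                return current, True
    return current, False


def decide(groups, p):
    """Return (verdict, text of the rule that decided it)."""
    rule, _ = evaluate(groups, p)
    return ("pass", "no rule matched") if rule is None else (rule.action, rule.text)


# Constructed ruleset: a cut-down echo of the post's address-based rules.
RULESET = """
block in from any to any
block in on tun0 from any to any head 200
block in quick on tun0 proto tcp from any to any port = 5432 group 200
block in quick on tun0 from 192.168.0.0/16 to any group 200
block in quick on tun0 from any to 192.168.0.0/16 group 200
block out from any to any
block out on tun0 from any to any head 400
block out quick on tun0 from any to 192.168.0.0/16 group 400
block out quick on tun0 from 192.168.0.0/16 to any group 400
pass out quick on tun0 proto udp from any to any port = 53 group 400
pass out quick on tun0 proto tcp from any to any group 400
""".splitlines()
GROUPS = load(RULESET)
# Constructed packets; 203.0.113.7 stands in for the laptop's own address.
SPOOFED_SRC = Packet("in", "tun0", "192.168.1.5", "203.0.113.7", "tcp", 40000, 80)
PRIVATE_DST = Packet("in", "tun0", "198.51.100.9", "192.168.1.5", "tcp", 40000, 80)
```

Running `decide(GROUPS, SPOOFED_SRC)` and `decide(GROUPS, PRIVATE_DST)` shows the two 192.168.0.0/16 rules catching different packets: the first a packet with a spoofed private source arriving on the public link, the second a packet addressed to a private destination. So the "B to A" rule is not redundant for logging purposes. What the evaluator also makes visible is that this ruleset has no inbound pass rule at all, so if the "to 192.168.0.0/16" rule is dropped the packet is still blocked, now by the "head 200" rule; the per-address block rules change which rule records the hit, not the verdict. The same holds for the outbound side: an ICMP packet with no matching pass rule in group 400 falls back to the blocking head rule.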