hi all...
doing testing with pf...
how is it possible that, if i have these rules below in pf.conf and i do:
telnet that.host.org 25
i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......
pf.conf contents:
tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"
set skip on lo
scrub in
antispoof for eth0 inet
block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
thanks....
"pass proto udp to any port $udp" passes traffic in any direction
(ingoing and outgoing).
2010/1/22 kalin m <ka...@el.net>:
> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
>
> how is it possible that, if i have these rules below in pf.conf and i
> do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
quite strange.
What does `pfctl -s all` return?
patpro
You are in a jail and/or that.host.org is a local IP routed via lo0?
--
Laurent Frigault | <url:http://www.agneau.org/>
> pass out all keep state
You're allowing out the initial TCP SYN, and creating a state entry for the
connection here. You should be able to make outgoing connections anywhere
with this rule.
Once a state entry gets created, the state table will match on the traffic
for the session, and the rules list won't have to be evaluated.
J.
--
Jason V. Miller
not sure if that would affect smtp. would it? how so?
yea.. all shows a lot... which part would you like to see? i just sent
the current rules out to the list...
# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state
Rémi LAURENT wrote:
> Hi,
>
> Maybe you can give us the result of a pfctl -s rules because i don't see
> how you can have this connection.
thanks... i was under the impression that if you have everything
blocked the initial syn request will be ignored. it doesn't make sense
otherwise....
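To make Jason's point concrete (the outbound SYN is matched by "pass out all keep state", a state entry is created, and from then on the state table answers for the whole session without the rules being evaluated), here is a small toy model of pf's evaluation order written for this thread. It is an added illustration, not pf source and not code from any poster: it reproduces the thread's ruleset as data, applies pf's last-matching-rule semantics (no "quick" is used here), keeps a state table keyed on the 5-tuple, and then runs the same packets against a constructed alternative ruleset in which outbound traffic is default-deny and opened per port. Host names, the ephemeral port and the "TIGHTENED" ruleset are constructed for the example.

```python
"""Toy model of pf rule evaluation (added illustration, not pf code).

Two behaviours of pf are modelled:
  1. Without "quick", the LAST matching rule decides the packet.
  2. A "keep state" / "synproxy state" pass inserts the flow into a state
     table; later packets of that flow are matched by the table and the
     ruleset is not consulted at all.
Rule tables are hand-transcribed from the thread's pf.conf; host names,
the ephemeral port and TIGHTENED are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

ME, THAT_HOST = "me.example", "that.host.org"          # constructed names


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the pf host
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    syn: bool = False         # TCP SYN without ACK, i.e. a new connection


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    direction: Optional[str] = None           # None: both directions
    proto: Optional[str] = None               # None: "all"
    ports: Optional[frozenset] = None         # destination ports, None: any
    state: bool = False                       # keep state / synproxy state
    syn_only: bool = False                    # "flags S/SA": only initial SYN

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.ports is None or p.dport in self.ports)
                and (not self.syn_only or p.syn))


class Firewall:
    def __init__(self, rules: list):
        self.rules = rules
        self.states: set = set()           # 5-tuples of flows with state

    def evaluate(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass (state table)"      # rules are never evaluated
        winner = None
        for rule in self.rules:              # last matching rule wins
            if rule.matches(p):
                winner = rule
        if winner is None:
            return "pass (no rule matched)"  # pf's implicit default
        if winner.action == "pass" and winner.state:
            self.states.add(fwd)
        return winner.action


TCP_IN = frozenset({80, 443})
UDP = frozenset({53, 123})

# The ruleset posted in the thread, in order.
ORIGINAL = [
    Rule("block", direction="in"),                                 # block in all
    Rule("pass", direction="out", state=True),                     # pass out all keep state
    Rule("pass", proto="udp", ports=UDP, state=True),              # pass proto udp to any port $udp
    Rule("pass", proto="icmp", state=True),                        # pass inet proto icmp ... echoreq
    Rule("pass", "in", "tcp", TCP_IN, state=True, syn_only=True),  # pass in ... $tcp_in synproxy state
    Rule("pass", proto="tcp", ports=frozenset({22}), state=True),  # pass proto tcp to any port ssh
]

# Constructed alternative: outbound is blocked by default and opened per port.
TIGHTENED = [
    Rule("block", direction="in"),
    Rule("block", direction="out"),
    Rule("pass", "out", "tcp", frozenset({22, 80, 443}), state=True, syn_only=True),
    Rule("pass", "out", "udp", UDP, state=True),
    Rule("pass", "in", "tcp", TCP_IN, state=True, syn_only=True),
    Rule("pass", proto="tcp", ports=frozenset({22}), state=True),
]


def scenario(rules: list) -> dict:
    """Run the thread's telnet-to-port-25 case plus a few control packets."""
    fw = Firewall(rules)
    out_syn = Packet("out", "tcp", ME, 51234, THAT_HOST, 25, syn=True)
    reply = Packet("in", "tcp", THAT_HOST, 25, ME, 51234)        # SYN/ACK coming back
    return {
        "out SYN to 25": fw.evaluate(out_syn),
        "reply from 25": fw.evaluate(reply),
        "in SYN to 25": fw.evaluate(Packet("in", "tcp", "x", 4000, ME, 25, syn=True)),
        "in SYN to 80": fw.evaluate(Packet("in", "tcp", "x", 4001, ME, 80, syn=True)),
        "in bare ACK to 80": fw.evaluate(Packet("in", "tcp", "x", 4002, ME, 80)),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name)
        for case, verdict in scenario(rules).items():
            print(f"  {case:20} -> {verdict}")
```

With ORIGINAL, the outbound SYN to port 25 is passed by "pass out all keep state" and the SYN/ACK is then answered from the state table, which is exactly the telnet session in the first message; "block in all" only ever sees unsolicited inbound SYNs. With TIGHTENED the same outbound SYN is blocked, no state exists, and the reply is dropped by "block in all". Note that in real pf `keep state` is the default on pass rules in current releases, so the explicit keyword is only a hint, not what makes the difference.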