[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Pf rules for Review

Daniel..and others..
Thanks for the helpful suggestions..
I did make use of macros as suggested .. looks like I need a better
understanding of ICMP..
Much Thanks
-----Original Message-----
From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx] On Behalf
Of Daniel Hartmeier
Sent: Friday, October 18, 2002 3:12 AM
To: C.Tran
Cc: pf@benzedrine.cx
Subject: Re: Pf rules for Review
On Thu, Oct 17, 2002 at 09:36:16PM -0500, C.Tran wrote:
> I think I have a good rule set but would like others to offer
> any comments or suggestions whether more restrictions
> are needed..
You're filtering on only the external interface, using a default block
policy and keeping state. That's what I'd do, and I can only find minor
1) You should move the scrub rule up, before the pass/block rules. While
   the relative order of scrub vs. pass/block rules is not relevant,
   newer versions of the parser will enforce that scrub rules come
   before pass/block to make this clear.
2) You can shorten the default block and pass on unfiltered interfaces
     # block on all interfaces by default
     block in  log all
     block out log all
     # pass on all unfiltered interfaces
     pass in  quick on { lo0, $Int0, $Int1 } all
     pass out quick on { lo0, $Int0, $Int1 } all
3) The block for spoofed addresses should probably use 'quick',
   since all packets are already blocked by default at that point.
   Note that your $spoof also contains the private addresses you're
   using internally. Outgoing (nat'ed) connections will have their
   sources already translated, so this doesn't affect them, but
   once you start using rdr, you have to remember that.
4) You could use another macro to list all allowed outgoing TCP
   ports (and one for UDP), like
   outgoing_tcp="{ www, 443, 1214 }"
   pass out on $Ext proto tcp from any to any port $outgoing_tcp \
     flags S/SA keep state
5) The 'quick' on these pass rules further down is not really
   needed, unless there are rules yet further down that can
   possibly match and either block or pass without keep state
   (which yours don't).
6) ICMP errors 'destination unreachable' and 'time exceeded', when
   referring to a statefully filtered connection, always pass
   through the state of the referred-to packet, so you don't need
   to pass them explicitely. And creating state for ICMP errors
   is futile, since there will be no replies to them. You can
   run pfctl -vsr and you'll see that those last two rules never
7) ICMP queries like 'echo request', on the other hand, might
   be worth passing with keep state, if you want to ping through
   the firewall.