
Re[2]: some problems with pf losing state information in

Hello Timothy,
Monday, December 09, 2002, 4:17:29 PM, you wrote:
Timothy> Hi, regarding the forum posting I made to deadly.org, I made
Timothy> a cut-and-paste error with the pf.conf lines quoted in it --
Timothy> I posted the wrong lines. Sorry for that. Here is a better
Timothy> example of in and out rules for http and https traffic:
Timothy>  pass in on $ext_if proto tcp from $approved_outside_net to\
Timothy>       $www_int_ip port {www,https} keep state \
Timothy>       label "ext_if_in_$srcaddr->$dstaddr_$dstport"
Timothy>  pass in on $ext_if proto tcp from $www_int_ip port \
Timothy>       {www,https} to $approved_outside_net keep state label \
Timothy>       "ext_if_in_$srcaddr_$srcport->$dstaddr"
Timothy>  # shouldn't need this line
Shouldn't this be "pass out"?
Timothy> ==
Timothy> # explicit deny rules
Timothy> block in quick log from $blocked_net to any \
Timothy>       label "blocked_net_in_$srcaddr"
It's better to add the known non-routable addresses here:
  NoRouteIPs="{ (rl1)/32, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,\
  10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
I also usually add a rule against well-known scanning codes:
  #Drop some port scannings
  block in quick on $ext_if inet proto tcp from any to any \
        flags FUP/FUP label "anti_scanning"
You may also want to block inet6 entirely. But that's only if you
have it configured. I always do that, just in case someone discovers
an attack there. Tell me if I'm too paranoid or simply stupid.
  block in quick on $ext_if inet6 all
BTW,
  block in quick on $ext_if ! inet all
doesn't seem to work on my release.

Timothy> # local interface rules
Timothy> pass in inet from lo0 to lo0 label "lo0_if_in"
Timothy> pass out inet from lo0 to lo0 label "lo0_if_out"
It's customary to put these as "quick" rules at the very top, so as
not to interfere with any local traffic.
Some MTAs also use ICMP type 3 for MTU discovery. This is explained in
http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-4.html. But I think
Daniel thinks differently about the necessity of having DF set. At least
that provoked some problems with Linux NFS, IIRC.
  pass in quick on $ExtIF inet proto icmp from any to $ExtIP \
       icmp-type $ICMPServices
  block in quick on $ExtIF inet proto icmp from any to any
Timothy> # external interface rules
Timothy> pass in on $ext_if proto tcp from $approved_outside_net to \
Timothy> $www_int_ip port {www,https} keep state label \
Timothy> "ext_if_in_$srcaddr->$dstaddr_$dstport" 
I usually also add "flags S/SAFPRU". This improves the security of
TCP connections. Never use S by itself, because that implies
S/SAFRUPEW. So since we don't want to screw up ECN signals (I hope :-)
you have to be explicit about that. "flags S/SA" should suffice,
though. You may need to customize the timing settings. But that has
already been covered.
I also add "modulate state" if that connection is going to an NT
box. Note that this implies keep state, so you don't have to put it.
The xBSDs and IOS are safe, Linux 2.2 is "safe enough", and 2.4
should be too.
Please read:
http://razor.bindview.com/publish/papers/tcpseq.html
http://lcamtuf.coredump.cx/newtcp/
You should also read:
http://www.insecure.org/nmap/idlescan.html
on why this is so important.
-- 
Best regards,
 Alejandro Belluscio
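
The following is an added example, not part of the original thread or either poster's ruleset: a single pf.conf (OpenBSD 3.2-era syntax, so no tables) that applies the points raised above in one place: loopback rules first and quick, a non-routable source list, the FUP/FUP anti-scan rule, an inet6 drop, a narrow ICMP allowance that keeps path MTU discovery working, "flags S/SA" on the stateful TCP rules, and "modulate state" for a server with a weak ISN generator. The interface name, addresses and macro names are constructed placeholders; nat/rdr for the web server is omitted, and "log" is written before "quick" because that is the order the 3.2 grammar accepts.

```pf
# Added example, not from the thread. Constructed placeholders throughout.
ext_if = "rl1"
ext_ip = "198.51.100.10"                   # firewall's external address (constructed)
www_int_ip = "10.0.0.5"                    # internal web server (constructed)
approved_outside_net = "198.51.100.0/24"   # who may reach the web server (constructed)
blocked_net = "203.0.113.0/24"             # explicitly denied source (constructed)

# Sources that must never arrive on the external interface: our own address,
# loopback, RFC 1918, "this" net, link-local, TEST-NET, multicast/reserved, broadcast
# (the author's list, minus 204.152.64.0/23).
no_route_ips = "{ ($ext_if)/32, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/3, 255.255.255.255/32 }"

# Default deny in both directions; later rules override (last match wins unless quick)
block in log all
block out log all

# Loopback first and quick, so nothing below interferes with local traffic
pass in quick on lo0 all
pass out quick on lo0 all

# Spoofed or non-routable sources, and the explicitly blocked net
block in log quick on $ext_if from $no_route_ips to any label "no_route_in"
block in log quick on $ext_if from $blocked_net to any label "blocked_net_in_$srcaddr"

# Impossible flag combination used by some scanners (FIN+URG+PSH set, SYN/ACK clear)
block in quick on $ext_if inet proto tcp all flags FUP/FUP label "anti_scanning"

# No IPv6 is configured on this box, so drop it entirely on the external interface
block in quick on $ext_if inet6 all

# ICMP: allow echo requests and "fragmentation needed" (type 3, code 4) so path MTU
# discovery keeps working for MTAs and other peers that set DF; drop everything else
pass in quick on $ext_if inet proto icmp from any to $ext_ip icmp-type echoreq keep state
pass in quick on $ext_if inet proto icmp from any to $ext_ip icmp-type unreach code needfrag
block in quick on $ext_if inet proto icmp all

# Inbound web traffic: only packets that open a connection (SYN set, ACK clear; the S/SA
# mask leaves the ECN bits alone). "modulate state" implies keep state and rewrites the
# ISNs, which protects a server with a weak ISN generator; use "keep state" if the
# server's stack is trusted.
pass in on $ext_if inet proto tcp from $approved_outside_net to $www_int_ip \
    port { www, https } flags S/SA modulate state \
    label "ext_if_in_$srcaddr->$dstaddr_$dstport"

# Replies from the web server match the state created above, so no second rule is
# needed for the return direction. Connections the firewall itself opens go out here.
pass out on $ext_if inet proto tcp from $ext_ip to any flags S/SA keep state \
    label "ext_if_out_$srcaddr->$dstaddr_$dstport"
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sl` shows the per-label counters, which is where the `$srcaddr`/`$dstaddr` label expansion pays off when hunting for the rule that is dropping a connection.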