
Re: www {80,443} && ACK's - PF Flags



alex wilkinson wrote:
> Hi all,
>
> Question: Is it a necessity to allow the TCP ACK flag for www traffic {80,443}?
>
> In my packet filtering rules I have explicitly masked the following flags:
>
> FSRA
>
> I am filtering for only SYN flags, i.e. S/FSRA.

pf's packet normalizer will take care of packets with invalid flag combinations. You should look at a "scrub" rule.


> However, I am seeing the following in my logs:
>
> rule 5/0(match): pass in on wi0: 10.0.0.30.36280 > 194.159.245.16.80: S 1477848336:1477848336(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
> rule 1/0(match): block in on tun0: 194.159.245.16.80 > 10.0.0.30.36280: S 57021312:57021312(0) ack 1477848337 win 5840 <mss 1420,nop,nop,sackOK>
>
> These are the rules I have for www traffic:
>
> pass in log quick on wi0 inet proto tcp from 10.0.0.0/24 to any port = www flags S/FSRA keep state label "80"
> pass in log quick on wi0 inet proto tcp from 10.0.0.0/24 to any port = https flags S/FSRA keep state label "443"

Where are the rules that pass the return traffic in on tun0? Or, from a different point of view, where are the rules that pass the connection out on tun0 and create state?


> I have been following the following doc: [http://www.inebriated.demon.nl/pf-howto], and there are examples in
> there that filter for only SYN flags in a SYN+ACK mask. Which is
> bizarre because if I do that it doesn't work.

That howto is old. Three years now. You should refer to the pf.conf man page and/or the pf section in the faq (www.openbsd.org/faq/).





.joel
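A pf.conf fragment, added here as an illustration and not part of either message, that puts the reply's two points together: let "scrub" normalise flag combinations, and pass the connection out on tun0 with state so the returning SYN+ACK is admitted by the state table rather than by a rule that would have to pass ACK explicitly. Interface names (wi0 as LAN side, tun0 as uplink) and the 10.0.0.0/24 prefix come from the original post; the labels, the S/SA flag mask and the default-deny rules are assumptions, and the standalone "scrub" directive is the syntax of pf releases from the thread's era (later OpenBSD releases express it as "match ... scrub (...)").

```pf
# Added example, not from the thread. wi0 = LAN interface, tun0 = uplink,
# 10.0.0.0/24 = LAN prefix (all taken from the original post).

# 1. Normalise packets first: invalid flag combinations are dropped here,
#    so the pass rules below do not need a restrictive mask like S/FSRA.
scrub in all

# 2. Default deny, logged, so anything not explicitly stated is visible
#    in pflog (assumed policy; the poster's rule 1 appears to be a block).
block in log all
block out log all

# 3. Let the LAN initiate web connections. Only the SYN of a new
#    connection has to match the rule (flags S/SA = SYN set, ACK clear);
#    "keep state" admits every later packet of that connection, pure ACKs
#    included, through the state table without a rule for the ACK flag.
pass in quick on wi0 inet proto tcp from 10.0.0.0/24 to any \
    port { www, https } flags S/SA keep state label "web-lan"

# 4. The same SYN then leaves on tun0 and needs a pass rule there as well.
#    Creating state on the out rule is what lets the SYN+ACK from the web
#    server come back in on tun0 instead of hitting the default block.
#    "from any" is used because, if NAT is applied on tun0, the source
#    address has already been translated by the time this rule is checked.
pass out quick on tun0 inet proto tcp from any to any \
    port { www, https } flags S/SA keep state label "web-uplink"
```

Verify the effect with `pfctl -s state` after a browser connection: one TCP entry should appear per connection, and pflog should no longer record a block for the SYN+ACK on tun0.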