Re: strange results with pf
This is a discussion on Re: strange results with pf within the mailing.openbsd.tech forums, part of the OpenBSD category; --> If i'm right: block return-rst in inet proto tcp all You don't close the tcp connection at all and ...
| |||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-18-2008, 07:32 AM
| ||||
| ||||
 Re: strange results with pf If i'm right: block return-rst in inet proto tcp all You don't close the tcp connection at all and then nmap says it's a open port. I'm not sure but i think that rule it is. On Wed, 2003-08-20 at 10:38, Alexei G. Malinin wrote: > Hello! > > > Recently I configured pf on my mail gateway (patched OpenBSD-3.3 > RELEASE) as follows: > -------------- > # pfctl -s all > scrub in all fragment reassemble > block drop all > block return-icmp(proto-unr) in inet all > block return-icmp(port-unr) in inet proto udp all > block return-rst in inet proto tcp all > pass in quick on lo0 inet all > pass out quick on lo0 inet all > block drop in quick inet from 224.0.0.0/4 to any > block drop in quick inet from 240.0.0.0/4 to any > block drop in quick inet from 0.0.0.0/8 to any > block drop in quick inet from 192.0.2.0/24 to any > block drop in quick inet from 169.254.0.0/16 to any > block drop in quick inet from 198.18.0.0/15 to any > block drop in quick inet from 127.0.0.0/8 to any > block drop in quick inet from any to 224.0.0.0/4 > block drop in quick inet from any to 240.0.0.0/4 > block drop in quick inet from any to 0.0.0.0/8 > pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port = > smtp flags S/SA keep state (max 4096) > pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port = > ssh flags S/SA keep state (max 17) > pass in quick on fxp0 inet proto udp from any to 192.168.150.13 port > 33433 >< 33690 keep state (max 127) > pass in quick on fxp0 inet proto icmp from any to 192.168.150.13 > icmp-type echoreq code 0 keep state (max 127) > pass out quick on fxp0 inet proto tcp from 192.168.150.13 to any flags > S/SA keep state > pass out quick on fxp0 inet proto udp from 192.168.150.13 to any keep state > pass out quick on fxp0 inet proto icmp from 192.168.150.13 to any > icmp-type echoreq code 0 keep state > icmp 192.168.150.13:63312 <- 192.168.150.254:63312 0:0 > [cut] > Status: Enabled for 0 days 18:42:44 Debug: None > > State Table Total Rate > current entries 197 > searches 9738453 144.6/s > inserts 665295 9.9/s > removals 665098 9.9/s > Counters > match 4421401 65.6/s > bad-offset 0 0.0/s > fragment 0 0.0/s > short 426 0.0/s > normalize 36 0.0/s > memory 0 0.0/s > tcp.first 3600s > tcp.opening 900s > tcp.established 432000s > tcp.closing 3600s > tcp.finwait 600s > tcp.closed 180s > udp.first 60s > udp.single 30s > udp.multiple 60s > icmp.first 20s > icmp.error 10s > other.first 60s > other.single 30s > other.multiple 60s > frag 30s > interval 10s > states hard limit 10000 > frags hard limit 5000 > --------------------- > > After that I checked that smtp, ssh, ping, traceroute worked and > scanned this host with nmap: > ------------------------------- > # nmap -sO -v -r 192.168.150.13 > ------------------------------- > > nmap said that all protocols are open (??). > I looked at tcpdump output made during the scan - > there were no icmp "proto-unr" packets (??!). > > Can anybody explain me such behaviour of pf? > I expected to find icmp "proto-unr" in the tcpdump output.      |
Linear Mode
