[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPfilter rules for the home/desktop (New User Question).

To: misc@openbsd.org
Subject: Re: IPfilter rules for the home/desktop (New User Question).
From: gamble <gamble@tsoft.com>
Date: Thu, 18 Jan 2001 01:54:57 -0800

Stuart:
|block in log from any to any

I'm with Seth, return-rst and return-icmp(port-unr) for sure.

block return-rst in log proto tcp from any to any
block return-icmp(dest-unr) in log proto udp from any to any

There's some homework to be done before you block incoming icmp so you
don't break mtu path discovery.

|block out log from any to any

This is of course a NOP since you "pass out" later on.

|pass out log quick proto icmp all keep state
|pass out log quick proto tcp/udp all keep state

Do you really want a state entry for every TCP packet?  I would guess,
rather, that you want a state entry for every session:

pass out log quick proto icmp all keep state
pass out log quick proto udp all keep state
pass out log quick proto tcp all flags S keep state

This is especially important if you return-rst.  You don't want a state
entry on the outgoing RST...

-- 
Ben Gamble         "It's always heartwarming to see a prejudice defeated
gamble@idiom.com                    by a deeper prejudice." -- Lone Star

References:
- IPfilter rules for the home/desktop (New User Question).
  - From: stuart <Stuart.Mackie@BTinternet.com>

Prev by Date: brconfig
Next by Date: Re: plan to install OpenBSD 2.8
Prev by thread: Re: IPfilter rules for the home/desktop (New User Question).
Next by thread: bimap on enc0 for VPN address collison prevention
Index(es):
- Date
- Thread