[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: strange results with pf

To: tech@openbsd.org
Subject: Re: strange results with pf
From: Matthijs Mohlmann <matthijs@active2.homelinux.org>
Date: 20 Aug 2003 11:13:59 +0200
References: <200308200838.h7K8cGtj002138@mx.ecom-it.ru>

If i'm right:

block return-rst in inet proto tcp all

You don't close the tcp connection at all and then nmap says it's a open
port.

I'm not sure but i think that rule it is.

On Wed, 2003-08-20 at 10:38, Alexei G. Malinin wrote:
> Hello!
> 
> 
> Recently I configured pf on my mail gateway (patched OpenBSD-3.3
> RELEASE) as follows:
> --------------
> # pfctl -s all
> scrub in all fragment reassemble
> block drop all
> block return-icmp(proto-unr) in inet all
> block return-icmp(port-unr) in inet proto udp all
> block return-rst in inet proto tcp all
> pass in quick on lo0 inet all
> pass out quick on lo0 inet all
> block drop in quick inet from 224.0.0.0/4 to any
> block drop in quick inet from 240.0.0.0/4 to any
> block drop in quick inet from 0.0.0.0/8 to any
> block drop in quick inet from 192.0.2.0/24 to any
> block drop in quick inet from 169.254.0.0/16 to any
> block drop in quick inet from 198.18.0.0/15 to any
> block drop in quick inet from 127.0.0.0/8 to any
> block drop in quick inet from any to 224.0.0.0/4
> block drop in quick inet from any to 240.0.0.0/4
> block drop in quick inet from any to 0.0.0.0/8
> pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
> smtp flags S/SA keep state (max 4096)
> pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
> ssh flags S/SA keep state (max 17)
> pass in quick on fxp0 inet proto udp from any to 192.168.150.13 port
> 33433 >< 33690 keep state (max 127)
> pass in quick on fxp0 inet proto icmp from any to 192.168.150.13
> icmp-type echoreq code 0 keep state (max 127)
> pass out quick on fxp0 inet proto tcp from 192.168.150.13 to any flags
> S/SA keep state
> pass out quick on fxp0 inet proto udp from 192.168.150.13 to any keep state
> pass out quick on fxp0 inet proto icmp from 192.168.150.13 to any
> icmp-type echoreq code 0 keep state
> icmp 192.168.150.13:63312 <- 192.168.150.254:63312 0:0
> [cut]
> Status: Enabled for 0 days 18:42:44 Debug: None
> 
> State Table Total Rate
> current entries 197
> searches 9738453 144.6/s
> inserts 665295 9.9/s
> removals 665098 9.9/s
> Counters
> match 4421401 65.6/s
> bad-offset 0 0.0/s
> fragment 0 0.0/s
> short 426 0.0/s
> normalize 36 0.0/s
> memory 0 0.0/s
> tcp.first 3600s
> tcp.opening 900s
> tcp.established 432000s
> tcp.closing 3600s
> tcp.finwait 600s
> tcp.closed 180s
> udp.first 60s
> udp.single 30s
> udp.multiple 60s
> icmp.first 20s
> icmp.error 10s
> other.first 60s
> other.single 30s
> other.multiple 60s
> frag 30s
> interval 10s
> states hard limit 10000
> frags hard limit 5000
> ---------------------
> 
> After that I checked that smtp, ssh, ping, traceroute worked and
> scanned this host with nmap:
> -------------------------------
> # nmap -sO -v -r 192.168.150.13
> -------------------------------
> 
> nmap said that all protocols are open (??).
> I looked at tcpdump output made during the scan -
> there were no icmp "proto-unr" packets (??!).
> 
> Can anybody explain me such behaviour of pf?
> I expected to find icmp "proto-unr" in the tcpdump output.

Follow-Ups:
- Re: strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>

References:
- strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>

Prev by Date: strange results with pf
Next by Date: Re: strange results with pf
Prev by thread: strange results with pf
Next by thread: Re: strange results with pf
Index(es):
- Date
- Thread