@luminwa
I would use "block log all" and "block log quick inet6 all" if you're not keen on using IPv6 right now.
Quote:
match in log on $EXT scrub (no-df)
|
Is more like this in 4.6; you can use multiple interfaces if you have more than one requiring ingress traffic.
Quote:
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
|
The above is also covered by "block log all". I do not use separate rules per flag combination; I'm certain there are circumstances for such, but not for this cat.
Quote:
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
|
Quote:
pass out log on $EXT proto tcp from any modulate state flags S/SA
pass out log on $EXT proto { udp, icmp } from any
|
I use the following. I could be wrong, but I'm betting that you're not running OBSD 4.6? Also, the "from any to any" could be a bit hazardous in some situations; better to specify an interface or sometimes even an IP.
I also have a tun0 interface that I include in antispoof (and Snort).
Quote:
antispoof log quick for { $LO $EXT tun0 } inet
|
About synproxy: it's for YOUR servers behind your firewall that you want to "protect" from SYN packets.
Quote:
TCP SYN Proxy
Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake.
The TCP SYN proxy is enabled using the synproxy state keywords in filter rules. Example:
pass in on $ext_if proto tcp from any to $web_server port www \
flags S/SA synproxy state
Here, connections to the web server will be TCP proxied by PF.
|
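The pieces discussed above pulled into one OpenBSD 4.6-style ruleset, as an added example (not the poster's or luminwa's own configuration). The interface names em0 and lo0, the presence of tun0, the web server address 192.0.2.10 and port www are all assumptions chosen for illustration.

```pf
# Added example; not taken from the thread. Names and addresses below are assumptions.
ext_if = "em0"
lo_if  = "lo0"
web_server = "192.0.2.10"

# Loopback is exempt from filtering, so the antispoof rule for $lo_if below
# only bites on packets arriving on other interfaces with a 127/8 source.
set skip on $lo_if

# 4.6 syntax: normalise inbound packets on the external interface with a match rule.
match in log on $ext_if scrub (no-df)

# Default deny, logged. IPv6 is dropped outright until it is actually wanted;
# "all" is shorthand for "from any to any".
block log all
block log quick inet6 all

# Drop packets claiming a source address that belongs to one of our own networks.
antispoof log quick for { $lo_if $ext_if tun0 } inet

# Outbound traffic is tied to the external interface and its address, rather than
# "from any to any" on every interface. Only an initial SYN may create TCP state.
pass out log on $ext_if proto tcp from ($ext_if) modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from ($ext_if)

# Inbound to a server behind the firewall: with synproxy, PF completes the client's
# handshake itself and only then opens a connection to $web_server, so a spoofed
# SYN flood never reaches the server.
pass in on $ext_if proto tcp from any to $web_server port www \
    flags S/SA synproxy state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and look at `pfctl -sr` afterwards to see the block rules the antispoof line expands into for each listed interface.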