Old 13th August 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,907

Originally Posted by nekoneko
Sorry, I probably didn't use very clear terminology. By listening, I meant listening and potentially accepting connections on running services.
You misunderstood, then.

All traffic is inspected for rule matching -- to an extent. There is optimization, of course. If PF does not need to inspect, it does not. As when stateful traffic is passed, matching traffic is not inspected again while the state remains established.

Yes, you can configure PF so that your em0 traffic is blocked from services on the router. Let's look at this example:
pass in on em0 proto {tcp udp icmp} to any
block in on em0 to self
The first rule permits three protocols to be passed inbound to the gateway, headed anywhere at all. The second rule blocks inbound traffic of all protocols destined to the gateway itself. In PF, unless the quick option is used, the last matching rule wins. So in this example, individual inbound packets are inspected, and if they are of the three protocols, the pass will match. Then, the packets are tested against the block rule. If the destination is the gateway itself, the block will match. Whichever was the last matching rule for that packet will apply. All inbound traffic to "self" will be blocked. TCP/UDP/ICMP traffic to other destinations will pass. And any inbound packets of protocols other than TCP/UDP/ICMP would not match the pass rule, but they might match the block rule, if the gateway were their destination.
For example, if I were setting up a router using iptables...
These packet filtering tools are quite different from one another.

While you may or may not be able to do exactly the same sorts of filtering with each tool ... if I understood this use case, yes, you can easily prevent em0 traffic from reaching any services on the gateway other than SSH, while still permitting unfettered access to the Internet.


Unrelated to your question, but ... a thought on best practices:

You do not trust the platforms on em0 to permit them access to services on your gateway. Are any of the machines on em0 Windows platforms? I ask, because you are granting em0 unfettered outbound access to the Internet.

If this were my network, and there were Windows platforms on em0, I would want to control traffic to ports 25 and 587 to prevent spambots, and I would want control of unsolicited outbound TCP and UDP traffic on non-standard ports, in order to limit access to bot C&C servers. That won't stop C&C to bot servers that use standard ports, of course.

Last edited by jggimi; 13th August 2012 at 01:00 PM. Reason: clarity
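The "last matching rule wins" behaviour that the post walks through (and the effect of quick, which the post mentions but does not show) is easy to get wrong when a ruleset grows. The following is an added example, written by me and not code from jggimi's post or from PF itself: a small Python model of PF's rule evaluation, loaded with the two rules quoted above plus an SSH exception of the kind the post says is easy to add. The SSH rule's spelling, the gateway addresses, and the sample packets are my own constructed assumptions; stateful matching (the part of PF that skips re-inspection once a state exists) is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Addresses owned by the gateway itself. Constructed sample values; PF's
# "self" keyword expands to every address configured on the gateway.
SELF_ADDRS = frozenset({"192.0.2.1", "198.51.100.1"})
INTERNET = "203.0.113.5"   # constructed off-gateway destination


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp", "icmp", "gre", ...
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    direction: str                              # "in" or "out"
    iface: str
    protos: Optional[FrozenSet[str]] = None     # None means any protocol
    to_self: bool = False                       # the "to self" qualifier
    port: Optional[int] = None                  # destination port, if any
    quick: bool = False                         # "quick": stop at first match
    text: str = ""                              # pf.conf spelling, for display


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet? Every stated criterion must hold."""
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.to_self and pkt.dst not in SELF_ADDRS:
        return False
    if rule.port is not None and pkt.dport != rule.port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ruleset top to bottom; the last match wins unless a matching
    rule carries "quick", which ends evaluation immediately. With no match at
    all, PF's implicit default is pass."""
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", "(no rule matched: implicit default pass)"
    return winner.action, winner.text


# The two rules quoted in the post.
POST_RULES = [
    Rule("pass", "in", "em0", frozenset({"tcp", "udp", "icmp"}),
         text="pass in on em0 proto {tcp udp icmp} to any"),
    Rule("block", "in", "em0", to_self=True,
         text="block in on em0 to self"),
]

# An SSH exception for the use case in the thread. This spelling is my own
# assumption, not text from the post.
SSH_RULE = Rule("pass", "in", "em0", frozenset({"tcp"}), to_self=True, port=22,
                text="pass in on em0 proto tcp to self port 22")
SSH_QUICK = Rule("pass", "in", "em0", frozenset({"tcp"}), to_self=True, port=22,
                 quick=True, text="pass in quick on em0 proto tcp to self port 22")


def scenarios() -> Dict[str, str]:
    """Decisions for a handful of constructed inbound packets on em0."""
    ssh = Packet("em0", "in", "tcp", "192.0.2.1", 22)
    pkts = {
        "tcp to Internet": Packet("em0", "in", "tcp", INTERNET, 443),
        "udp dns to gateway": Packet("em0", "in", "udp", "192.0.2.1", 53),
        "gre to gateway": Packet("em0", "in", "gre", "192.0.2.1"),
        "gre to Internet": Packet("em0", "in", "gre", INTERNET),
        "ssh to gateway": ssh,
    }
    out = {name: evaluate(POST_RULES, p)[0] for name, p in pkts.items()}
    # Appending the exception makes it the last match for port 22 ...
    out["ssh, exception appended"] = evaluate(POST_RULES + [SSH_RULE], ssh)[0]
    # ... but the same rule placed before the block rule is overridden by it.
    before = [POST_RULES[0], SSH_RULE, POST_RULES[1]]
    out["ssh, exception before block"] = evaluate(before, ssh)[0]
    # "quick" changes that: evaluation stops at the quick rule's match.
    quick = [POST_RULES[0], SSH_QUICK, POST_RULES[1]]
    out["ssh, quick before block"] = evaluate(quick, ssh)[0]
    return out


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:32s} -> {action}")
```

The "gre to Internet" case is the one the post describes at the end of its walkthrough: a protocol outside tcp/udp/icmp matches neither rule and falls through to PF's default pass, which is why a ruleset meant to restrict em0 usually starts with a block-all. The two SSH placements show that an exception only works if it is the last match (or is marked quick); checking the order of a real ruleset with pfctl -sr is the quickest way to catch this.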