Old 12th January 2010
There0
Join Date: Jul 2008
Posts: 170


block all
I would use "block log all" and "block log quick inet6 all" if you're not fancy on using IPv6 right now.

scrub in all
match in log on $EXT scrub (no-df)
Is more like this in 4.6; you can use multiple interfaces if you have more than 1 requiring ingress traffic.

block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
The above is also covered by "block log all". I do not use separate rules per flagged rule; I'm certain there are circumstances for such, but not for this cat.

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass out log on $EXT proto tcp from any modulate state flags S/SA
pass out log on $EXT proto { udp, icmp } from any
I use the following. I could be wrong, but I'm betting that you're not running OBSD 4.6? Also the "from any to any" could be a bit hazardous in some situations; better to specify an interface or sometimes even an IP.

I also have a tun0 interface that I include in antispoof (and snort)
antispoof log quick for { $LO $EXT tun0 } inet
About synproxy, it's for YOUR servers behind your firewall that you want to "protect" from syn packets

Normally when a client initiates a TCP connection to a server, PF will pass the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself will complete the handshake with the client, initiate a handshake with the server, and then pass packets between the two. The benefit of this process is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server because a spoofed client connection will be unable to complete the handshake.

The TCP SYN proxy is enabled using the synproxy state keywords in filter rules. Example:

pass in on $ext_if proto tcp from any to $web_server port www \
flags S/SA synproxy state
Here, connections to the web server will be TCP proxied by PF.
The more you learn, the more you realize how little you know ....

Last edited by There0; 12th January 2010 at 02:15 PM.
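A complete pf.conf fragment for OpenBSD 4.6 that pulls the advice in this post together (default block with logging, match-based scrub, antispoof including tun0, interface-bound outbound rules, and synproxy in front of one web server) is added here as an illustration; it is not from the post or the OpenBSD FAQ, and the interface names and the web server address are assumed placeholders.

```pf
# Added example pf.conf for OpenBSD 4.6; interface names and addresses are assumptions
EXT = "em0"                # external interface (assumption)
LO  = "lo0"
web_server = "192.0.2.10"  # documentation-range placeholder for the host behind the firewall

# Normalise inbound traffic on the external interface (4.6 style: match + scrub)
match in log on $EXT scrub (no-df)

# Default deny with logging; drop IPv6 early while it is not in use
block log all
block log quick inet6 all

# Spoofed source addresses on loopback, the external interface and the tunnel
antispoof log quick for { $LO $EXT tun0 } inet

# Outbound: bind to the interface and its own address instead of "from any to any"
pass out log on $EXT proto tcp from ($EXT) to any flags S/SA modulate state
pass out log on $EXT proto { udp, icmp } from ($EXT) to any

# Inbound to the protected web server: PF completes the client handshake before
# any packet reaches the server, so spoofed SYN floods never touch it
pass in log on $EXT proto tcp from any to $web_server port www \
    flags S/SA synproxy state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; note that synproxy state must see both directions of the connection, so it does not work across asymmetric routing.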