OpenBSD Security: Functionally paranoid!
No, it does not. In PF, the last matching rule wins.
The only incoming traffic that is blocked is remote X Terminal traffic (TCP ports 6000-6010), as this is a block that follows your completely wide open pass rule. The prior block return rule will never be applied, as it will never be the last matching rule.
Quote:
Code:
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

## block return	# block stateless traffic
## pass		# establish keep-state
block in all
pass out all keep state

# By default, do not permit remote connections to X11
## block return in on ! lo0 proto tcp to port 6000:6010
Code:
PORT      STATE SERVICE
51413/tcp open  unknown
Code:
# cat /etc/pf.conf
pass out all keep state
block in all
Code:
$ nmap 172.16.197.126 -p51413

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-02 23:33 IST
Nmap scan report for mypc.my.domain (172.16.197.126)
Host is up (0.000076s latency).

PORT      STATE SERVICE
51413/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
No.
Developing and maintaining a functional, useful PF configuration requires two skills. 1) The admin must have knowledge of how the network protocols to be governed by PF actually function, and 2) the admin must also understand how PF configuration rules are applied. If you copy and paste a ruleset provided by someone else, it won't help you to develop either of these skills. You do not appear to have a clear understanding of the protocols used by the Transmission application: BitTorrent, and its underlying UDP and TCP protocols.
For many years, Peter Hansteen - the author of The Book of PF - has travelled the world presenting PF Tutorials. He begins each and every Tutorial session by having his attendees recite this "Pledge of the Network Admin" aloud:
Code:
This is my network.
It is mine
or technically my employer's,
it is my responsibility
and I care for it with all my heart
there are many other networks a lot like mine,
but none are just like it.
I solemnly swear
that I will not mindlessly paste from HOWTOs.
Edited to add: the best book I've found on networking for admins is Networking for System Administrators, by Michael W. Lucas.
Last edited by jggimi; 2nd December 2017 at 06:28 PM. Reason: added a good pointer for networking education
Okay, I will definitely read the tutorial, but in the meantime I don't want to run an insecure system.
Please give me something to just get started. If that's not possible I will have to cope with it. Thanks for your reply. I remember that when using PF under FreeBSD, only the following rules were enough:
Code:
pass out all keep state
block in all
No. Instead, I'm happy to do some minimal teaching.
Question 1: What percentage of packets will be blocked by this 2-line PF configuration?
Code:
block
pass
Code:
pass
block
Question 4: Both UDP and TCP connections use port numbers. In a single connection between two IP addresses, how many port numbers are involved? Why?
Question 5: How does a PF pass rule with the default keep state option treat the establishment of state? How is it different between TCP and stateless protocols like UDP?
---- Answers (hidden as white text on white background below) ---
1. 0%.
2. 100%.
3. Different. The last matching rule wins.
4. Two. There is a sending port number, and a receiving port number.
5. When a pass rule is matched that establishes state, the state is added to PF's state table and no rules are tested for any follow-on packets while the state remains established. TCP session teardown ends the state. Stateless protocols use timers to maintain a temporary state table entry.
All I am trying to achieve is to deny incoming and allow outgoing. As I mentioned before, under FreeBSD a simple
Code:
pass out all keep state
block in all
Under Ubuntu it's
Code:
sudo ufw default deny
Code:
sudo systemctl enable ufw
Thanks for your patience.
Your concern is TCP port 51413, which is "open" when you have a ruleset that apparently blocks all incoming traffic. I can think of 3 possible answers:
Port 51413 is the default TCP port used by Transmission for incoming peers. To function properly, Transmission will need to pass incoming peer traffic.
Quote:
Code:
# pfctl -e
pf enabled
Code:
# pfctl -s rules
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
Code:
# pfctl -s states
all tcp 172.16.197.126:47111 -> 50.112.201.212:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.197.126:36590 -> 95.170.82.241:80         FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.197.255:138 <- 172.16.197.171:138         NO_TRAFFIC:SINGLE
all udp 255.255.255.255:5678 <- 150.129.176.114:5678     NO_TRAFFIC:SINGLE
all udp 172.16.197.126:36062 -> 13.126.37.14:123         MULTIPLE:SINGLE
all udp 172.16.197.126:37230 -> 139.59.43.68:123         MULTIPLE:SINGLE
I'm using these lines in pf.conf on the PC which I'm using to post here:
Code:
block in all
pass out all
This does the job for now while I learn more about pf, mainly from reading the Hansteen book. The above lines and what they do are described on page 17 of the book (3rd edition). I'm just an OpenBSD noob though, so I would strongly recommend that you follow jggimi's advice and learn what these rules do before blindly copying them.
Quote:
Code:
set skip on lo0
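As an added example (not OpenBSD code and not from any of the posters in this thread), the following Python toy model plays through the evaluation order behind jggimi's quiz above and the `pfctl -s rules` output: the last matching rule wins unless a matching rule is `quick`, an established state bypasses the ruleset entirely, and an interface under `set skip` is not filtered at all. That last point is why the `set skip on lo0` line quoted just above matters for the nmap run earlier in the thread: a scan of the host's own address is delivered over lo0, so it never exercises the ruleset whichever rules are loaded, and the port will show as open even with `block in all`; test from another machine on the LAN instead. The interface name `em0`, the remote addresses and the source ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the host running PF
    iface: str          # interface the packet crosses ("em0", "lo0", ...)
    proto: str          # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint

    def flow(self):
        # Direction-independent key: a PF state entry matches the reply
        # traffic of a connection as well as the packet that created it.
        return (self.proto, frozenset((self.src, self.dst)))


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block" ("block return" blocks too;
                                      # whether a reset is sent is not modelled)
    direction: Optional[str] = None   # None: applies to both "in" and "out"
    proto: Optional[str] = None       # None: any protocol
    iface: Optional[str] = None       # "on em0" -> iface="em0"
    iface_negated: bool = False       # "on ! lo0" -> iface="lo0", iface_negated=True
    dports: Optional[range] = None    # "port 6000:6010" -> range(6000, 6011)
    quick: bool = False               # "quick": stop evaluating on match

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.iface and (pkt.iface == self.iface) == self.iface_negated:
            return False   # "on lo0" wants lo0, "on ! lo0" wants anything else
        if self.dports and pkt.dst[1] not in self.dports:
            return False
        return True


class ToyPF:
    """Packet fate in the order pf.conf(5) describes: a skipped interface is
    never filtered, an existing state bypasses the ruleset, and otherwise the
    LAST matching rule wins unless a matching rule carries quick. A pass that
    comes out of rule evaluation creates state (pass rules keep state by
    default; the TCP-only 'flags S/SA' detail and timeouts are not modelled)."""

    def __init__(self, rules: Sequence[Rule], skip: Sequence[str] = ()):
        self.rules = list(rules)
        self.skip = set(skip)
        self.states: Set[tuple] = set()

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, what decided it)."""
        if pkt.iface in self.skip:
            return "pass", f"set skip on {pkt.iface}: not filtered at all"
        if pkt.flow() in self.states:
            return "pass", "state table hit: ruleset not consulted"
        verdict, reason = "pass", "no rule matched: PF's default is pass"
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                verdict, reason = rule.action, f"rule {n} was the last match"
                if rule.quick:
                    reason = f"rule {n} matched and is quick"
                    break
        if verdict == "pass":
            self.states.add(pkt.flow())
        return verdict, reason


# Ruleset A: what `pfctl -s rules` showed loaded earlier in the thread (the stock
# OpenBSD pf.conf): block return / pass / block X11 from anywhere but lo0.
STOCK_RULES = [
    Rule("block"),
    Rule("pass"),
    Rule("block", direction="in", proto="tcp", iface="lo0", iface_negated=True,
         dports=range(6000, 6011)),
]

# Ruleset B: the "deny incoming, allow outgoing" pair the original poster wants.
DENY_IN_RULES = [
    Rule("pass", direction="out"),
    Rule("block", direction="in"),
]

HOST = "172.16.197.126"          # the scanned host from the thread
PEER = ("198.51.100.7", 40000)   # constructed remote peer (documentation address)


def inbound_tcp(dport: int, iface: str = "em0") -> Packet:
    """Constructed inbound TCP SYN to the host; "em0" is an assumed NIC name."""
    return Packet("in", iface, "tcp", PEER, (HOST, dport))


def transmission_port_verdicts():
    """Inbound peer connection to Transmission's port 51413 under each ruleset,
    plus the trap in the thread's nmap run: scanning your own address goes over
    lo0, which 'set skip on lo' exempts from filtering."""
    return {
        "stock, from the LAN": ToyPF(STOCK_RULES, skip=["lo0"]).decide(inbound_tcp(51413)),
        "stock, X11 port 6001": ToyPF(STOCK_RULES, skip=["lo0"]).decide(inbound_tcp(6001)),
        "deny-in, from the LAN": ToyPF(DENY_IN_RULES, skip=["lo0"]).decide(inbound_tcp(51413)),
        "deny-in, nmap of own IP": ToyPF(DENY_IN_RULES, skip=["lo0"]).decide(inbound_tcp(51413, "lo0")),
    }


def stateful_reply_verdicts():
    """Outbound HTTPS creates state; the server's reply is passed by the state
    entry without `block in all` ever being evaluated (quiz Question 5)."""
    pf = ToyPF(DENY_IN_RULES, skip=["lo0"])
    me, server = (HOST, 51000), ("203.0.113.9", 443)   # constructed addresses
    out = pf.decide(Packet("out", "em0", "tcp", me, server))
    reply = pf.decide(Packet("in", "em0", "tcp", server, me))
    return out, reply


if __name__ == "__main__":
    for label, (verdict, why) in transmission_port_verdicts().items():
        print(f"{label:26} {verdict:5} ({why})")
    print("quiz: block then pass  ->", ToyPF([Rule("block"), Rule("pass")]).decide(inbound_tcp(22))[0])
    print("quiz: pass then block  ->", ToyPF([Rule("pass"), Rule("block")]).decide(inbound_tcp(22))[0])
    print("stateful reply         ->", stateful_reply_verdicts()[1])
```

Run it directly to print the verdicts. The model deliberately leaves out `block return` versus `block drop`, `flags S/SA` and state timeouts; it only reproduces the ordering rules the quiz is about.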