DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th October 2009
cyanide_christ cyanide_christ is offline
New User
 
Join Date: Oct 2009
Posts: 3
Thanked 0 Times in 0 Posts
Default PF rule to disable icmp?

Hallo guys!

My first question on this forum so be nice to me

Does somebody have an great pf rule for disable my firewall to respond
to incomming imcp requests from internet. I have tried some, but it doesn´t work.

/Cy
Reply With Quote
  #2   (View Single Post)  
Old 11th October 2009
cyanide_christ cyanide_christ is offline
New User
 
Join Date: Oct 2009
Posts: 3
Thanked 0 Times in 0 Posts
Default

Of course it should be ICMP! sorry...
Reply With Quote
  #3   (View Single Post)  
Old 11th October 2009
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,066
Thanked 198 Times in 156 Posts
Default

Not so difficult I would say:
Code:
block in on $ext_if inet proto icmp all
Or block all ICMP except ping:
Code:
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #4   (View Single Post)  
Old 11th October 2009
cyanide_christ cyanide_christ is offline
New User
 
Join Date: Oct 2009
Posts: 3
Thanked 0 Times in 0 Posts
Default

Okey tnx... But were in the pf.conf would you put it? I know it should lie under the filter rules, but were in the order? I mean is there any problem by lie the rule in the end or is it supposed to be in the beginning of the filter rule section?

The file is read from top to bottom so the logic says that it should counter...

/cy
Reply With Quote
  #5   (View Single Post)  
Old 12th October 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts
Default

Block and Pass normally work via "last matching rule wins". If all of your pass rules are for other protocols, then a block for ICMP may go anywhere.

If you add the "quick" parameter to a rule, if the rule matches, PF stops testing the packet and performs the block or the pass immediately.

Blocking ICMP can block proper use of TCP/IP, and cause some applications to fail.
Reply With Quote
  #6   (View Single Post)  
Old 14th October 2009
mikesg's Avatar
mikesg mikesg is offline
I can has a title?
 
Join Date: Aug 2009
Posts: 26
Thanked 1 Time in 1 Post
Talking

When you ask "where should it go", I interpret that as you haven't even begun to read the documentation. When I first tried OpenBSD with the intent of setting it up as a gateway/firewall and no prior experience with it, it took me about 2-1/2 hours. My network was online with a basic pf ruleset in place which included some port redirection and dis/allowed services. This included going through the Basic Configuration section of the PF FAQ, as well as documentation for the other services I needed running. I only say that to give you an idea of how much time it took for one person read through it.

http://www.openbsd.org/faq/pf/

Go through the Basic Config section there. It doesn't take that long, and ALL of the information there is going to be helpful, including where you put rules, which is in the very first link: Getting Started.
__________________
Mike
Reply With Quote
  #7   (View Single Post)  
Old 15th October 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,876
Thanked 190 Times in 160 Posts
Default

To compliment mikesg's assertion that reading the documentation is paramount, the OP should also take the time to read Hansteen's "Firewalling with PF" manuscript:

http://home.nuug.no/~peter/pf/

...which serves as the basis for his later work, The Book of PF.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
pf: why is that rule not working? ivanatora FreeBSD General 14 11th December 2008 09:32 AM
Disable manual fsck on startup Malakim FreeBSD General 4 2nd September 2008 05:28 PM
Disable CTRL+ALT+DEL FreeBSD Gnome mfaridi FreeBSD Security 7 27th August 2008 07:10 PM
pf.conf brute force rule ijk FreeBSD Security 6 11th August 2008 04:54 PM
Remove/disable a former system user anomie Guides 6 19th May 2008 12:37 AM


All times are GMT. The time now is 09:28 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick