DaemonForums > FreeBSD > FreeBSD Security
#1, 17th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

pf.conf

I have a "problem" with the pf firewall and I don't know how to solve it...

My system: FreeBSD 7.0, cable Internet, D-Link DI-604 (standalone computer). I also run the pf firewall, and

pfctl -s rules shows:

No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block drop in quick on ! sk0 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.100 to any
block drop in log quick on sk0 all label "inblock"
pass out on sk0 inet proto tcp all flags S/SA modulate state
pass out on sk0 inet proto udp all keep state
pass out on sk0 inet proto icmp all icmp-type echoreq code 0 keep state


pf.conf:

# Macros
ext_if="sk0"
# Optimization
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0
# Normalization
scrub in all
# Filtering
antispoof quick for $ext_if
# Closed from outside
block in log quick on $ext_if all label "inblock"
# Open to out
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state
# ping out
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

/var/log/pflog always has something like:

Date Interface Action Rule Direction Protocol Src. address Src. port Dest. address Dest. port
2008-09-15 19:22:50.503247 sk0 drop 2 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-15 19:22:50.503257 sk0 drop 2 in udp 192.168.0.102 137 192.168.0.255 137
2008-09-15 19:22:51.252843 sk0 drop 2 in udp 192.168.0.102 137 192.168.0.255 137
2008-09-15 19:22:52.2844 sk0 drop 2 in udp 192.168.0.102 137 192.168.0.255 137
2008-09-15 19:24:20.994079 sk0 drop 2 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-15 19:31:07.487049 sk0 drop 2 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-15 19:33:20.124759 sk0 drop 2 in udp 0.0.0.0 68 255.255.255.255 67
2008-09-15 19:33:20.125243 sk0 drop 2 in udp 192.168.0.1 67 255.255.255.255 68
2008-09-15 19:33:20.125638 sk0 drop 2 in udp 0.0.0.0 68 255.255.255.255 67
2008-09-15 19:33:20.126140 sk0 drop 2 in udp 192.168.0.1 67 255.255.255.255 68
2008-09-15 19:33:24.982418 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:25.726406 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:26.477591 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:27.228664 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:27.980047 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:28.730837 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:29.481915 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:30.233010 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:31.551535 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:32.296118 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:32.524082 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:32.524177 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:33.47201 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:33.267571 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:33.267577 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:34.18655 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:34.18662 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:36.213991 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:36.962973 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:37.714053 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:38.465135 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:39.217315 sk0 drop 2 in udp 192.168.0.101 138 192.168.0.255 138
2008-09-15 19:33:39.252561 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:39.252566 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:39.997453 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:39.997460 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:40.748539 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:40.748546 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:54.449456 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:55.199743 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:33:55.950922 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:34:39.844677 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:34:40.586470 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:34:41.337554 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:42.98290 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:42.847972 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:43.2136 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:43.599052 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:43.749225 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:44.500413 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:49.829380 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:50.580947 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:51.330445 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:56.630255 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:35:57.379338 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
.....
.....

Thanks in advance.

Last edited by lumiwa; 17th September 2008 at 09:11 PM.
#2, 17th September 2008
DutchDaemon (Real Name: Ben, Spam Refugee, Join Date: Jul 2008, Location: Rotterdam, The Netherlands, Posts: 336)

You're blocking incoming traffic 'quickly'. That means that no rules below that will be parsed to check for stateful incoming traffic caused by outbound traffic. Either remove 'quick', or move the 'block in' rule below the 'pass out' rules.
#3, 17th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

Quote:
Originally Posted by DutchDaemon
You're blocking incoming traffic 'quickly'. That means that no rules below that will be parsed to check for stateful incoming traffic caused by outbound traffic. Either remove 'quick', or move the 'block in' rule below the 'pass out' rules.

Thank you very much. And what do you think is better to do, please?
#4, 17th September 2008
DutchDaemon (Real Name: Ben, Spam Refugee, Join Date: Jul 2008, Location: Rotterdam, The Netherlands, Posts: 336)

In shorthand:

block all
pass out quick tcp/udp/icmp
block in quick
#5, 18th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

Quote:
Originally Posted by DutchDaemon
In shorthand:

block all
pass out quick tcp/udp/icmp
block in quick

One more question, please. Should I keep the lines:

scrub in all and antispoof quick for $ext_if?

The first thing I did was move the 'block in' rule below the 'pass out' rules, and I had the same "results" in /var/log/pflog.
#6, 18th September 2008
DutchDaemon (Real Name: Ben, Spam Refugee, Join Date: Jul 2008, Location: Rotterdam, The Netherlands, Posts: 336)

The scrub rule is fine. The antispoof rule should be fine, as long as you're not on a bridge. If your machine is an 'end-point PC', you only really need a few 'pass out quick' rules, and a 'block log all' (either above or below those pass out rules) to catch unwanted incoming traffic. I'm assuming you actually reloaded your ruleset.
#7, 18th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

Quote:
Originally Posted by DutchDaemon
The scrub rule is fine. The antispoof rule should be fine, as long as you're not on a bridge. If your machine is an 'end-point PC', you only really need a few 'pass out quick' rules, and a 'block log all' (either above or below those pass out rules) to catch unwanted incoming traffic. I'm assuming you actually reloaded your ruleset.

Yes, I did reload my ruleset.

I have no server; it is just a home desktop computer connected through a D-Link DI-604 to the cable modem. I read about the pf firewall and wrote my pf.conf from examples.
If I understand you correctly, it should be enough if I had, for example, a pf.conf like:

# Macros
ext_if="sk0"

# Optimization
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# Normalization
scrub in all

# Filtering
# antispoof quick for $ext_if

# Open to out
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state

# ping out
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# Closed from outside
block in log quick on $ext_if all label "inblock"

Thank you a lot.

Mitja
#8, 18th September 2008
DutchDaemon (Real Name: Ben, Spam Refugee, Join Date: Jul 2008, Location: Rotterdam, The Netherlands, Posts: 336)

I would use a 'block log all' right below the scrub rule, just to be safe. Add quick to your 'pass out' rules to process outgoing packets quickly (instead of running through the entire ruleset every time). That should be sufficient for a 'traffic-out only desktop PC'.
#9, 18th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

Quote:
Originally Posted by DutchDaemon
I would use a 'block log all' right below the scrub rule, just to be safe. Add quick to your 'pass out' rules to process outgoing packets quickly (instead of running through the entire ruleset every time). That should be sufficient for a 'traffic-out only desktop PC'.

...and the last line I wrote (block in log quick on $ext_if all label "inblock") I don't need to have?

Thanks a lot for your help!
#10, 19th September 2008
DutchDaemon (Real Name: Ben, Spam Refugee, Join Date: Jul 2008, Location: Rotterdam, The Netherlands, Posts: 336)

You don't need that last line if you start with a 'block log all', right.
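Putting the thread's advice together, as an added example and not a ruleset anyone posted: this is lumiwa's draft from post #7 rewritten the way DutchDaemon's last three replies describe, with 'block log all' right below the scrub rule as the default, 'quick' on the 'pass out' rules, and the trailing 'block in log quick' line dropped. The interface name and LAN addresses are the ones from the thread; the commented-out last rule is an optional addition of this note, not something the thread suggests.

```pf
# Macros
ext_if="sk0"

# Options
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# Normalization
scrub in all

# Default policy: anything not explicitly passed below is dropped and
# logged. As the last-matching rule for every packet that reaches the end
# of the ruleset, it replaces the old trailing 'block in log quick' line.
block log all

# Anti-spoofing is fine on a plain end-point that is not a bridge.
# 'set skip on lo0' above keeps it from blocking loopback traffic.
antispoof quick for $ext_if

# Outbound only, stateful. 'quick' stops evaluation on the first match,
# and replies come back through the state table, not through any rule.
pass out quick on $ext_if inet proto tcp all flags S/SA modulate state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# Optional (added here): the NetBIOS name/datagram broadcasts from the
# Windows boxes on the LAN are still dropped, but without filling pflog.
# block in quick on $ext_if inet proto udp from 192.168.0.0/24 to 192.168.0.255 port { 137, 138 }
```

Reload with 'pfctl -f /etc/pf.conf' and then confirm with 'pfctl -s rules' that 'block drop log all' appears before the pass rules and that the pass rules carry 'quick'.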
#11, 19th September 2008
lumiwa (Package Pilot, Join Date: May 2008, Posts: 145)

Quote:
Originally Posted by DutchDaemon
You don't need that last line if you start with a 'block log all', right.

Thank you very much for your help and your patience with me...

BTW: I still have so many of the same log entries:

....
2008-09-19 18:13:58.368186 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-19 18:15:58.103199 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-19 18:18:38.563605 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-19 18:19:59.907551 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-19 18:23:38.590511 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138
....
#12, 20th September 2008
J65nko (Administrator, Join Date: May 2008, Location: Budel - the Netherlands, Posts: 4,165)

Quote:
Originally Posted by lumiwa
2008-09-19 18:13:58.368186 sk0 drop 0 in udp 192.168.0.102 138 192.168.0.255 138

Those are Windows NetBIOS broadcasts.
Code:
$ grep 138 /etc/services
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp

$ grep 137 /etc/services
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp

They are quite normal for DOS/Windows boxes to spit out regularly.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
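As an added example (not from the thread), a small POSIX shell/awk classifier for pflog lines in the text form shown in post #1 (date, time, interface, action, rule, direction, protocol, source, source port, destination, destination port). It separates the NetBIOS and DHCP LAN broadcasts J65nko identifies from anything else that was dropped, so an unexpected entry is not buried under routine noise. The sample lines are constructed in the same format; the external address 203.0.113.9 is a documentation-range value, not one from the thread.

```shell
#!/bin/sh
# Constructed sample in the same layout as the thread's pflog output.
# The last line is a made-up non-LAN entry to show it is reported apart.
SAMPLE_PFLOG='2008-09-15 19:22:50.503247 sk0 drop 2 in udp 192.168.0.102 138 192.168.0.255 138
2008-09-15 19:33:20.124759 sk0 drop 2 in udp 0.0.0.0 68 255.255.255.255 67
2008-09-15 19:33:20.125243 sk0 drop 2 in udp 192.168.0.1 67 255.255.255.255 68
2008-09-15 19:33:24.982418 sk0 drop 2 in udp 192.168.0.101 137 192.168.0.255 137
2008-09-15 19:40:00.000000 sk0 drop 2 in tcp 203.0.113.9 4444 192.168.0.100 22'

# classify_pflog: reads pflog text lines on stdin, prints one tag per
# dropped packet. Fields: $4 action, $7 proto, $8 src, $9 sport,
# $10 dst, $11 dport (as in the header line of the thread's log).
classify_pflog() {
    awk '
    $4 != "drop" { next }
    {
        proto = $7; src = $8; sport = $9; dst = $10; dport = $11
        # Directed (x.x.x.255) or limited (255.255.255.255) broadcast.
        bcast = (dst ~ /\.255$/ || dst == "255.255.255.255")
        if (proto == "udp" && bcast && (dport == 137 || dport == 138))
            print "netbios-broadcast " src
        else if (proto == "udp" && bcast && (dport == 67 || dport == 68))
            print "dhcp-broadcast " src
        else if (src ~ /^192\.168\./)
            print "lan-other " src ":" sport "->" dst ":" dport
        else
            print "external " src ":" sport "->" dst ":" dport
    }'
}

# summarize_pflog: count entries per category so the routine LAN chatter
# collapses to one line each and anything else stands out.
summarize_pflog() {
    classify_pflog | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

On the real box the same functions run over the output of the pflog reader, e.g. 'tcpdump -n -e -ttt -r /var/log/pflog' reformatted to this column layout, or over the text log shown in the thread as-is.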