Keeping /var/log/pflog clean from NetBIOS and SSID junk

[J65nko]

On a single NIC box with a recently installed OpenBSD 4.7 beta snapshot, which I use as workstation, I created a simple pf.conf.

Code:

# $Id: pf.conf,v 1.3 2010/02/10 06:12:57 j65nko Exp $

#EXT=fxp0

table <ftp_sites> { \
        ftp.openbsd.org \
        ftp.eu.openbsd.org \
        anga.funkfeuer.at \
        ftp.wu-wien.ac.at \
        ftp.nluug.nl }

# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535

FTPfirst = 49152
#FFTPlast = 65535

TCPservices= "{ domain www https smtp whois ftp ssh }"
UDPservices= "{ domain ntp }"

set block-policy return
set skip on lo

# --- OUTGOING services: TCP
pass out quick on egress inet proto tcp from egress to any port $TCPservices
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst

# -- OUTGOING services: UDP
pass out quick on egress inet proto udp from egress to any port $UDPservices

# -- OUTGOING services: ICMP
# allow 'ping' and 'traceroute -P icmp' 
pass out quick on egress inet proto icmp from any to any icmp-type echoreq

# -- INCOMING services: TCP
pass in quick on egress inet proto tcp from egress:network to egress port ssh

# -- DEFAULT policy 
block log all
# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch blocked packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the blocked packets log file 
# ------------------------------------------------------------------------

By running a tcpdump on the pflog0 device I saw a lot of messages like these:

Code:

# tcpdump -eni pflog0 

22:24:23.073955 rule 12/(match) block in on fxp0: 192.168.222.5.1900 >
		 239.255.255.250.1900: udp 354
22:33:45.692356 rule 12/(match) block in on fxp0: 192.168.222.33.138 >
		 192.168.222.255.138: udp 201
22:34:23.333412 rule 12/(match) block in on fxp0: 192.168.222.33.138 >
		 192.168.222.255.138: udp 206
22:39:11.011960 rule 12/(match) block in on fxp0: 192.168.222.5.1900 >
		 239.255.255.250.1900: udp 289

To get rid of these annoying and repeating messages, I did the following:

1. Changed set block-policy return into set block-policy drop
2. Modified the 'DEFAULT policy'
   
   Code:

   # -- DEFAULT policy 
   block return log all
   block inet proto udp from any to any port { 138 139 }
   block inet proto udp from any port 1900 to any port 1900
   # -------------------------------------------------------

If a packet neither does match an existing state, nor is allowed to create a new state, pf will try to match the packet with the block return log all rule. Of course a packet from 192.168.222.5.1900 > 239.255.255.250.1900 will match.

But does pf now send a ICMP error packet, the return, and will it log this packet and block it?

No, because pf follows a last matching rule wins strategy, as described in the pf.conf man page:

Code:

For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.  For block and pass,
the last matching rule decides what action is taken; if no rule matches
the packet, the default action is to pass the packet.

So the 192.168.222.5.1900 > 239.255.255.250.1900 packet will be evaluated against block inet proto udp from any to any port { 138 139 }, which does not match.
But not being tired pf tries to see whether the following rule is applicable. Yes, the last rule block inet proto udp from any port 1900 to any port 1900 matches and thus will the packet be dropped.

After this modification and a reload of the ruleset:

Code:

22:54:02.967837 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 344
22:54:02.969619 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 354
22:57:45.164660 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 201
23:04:23.238220 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 206
^C
388 packets received by filter
0 packets dropped by kernel
root@vintrax[~]date
Wed Feb 10 23:54:50 CET 2010

As you can see, for nearly an hour no more pollution of the logs with neither Windows NetBIOS talk nor Netgear 'ssid' packets.

A Challenge

The new block rules expand to

Code:

# pfctl -sr
[snip]
block return log all
block drop inet proto udp from any to any port = netbios-dgm
block drop inet proto udp from any to any port = netbios-ssn
block drop inet proto udp from any port = ssdp to any port = ssdp

A more verbose view shows the evaluation counters and the number of packets affected:

Code:

# pfctl -vvsr
[snip]
@12 block return log all
  [ Evaluations: 214       Packets: 40        Bytes: 3508        States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@13 block drop inet proto udp from any to any port = netbios-dgm
  [ Evaluations: 214       Packets: 42        Bytes: 9454        States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@14 block drop inet proto udp from any to any port = netbios-ssn
  [ Evaluations: 210       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@15 block drop inet proto udp from any port = ssdp to any port = ssdp
  [ Evaluations: 210       Packets: 132       Bytes: 45507       States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]

If we would want to optimize these block rules for speed (less evaluations by pf) what are some of the possibilities?

For the forum regulars with more than 100 posts there is an embargo of three days, before these experts are allowed to respond to this challenge.

For the newcomers, don't be afraid to respond, if you don't get it right, we will be gentle with you

[mfaridi]

very nice conf ,
I want use this for my pf.conf
but I have two Lan card ,
main Lan card use valid IP and another Lan Card use invalid IP ,
my vlaid IP can see in all of the world and my invalid IP can see only in my network , How I can change this rule for mine
I run Samba and other user in my network can use my Samba .