pf firewall shows ports are open?
Andrei Kolu
antik at bsd.ee
Tue Oct 24 11:27:41 PDT 2006
Hello all!
I have got a strange problem here; it looks like I am too dumb to understand this.
My current PF rules:
------------------------------------------------------------------------------------------
pfctl -sa
FILTER RULES:
scrub in all fragment reassemble
block drop all
block drop in from no-route to any
pass out inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = http flags S/SA synproxy state
pass on nve0 proto icmp all
pass out on nve0 proto tcp from (nve0) to any keep state
pass out on nve0 proto udp from (nve0) to any keep state
pass in on nve0 proto tcp from any to (nve0) port = http keep state
block drop on nve0 from <blacklist> to any
No queue in use
------------------------------------------------------------------------------------------
Why does nmap show me that these ports are open? I can't connect with ssh because
it is blocked, I guess, so why do I see it here?
------------------------------------------------------------------------------------------
nmap 192.168.2.100
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-10-24 21:23 EEST
Interesting ports on 192.168.2.100:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
Nmap finished: 1 IP address (1 host up) scanned in 14.412 seconds
------------------------------------------------------------------------------------------
The original config file is here:
. /etc/rc.subr

name="pf_rules"
rcvar=`set_rcvar`
start_cmd="create_rules"

# Generate the pf ruleset into $pf_rules (the standard rc.conf variable,
# /etc/pf.conf by default) from the interfaces present on the box and the
# optional /etc/pf.inports file.
create_rules ()
{
    echo "Creating $pf_rules."
    echo "set skip on { lo0 }" > $pf_rules
    echo "scrub in all" >> $pf_rules
    echo "block drop all" >> $pf_rules
    # block anything coming from a source we have no route back to
    echo "block in from no-route to any" >> $pf_rules
    # echo "pass quick on all" >> $pf_rules
    echo 'table <blacklist> persist file "/etc/blacklist"' >> $pf_rules
    echo "pass out inet proto icmp all icmp-type echoreq keep state" >> $pf_rules
    echo "pass in proto tcp from any to any port www flags S/SA synproxy state" >> $pf_rules
    for inf in `ifconfig -l` ; do
        # skip loopback and pseudo interfaces; egrep -qv exits 0 when the
        # name matches none of the patterns
        if echo "$inf" | egrep -qv 'lo|plip|gif|tun|pfsync' ; then
            echo "pass on $inf proto icmp all" >> $pf_rules
            # Allow all outgoing traffic
            echo "pass out on $inf proto { tcp,udp } from ($inf) to any keep state" >> $pf_rules
            # Check if we have a /etc/pf.inports file, and open those ports
            # (one "udp: PORT" or "tcp: PORT" entry per line)
            if [ -e "/etc/pf.inports" ] ; then
                for PORT in `grep "^udp: " /etc/pf.inports | cut -d " " -f 2` ; do
                    echo "pass in on $inf proto udp from any to ($inf) port $PORT keep state" >> $pf_rules
                done
                for PORT in `grep "^tcp: " /etc/pf.inports | cut -d " " -f 2` ; do
                    echo "pass in on $inf proto tcp from any to ($inf) port $PORT keep state" >> $pf_rules
                done
            fi
            # Deny all from our blacklist
            echo "block on $inf from <blacklist> to any" >> $pf_rules
        fi
    done
}

load_rc_config $name
run_rc_command "$1"
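An added example, not code from the original post: a small audit script that cross-checks the ports nmap reports as open against the inbound pass rules pf actually loaded, so that a mismatch like the one above shows up as a list of ports that no rule admits. It parses the two text formats that appear in the post, the FILTER RULES section of pfctl -sa (or pfctl -sr) and nmap's port table; the sample inputs embedded below are copied from the post so the script runs offline, and the service-name fallback table is an assumption for hosts without /etc/services. One caveat that matters for reading the result: pf does not filter interfaces listed in set skip, so a scan run on the firewall itself against one of its own addresses goes over lo0 and never meets the ruleset; the check is only meaningful for a scan that arrives over a filtered interface such as nve0.

```python
import re
import socket

# Constructed sample input, copied from the post: the FILTER RULES section
# of `pfctl -sa` on the firewall (on a live box: `pfctl -sr`).
PF_RULES = """\
scrub in all fragment reassemble
block drop all
block drop in from no-route to any
pass out inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = http flags S/SA synproxy state
pass on nve0 proto icmp all
pass out on nve0 proto tcp from (nve0) to any keep state
pass out on nve0 proto udp from (nve0) to any keep state
pass in on nve0 proto tcp from any to (nve0) port = http keep state
block drop on nve0 from <blacklist> to any
"""

# Constructed sample input, copied from the post: nmap's port table.
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
"""

# Assumed fallback for hosts without /etc/services; pfctl prints service
# names (e.g. "port = http") rather than numbers.
KNOWN_SERVICES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}

# "pass in ..." and direction-less "pass ..." apply to inbound traffic;
# "pass out ..." does not.
PASS_RE = re.compile(r"^pass\b(?!\s+out\b)(?P<body>.*)$")
PROTO_RE = re.compile(r"\bproto\s+(?P<proto>tcp|udp)\b")
# pfctl prints a single port as "port = X" and a range as "port lo:hi"
PORT_RE = re.compile(r"\bport\s+(?:=\s+(?P<one>\S+)|(?P<lo>\d+):(?P<hi>\d+))")
NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)")


def _service_to_port(name, proto):
    """Resolve a pfctl port token ("http", "22") to a port number."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        if name in KNOWN_SERVICES:
            return KNOWN_SERVICES[name]
        raise ValueError("unknown service name in ruleset: %s" % name)


def pass_in_ports(rules_text):
    """Return the set of (port, proto) admitted by inbound pass rules.

    (None, proto) records a rule that admits every port of that protocol,
    e.g. "pass in proto tcp all". Only destination ports (after " to ")
    are considered, so a source-port match is not mistaken for one.
    """
    allowed = set()
    for line in rules_text.splitlines():
        m = PASS_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PROTO_RE.search(body)
        if not pm:
            continue  # icmp or protocol-less rule: carries no L4 port
        proto = pm.group("proto")
        dst = body.split(" to ", 1)[1] if " to " in body else body
        ports = list(PORT_RE.finditer(dst))
        if not ports:
            allowed.add((None, proto))
        for p in ports:
            if p.group("one"):
                allowed.add((_service_to_port(p.group("one"), proto), proto))
            else:
                for n in range(int(p.group("lo")), int(p.group("hi")) + 1):
                    allowed.add((n, proto))
    return allowed


def open_ports(nmap_text):
    """Return the set of (port, proto) that nmap's table reports as 'open'."""
    found = set()
    for line in nmap_text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m and m.group("state") == "open":
            found.add((int(m.group("port")), m.group("proto")))
    return found


def unexpected_open(rules_text, nmap_text):
    """Sorted list of open ports that no inbound pass rule accounts for."""
    allowed = pass_in_ports(rules_text)
    return sorted(
        (port, proto)
        for port, proto in open_ports(nmap_text)
        if (port, proto) not in allowed and (None, proto) not in allowed
    )


if __name__ == "__main__":
    for port, proto in unexpected_open(PF_RULES, NMAP_OUTPUT):
        print("open but not passed in by any rule: %d/%s" % (port, proto))
```

Run against the post's own data it lists 22, 139, 445 and 631 as open without a matching pass-in rule, which is exactly the discrepancy to explain: either the scan never crossed a filtered interface, or pf was not loaded with this ruleset when the scan ran.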