Pf
Revision as of 15:13, 19 October 2006
If you're using OpenBSD's pf, first make sure it is actually enabled:
# pfctl -si
Status: Enabled
I've been bitten by this while debugging: pfctl -f loads a ruleset without complaint even while pf is disabled, so nothing you change has any effect until you run pfctl -e.
# pfctl -N -f /etc/pf.conf
This reloads only the nat rules from /etc/pf.conf and leaves the filter rules as they are. It is often easiest to test nat with the filter rules out of the way, so
# pfctl -Fr
flushes the filter rules, and
# pfctl -R -f /etc/pf.conf
loads them again from the file.
# pfctl -Fs
flushes the state table. Note that this is the whole state table, not only the nat entries: every connection currently passing through the firewall, natted or not, is dropped when you do this.
# pfctl -ss
shows the current states, including the translated addresses of natted connections.
In summary: with -F the F means Flush and with -s the s means show, and the letter after it selects what (r for filter rules, n for nat rules, s for states, a for everything), so -Fn flushes the nat rules and -sn lists them. -N and -R load only the nat or the filter rules respectively; plain -f loads the whole file.
These nat-only options belong to the old pf. From OpenBSD 4.7 on, nat is written as options on ordinary match and pass rules and -N, -R, -Fn and -sn no longer exist there; FreeBSD's pf still keeps separate nat rules and still accepts them.
If you're satisfied with your pf ruleset, you might be interested in looking into ALTQ. Alternate queuing (ALTQ) is a framework that lets you shape network traffic. (OpenBSD replaced ALTQ with a newer queueing syntax in 5.5; FreeBSD still ships ALTQ.)
Helpful rules for pf.conf
These can mostly be found by adding log to all of your block rules and then watching the pflog interface with:
# tcpdump -vvv -e -ttt -i pflog0
Once you see something you want to block, usually a recurring pattern of hits against the same port or from the same host, add a dedicated block rule for it without log so it stops filling the log.
# block Microsoft Calendar
# (the braces list each port individually; pf also accepts the range form port 1024:1030)
block in quick on $ext_if proto udp from any to any port {1024 1025 1026 1027 1028 1029 1030 }
# block nmap OS detection scans somewhat (-O)
# flags syntax is set/mask: the flags before the slash must be set, the other flags named in the mask must be clear
block in quick proto tcp flags FUP/WEUAPRSF        # FIN+URG+PSH only (Xmas scan)
block in quick proto tcp flags WEUAPRSF/WEUAPRSF   # every flag set
block in quick proto tcp flags SRAFU/WEUAPRSF      # SYN+RST+ACK+FIN+URG set, PSH/ECE/CWR clear
block in quick proto tcp flags /WEUAPRSF           # no flags at all (null scan)
block in quick proto tcp flags SR/SR               # SYN and RST together
block in quick proto tcp flags SF/SF               # SYN and FIN together
These rules only catch the probes that use impossible flag combinations. nmap's OS detection also sends normal-looking packets, so this degrades the fingerprint rather than preventing it, hence "somewhat".
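The tcpdump-on-pflog0 workflow above is easy to do by eye for a handful of hits, but once the log is busy it helps to tally it. The following is an added example, not code from the original page: it parses the lines that tcpdump -e -ttt -i pflog0 prints (OpenBSD layout: rule number, action, direction, interface, then the usual flow line), counts hits per protocol and destination port, and emits candidate pf.conf block rules written without log. The sample log, the interface name em0 and the hosts in it are constructed for the example; min_hits and the $ext_if macro name are assumptions. When one host accounts for all hits on a port it proposes a host-specific rule, when many hosts hit the same port it proposes a port rule; either way the output is something to review before it goes anywhere near pf.conf.

```python
"""Summarise pflog hits into candidate pf.conf block rules (added example)."""
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -ttt -i pflog0` output. Hosts, interface
# name and rule number are made up for this example; nothing here was captured
# from a real box.
SAMPLE_PFLOG = """\
000000 rule 3/(match) block in on em0: 198.51.100.7.1031 > 192.0.2.10.1026: udp 420
000341 rule 3/(match) block in on em0: 198.51.100.7.1031 > 192.0.2.10.1027: udp 420
000012 rule 3/(match) block in on em0: 198.51.100.9.50123 > 192.0.2.10.1026: udp 418
000905 rule 3/(match) block in on em0: 198.51.100.22.1031 > 192.0.2.10.1026: udp 420
000050 rule 3/(match) block in on em0: 203.0.113.4 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
000008 rule 3/(match) block in on em0: 203.0.113.4.45870 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
000003 rule 3/(match) block in on em0: 203.0.113.4.45871 > 192.0.2.10.22: Flags [S], seq 2, win 64240, length 0
000002 rule 3/(match) block in on em0: 203.0.113.4.45872 > 192.0.2.10.22: Flags [S], seq 3, win 64240, length 0
000777 rule 3/(match) block in on em0: 203.0.113.80.60000 > 192.0.2.10.80: Flags [S], seq 4, win 64240, length 0
"""

# Rule header as printed by tcpdump -e on pflog, followed by the flow line.
FLOW_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)"
)


def split_addr(token):
    """tcpdump prints host.port; the port is whatever follows the last dot."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Return one dict per logged TCP/UDP packet; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("udp"):
            proto = "udp"
        elif rest.startswith("Flags [") or re.match(r"[SFRPUAEW.]+ ", rest):
            proto = "tcp"  # newer and older tcpdump TCP syntax respectively
        else:
            continue  # ICMP and anything else carry no port to block on
        src_host, _ = split_addr(m.group("src"))
        dst_host, dst_port = split_addr(m.group("dst"))
        entries.append({"proto": proto, "src": src_host, "dst": dst_host, "dport": dst_port})
    return entries


def group_hits(text):
    """Map (proto, destination port) -> list of source hosts that hit it."""
    hits = defaultdict(list)
    for e in parse_pflog(text):
        hits[(e["proto"], e["dport"])].append(e["src"])
    return dict(hits)


def summarize(text):
    """(proto, dport) -> (total hits, distinct sources): the recurring-sequence view."""
    return {k: (len(v), len(set(v))) for k, v in group_hits(text).items()}


def suggest_rules(text, min_hits=3, ext_if="$ext_if"):
    """Turn repeated hits into candidate block rules, deliberately without log.

    One source hammering a port gets a host-specific rule; several sources on
    the same port get a port rule. min_hits is an assumed threshold.
    """
    rules = []
    for (proto, dport), sources in sorted(group_hits(text).items()):
        if len(sources) < min_hits:
            continue
        distinct = set(sources)
        src = distinct.pop() if len(distinct) == 1 else "any"
        rules.append(f"block in quick on {ext_if} proto {proto} from {src} to any port {dport}")
    return rules


if __name__ == "__main__":
    for (proto, dport), (total, nsrc) in sorted(summarize(SAMPLE_PFLOG).items()):
        print(f"{proto}/{dport}: {total} hits from {nsrc} source(s)")
    print("\n".join(suggest_rules(SAMPLE_PFLOG)))
```

Feed it a real capture with tcpdump -e -ttt -i pflog0 -l | python3 script.py (reading sys.stdin instead of SAMPLE_PFLOG) and it prints a per-port tally plus the rule candidates; the tally is the part to look at first, since a port with three hits from one host and a port with thirty hits from thirty hosts call for different rules.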