2

For a FreeBSD pf firewall, I want it to block packets for non-established connections. For example, the attacker should not send Reset packets for an unknown, not-yet-established connection.

In Linux it is easy to do

# Chain is assumed (the original shows only the match/target part of each rule)
iptables -A FORWARD -d targethost -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This will allow new state establishments and block anything else except packets belonging to the established state (ESTABLISHED).

I think FreeBSD pf should also work like this. Does pf have anything like this? Do you think the ruleset below should allow Reset packets for a non-established connection?

# pfctl -sr -vvv
@0 pass in log (all) quick from <administrators:4> to any flags S/SA synproxy state
  [ Evaluations: 423       Packets: 0         Bytes: 0           States: 4     ]
  [ Inserted: uid 0 pid 25567 State Creations: 4     ]
@1 block drop log (all) quick inet6 all
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@2 block drop log (all) quick from <blacklist:0> to any
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@3 pass log (all) quick all flags S/SA keep state
  [ Evaluations: 419       Packets: 103       Bytes: 10941       States: 15    ]
  [ Inserted: uid 0 pid 25567 State Creations: 19    ]

tcpdump -i pflog0 does not say anything (pass or block) about accepting Reset packets destined for a host behind the firewall.

seaquest

1 Answer

2

From the OpenBSD pf docs:

All pass rules automatically create a state entry when a packet matches the rule. This can be explicitly disabled by using the no state option.

So you're already stateful.

And to clarify, FreeBSD occasionally ports pf over from OpenBSD, so their documentation applies for core features.

Royce Williams
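A pf.conf equivalent of the iptables rules in the question, added here as an example that is not part of the original question or answer; the interface name em0 and the address 192.0.2.10 are assumed placeholders. It also adds the explicit default deny that the question's ruleset does not have, since pf passes any packet that matches no rule at all.

```pf
# Added example (not from the question or answer): a pf.conf that mirrors
# the iptables rules in the question. Interface and address are placeholders.
ext_if     = "em0"           # assumed external interface name
targethost = "192.0.2.10"    # constructed placeholder for targethost

# pf is last-match-wins, and a packet that matches NO rule is passed by
# default. The ruleset in the question has only "quick" rules and no final
# block, so a bare RST that fails "flags S/SA" on rule @3 is neither blocked
# nor logged (pflog0 only shows packets that hit a rule with "log").
# This explicit default deny closes that gap and makes such packets visible.
block log all

# Only a TCP SYN (S set, ACK clear) may create state toward targethost.
# "flags S/SA" is pf's TCP default; it is what stops an unsolicited RST or
# ACK from creating a state entry (the iptables "--state NEW" case).
pass in on $ext_if proto tcp to $targethost flags S/SA keep state

# No separate "ESTABLISHED" rule is needed: every later packet of the
# connection, in either direction, is matched against the state entry the
# SYN created (states are floating by default, so the forwarded leg on the
# inside interface matches too). A packet with no matching state falls
# through to "block log all" above and shows up on pflog0.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to confirm that stray RSTs are now logged as blocked.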