Re: pf states



Thanks a lot for the tips, will keep them in mind.

I have seen those states on port 53 for udp.

p.s. pf works like a charm. Just out of interest, I looked into
/etc/rc.firewall and I was just terrified by it. pf looks like a
breath of fresh air.

On 7/31/06, Darrin Chandler <dwchandler@xxxxxxxxxxxxx> wrote:
On Sun, Jul 30, 2006 at 09:33:15PM +0000, Ivan Levchenko wrote:
> Thanks, I have "some knowledge" of these things (at least I have been
> reading the man pages for pf and altq, and the openbsd pf faq =) ..
>
> like always ... there is still more reading ahead.
>
> thanks.

The thing that I forgot to mention is that pf tries to keep state for
udp and icmp, even though these are not strictly stateful protocols. So
there are "state" entries that you will not find any information about
if you go read about icmp or udp.

For instance, if you have a default "block in" rule, but a "pass out
icmp keep state" and you send out a ping (icmp echo-request) then pf
will create a state waiting for the echo reply and let it in. The same
goes for udp, which is often seen on port 53 for DNS.

It's good that you want to know what is going on and are learning. Too
many people do not.

--
Darrin Chandler | Phoenix BSD Users Group
dwchandler@xxxxxxxxxxxxx | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |



--

Best Regards,

Ivan Levchenko
Manager of Programming department
levchenko.i@xxxxxxxxx
ilevchenko@xxxxxxxxxxxxxxxx
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
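The "block in" plus "pass out ... keep state" setup Darrin describes, written out as a pf.conf fragment. This is an added example, not a ruleset from anyone in the thread; the interface name, the timeout values beyond the defaults, and the pfctl commands in the comments are assumptions you should check against your own pf(4) and pfctl(8) man pages.

```pf
# Added example (not from the thread). Interface name is a placeholder.
ext_if = "em0"

# pf cannot see a FIN/RST for udp or icmp, so these "states" live and die
# purely on timers. The values below are the usual defaults; shorten them
# if you want stray udp/icmp states to age out of the table faster.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }

# Default deny inbound on the external interface.
block in on $ext_if all

# Outbound ping: pf creates a state keyed on the echo-request and lets the
# matching echo-reply back in, even though nothing in icmp itself is
# "stateful". Restricting to echoreq avoids opening state for other types.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Outbound DNS: the same trick for udp. The state created by the query on
# port 53 is what admits the reply; this is why udp/53 entries show up in
# the state table so often.
pass out on $ext_if inet proto udp to any port 53 keep state

# To watch the states this ruleset creates (run as root):
#   pfctl -ss          # list current states, including udp and icmp ones
#   pfctl -vvss        # same, with per-state expiry timers
#   pfctl -si          # state table counters (searches, inserts, removals)
```

Anything that arrives on udp/53 or as an icmp echo-reply without a matching state entry is still dropped by the "block in" rule, which is the behaviour you want to confirm with pfctl -ss after sending a test ping or DNS lookup.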


