
List:       openbsd-pf
Subject:    Re: Nat ports
From:       Justin Krejci <jus () krytosvirus ! com>
Date:       2003-07-27 16:10:08

On Sunday 27 July 2003 05:41 am, Daniel Hartmeier wrote:
> On Sat, Jul 26, 2003 at 08:29:35PM -0700, Bryan Irvine wrote:
> > Is there a way to get pf to never use specific ports?  For example a
> > client on my LAN might send a request for a certain webpage which gets
> > sent to the gateway from a certain port we'll say, 43101.  The Request
> > hits the gateway and then gets changed to another source port like
> > 12754.  The problem is that 12754 will trigger a false positive in snort
> > that someone is scanning for a ddos mstream client handler. How (if
> > possible) can you create a list of ports that will never be used by pf?
>
> The default proxy port range used by pf is 50001-65535, so it won't use
> 12754.
>
> You can change the proxy port range like this
>
>   nat on $extif from 10.0.0.0/8 to any -> $extif port 20000:30000
>
> which would cause pf to use proxy ports 20000-30000 for connections
> matching this rule.
>
> Why are you running snort on the external interface, and not the
> internal one? It's an intrusion detection system, and packets that don't
> pass your firewall don't constitute an intrusion...
>
> Daniel

I am no expert but wouldn't it be nice to know if someone is running a scan or 
some sort of flood attack? If one starts to have limited bandwidth available 
all of a sudden, the nids might help uncover the reason why if it is a flood. 

-- 

PGP public key 	http://www.krytosvirus.com/public.asc
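As an added illustration of the proxy-port behaviour Daniel describes above (this fragment is not from the thread or from the pf project; the interface and network macros are assumed), a pf.conf snippet that pins the range of source ports pf will pick for translated connections. It also shows the static-port alternative, which leaves the client's source port untouched, and the post-OpenBSD-4.7 nat-to form of the same rule:

```conf
# Added example, not from the original thread. Macro values are assumptions.
ext_if  = "fxp0"
int_net = "10.0.0.0/8"

# Classic syntax, as used in the thread (OpenBSD releases before 4.7).
# Without a trailing "port" clause pf chooses proxy source ports from the
# default range 50001:65535. Pinning the range keeps translated connections
# out of any port a NIDS signature keys on.
nat on $ext_if from $int_net to any -> ($ext_if) port 20000:30000

# Same rule on OpenBSD 4.7 and later, where NAT is an option on match/pass
# rules rather than a separate "nat on" rule:
# match out on $ext_if from $int_net to any nat-to ($ext_if) port 20000:30000

# Alternative: keep the client's own source port instead of proxying it.
# The IDS then sees whatever port the LAN host chose, so this does not
# help against alerts caused by the client's port, only against pf's.
# nat on $ext_if from $int_net to any -> ($ext_if) static-port

# Minimal filter rules so the example loads as a complete ruleset.
block in on $ext_if all
pass  out on $ext_if from ($ext_if) to any keep state
pass  in  on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -s state` for a connection from the LAN: the translation entry shows the original client port followed by the proxy port, which should now fall inside 20000:30000.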