
List:       openbsd-pf
Subject:    Re: Senseless Waste?
From:       Henning Brauer <henning () openbsd ! org>
Date:       2004-06-11 18:48:11
Message-ID: 20040611184811.GN19228 () skywalker ! bsws ! de

* interval@softhome.net <interval@softhome.net> [2004-06-11 20:43]:
> From some other rules files I noticed while scanning the web for
> pf-concerned pages: 
> 
> # Block bad tcp flags from malicious people and nmap scans
> block in log quick on $ext_if proto tcp from any to any flags /S
> block in log quick on $ext_if proto tcp from any to any flags /SFRA
> block in log quick on $ext_if proto tcp from any to any flags /SFRAU
> block in log quick on $ext_if proto tcp from any to any flags A/A
> block in log quick on $ext_if proto tcp from any to any flags F/SFRA
> block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
> block in log quick on $ext_if proto tcp from any to any flags SF/SF
> block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
> block in log quick on $ext_if proto tcp from any to any flags SR/SR
> block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
> block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
> block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
> block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP 
> 
> Is this configuration not covered with 
> 
> set	block-policy	drop 

yes, but different ;)

> Or is there some merit to explicitly filtering every flag combination?

that's what this does. However, it is stupid.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
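The following is an added example, written for this archive page and not part of either message above. It models how pf evaluates the `flags a/b` option (pf.conf(5): the rule matches TCP packets that have the flags a set out of set b, other flags being ignored) and runs the thirteen quoted `block in log quick` rules and a plain default-deny ruleset (`block in all` plus `pass in ... flags S/SA keep state`) over a handful of constructed stateless packets. Note that `set block-policy drop` only chooses whether a block rule silently drops or sends a RST/ICMP unreachable; it does not by itself decide what is blocked, which is why the answer to the question is "yes, but different". Assumed for the model: packets matching none of the quoted rules fall through to a pass, and the sample flag combinations are invented for illustration.

```python
# Added example (not from the thread): a model of how pf evaluates the
# `flags a/b` option, used to see what the quoted rule list actually
# catches compared with a plain default-deny, stateful ruleset.

# TCP flag letters as pf.conf(5) spells them, mapped to header bit values.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters):
    """Turn a pf flag string such as 'SFRA' into a bitmask ('' -> 0)."""
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags_spec(spec):
    """Split 'a/b' into (bits that must be set, bits that are examined).

    pf only accepts a as a subset of b; anything else is a syntax error."""
    a, b = spec.split("/")
    want, examine = flag_mask(a), flag_mask(b)
    if want & ~examine:
        raise ValueError("flags %s: set flags must be within the mask" % spec)
    return want, examine


def flags_match(pkt_flags, spec):
    """pf.conf(5): the rule matches TCP packets that have the flags a set
    out of set b; flags not listed in b are ignored."""
    want, examine = parse_flags_spec(spec)
    return (pkt_flags & examine) == want


# The flag specs of the thirteen 'block in log quick' rules quoted above,
# in the order they appear; 'quick' means the first match wins.
QUOTED_BLOCK_SPECS = [
    "/S", "/SFRA", "/SFRAU", "A/A", "F/SFRA", "U/SFRAU", "SF/SF", "SF/SFRA",
    "SR/SR", "FUP/FUP", "FUP/SFRAUPEW", "SFRAU/SFRAU", "SFRAUP/SFRAUP",
]


def quoted_rules_verdict(pkt_flags, fallthrough="pass"):
    """Walk the quoted block list for one stateless inbound TCP packet.

    Returns (verdict, spec). A packet no rule matches gets `fallthrough`,
    i.e. whatever the rest of the ruleset decides (assumed here: pass)."""
    for spec in QUOTED_BLOCK_SPECS:
        if flags_match(pkt_flags, spec):
            return "block", spec
    return fallthrough, None


def stateful_verdict(pkt_flags):
    """The idiomatic alternative: 'block in all' followed by
    'pass in ... proto tcp ... flags S/SA keep state'.

    A packet that matches no state is passed only if it is a bare SYN
    (SYN set, ACK clear, other flags ignored); everything else is blocked."""
    return "pass" if flags_match(pkt_flags, "S/SA") else "block"


# Constructed sample packets, all without existing state, so both
# rulesets see them. Names describe the flag combination, nothing more.
SAMPLES = {
    "new SYN":   flag_mask("S"),
    "SYN-ACK":   flag_mask("SA"),
    "NULL scan": flag_mask(""),
    "XMAS scan": flag_mask("FPU"),
    "SYN+FIN":   flag_mask("SF"),
    "stray ACK": flag_mask("A"),
}


def compare_rulesets(samples=SAMPLES):
    """Return {name: (quoted verdict, matching spec, stateful verdict)}."""
    result = {}
    for name, bits in samples.items():
        verdict, spec = quoted_rules_verdict(bits)
        result[name] = (verdict, spec, stateful_verdict(bits))
    return result


if __name__ == "__main__":
    for name, (v1, spec, v2) in compare_rulesets().items():
        print("%-10s quoted list: %-5s (%s)  default-deny+S/SA: %s"
              % (name, v1, spec, v2))
```

Two things fall out of running it. First, the quoted list's very first rule, `flags /S`, already matches every stateless packet without SYN (NULL and XMAS scans, stray ACKs), so most of the later rules never see a packet; under a default-deny ruleset the whole list changes only what gets logged, not what gets through. Second, the one combination the list catches that `flags S/SA` alone does not is SYN+FIN, because FIN is outside the S/SA mask; that is a job for pf's packet normalisation (`scrub`) rather than for a dozen hand-written flag rules.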