DAve wrote:
I will be installing pf this week, I just need to write up my rule sets for these servers. I had been working on the webservers first. Is there a rule I can use to log connection attempts to closed ports?
pf doesn't really know anything about whether there is a listener at a particular port or not. However, you can log suspicious traffic using a 'capture everything' rule, which should log and then block or drop all traffic that matches it. You then override that with more specific rules to allow the traffic to the services you want to publish on the net. [pf is a 'last matching rule wins' type firewall, so you write the rules in order from most generic to most specific.] Something like this:

    ext_if="em0"   # alter to match your hardware

    set skip on lo0
    set loginterface $ext_if
    set state-policy if-bound

    scrub in

    block log all

    pass in on $ext_if proto tcp from any to $ext_if port http flags S/SA keep state

    [...]

(You'll need more pass rules than that -- especially to allow your host to do things like query the DNS, allow SSH in and out, connect to remote web/ftp sites, etc.)

Remember to run pflogd to have the logged packets saved to disk. Be aware that the log output in /var/log/pflog is actually in pcap format, so you'll need to use tcpdump -r /var/log/pflog to turn it into something human readable. /var/log/pflog can get recycled fairly rapidly depending on network conditions. Or you can just run tcpdump -i pflog0 to get a live view of rejected packets.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
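The reply above leaves the reader with a pcap file and a tcpdump command; the original poster's actual question was how to see the connection attempts that no pass rule covered. The following is an added example, not code from the thread or from the pf project, that reads the text printed by `tcpdump -n -e -ttt -r /var/log/pflog` (the "rule N/M(match): block in on em0: ..." line layout is what that command prints for pflog captures; the sample lines below are constructed for the example, with documentation addresses) and summarises inbound SYNs that `block log all` caught: how many attempts each unserved port received, and which source addresses probed several such ports. The port threshold and the helper names are the example's own choices.

```python
"""Summarise connection attempts that pf logged and blocked.

Input is the text of `tcpdump -n -e -ttt -r /var/log/pflog`.  The SAMPLE_LOG
below is constructed for this example and uses RFC 5737 documentation
addresses; 198.51.100.5 plays the part of the web server.
"""
import re
from collections import Counter, defaultdict

# One tcpdump line for a TCP packet from pflog.  Two flag styles are accepted:
# "Flags [S]" from current tcpdump and the bare "S" printed by older versions.
# Note that tcpdump writes the ACK flag as "." inside the flag string.
PFLOG_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<oldflags>[SFRPAUEWC.]+)(?=\s|$))"
)

# Constructed sample: one host walking three closed ports, a single SSH
# attempt, a passed (and logged) HTTP SYN, a stray ACK with no state, an
# outbound SMTP attempt and a UDP line that the TCP pattern must skip.
SAMPLE_LOG = """\
00:00:00.000000 rule 0/0(match): block in on em0: 192.0.2.10.54321 > 198.51.100.5.23: Flags [S], seq 1000, win 65535, length 0
00:00:00.012345 rule 0/0(match): block in on em0: 192.0.2.10.54322 > 198.51.100.5.445: Flags [S], seq 1001, win 65535, length 0
00:00:00.004210 rule 0/0(match): block in on em0: 192.0.2.10.54323 > 198.51.100.5.3389: Flags [S], seq 1002, win 65535, length 0
00:00:02.500000 rule 0/0(match): block in on em0: 203.0.113.7.40000 > 198.51.100.5.22: S 77:77(0) win 8192
00:00:00.300000 rule 3/0(match): pass in on em0: 203.0.113.8.40001 > 198.51.100.5.80: Flags [S], seq 5, win 64240, length 0
00:00:00.100000 rule 0/0(match): block in on em0: 203.0.113.9.40002 > 198.51.100.5.80: Flags [.], ack 1, win 512, length 0
00:00:00.200000 rule 0/0(match): block out on em0: 198.51.100.5.50000 > 192.0.2.99.25: Flags [S], seq 9, win 65535, length 0
00:00:00.050000 rule 0/0(match): block in on em0: 192.0.2.10.5353 > 198.51.100.5.53: 12345+ A? example.com. (29)
"""


def parse_line(line):
    """Return the fields of one TCP pflog line as a dict, or None for anything else."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] if rec["flags"] is not None else rec["oldflags"]
    del rec["oldflags"]
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def blocked_syns(text):
    """Inbound connection attempts (SYN without ACK) that matched a block rule.

    With `block log all` underneath specific pass rules, these are exactly the
    attempts aimed at ports the rule set does not publish.
    """
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if "S" in rec["flags"] and "." not in rec["flags"]:
            found.append(rec)
    return found


def attempts_per_port(text):
    """Count blocked SYNs by destination port."""
    return Counter(rec["dport"] for rec in blocked_syns(text))


def ports_by_source(text):
    """Map each source address to the set of blocked ports it tried."""
    seen = defaultdict(set)
    for rec in blocked_syns(text):
        seen[rec["src"]].add(rec["dport"])
    return dict(seen)


def probable_scanners(text, min_ports=3):
    """Sources that probed at least min_ports distinct unserved ports (threshold is this example's choice)."""
    return sorted(src for src, ports in ports_by_source(text).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for port, n in sorted(attempts_per_port(SAMPLE_LOG).items()):
        print(f"port {port}: {n} blocked SYN(s)")
    print("probable scanners:", probable_scanners(SAMPLE_LOG))
```

Run it against a real capture with `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_summary.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; because /var/log/pflog is recycled quickly, feed it the rotated copies too if you want more than the last few minutes. Only SYNs are counted so that stray ACKs and RSTs, which `block log all` also records, do not inflate the per-port figures.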