Hi!
We are running a pretty nice commercial firewall which obviously is
based on a stripped version of OpenBSD and pf ;) (yes I know... we are
planning on switching to our own OpenBSD installation as soon as
possible, still in the learning process though).
Anyway we get a lot of warnings about connections to a valid www server
on the DMZ like this:
Jan 17 19:41:01 Denied incoming WAN 83.248.186.3 1162 192.168.78.6 80 TCP flags F, seq 0, size 0 ack 1 win 65535, no frags
and this:
Jan 17 19:39:26 Denied incoming WAN 85.112.166.15 11406 192.168.78.6 80 TCP flags R, seq 1305210837, size 0 ack 2803852444 win 0
With some detective work I think the firewall has the following pf.conf
settings for allowing traffic to the www server (fake public IP address):
# bidirectional NAT: map the internal www server to its public address
binat on $EXTIF inet from 192.168.78.6 to any -> 20.1.1.1
# only SYN-only packets (S set, A clear) match and create state
pass in quick on $EXTIF inet proto tcp from any to 192.168.78.6 port www flags S/SA modulate state
I think scrub is used on the ext interface.
So now to my question: are the above denied connections correct, or should
they be allowed to the www server, e.g. using S/SAFR in the pass rule?
Thanks,
Johan
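Added here as a triage aid, not code from the original post: a small Python parser for the denied-TCP log format quoted above that separates refused SYNs (which would point to a problem with the pass rule) from stray FIN/RST packets arriving after their state-table entry is gone. The sample lines are constructed, and the field layout is assumed to match the two lines in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the layout quoted in the post (not real traffic).
SAMPLE_LOG = """\
Jan 17 19:41:01 Denied incoming WAN 83.248.186.3 1162 192.168.78.6 80 TCP flags F, seq 0, size 0 ack 1 win 65535, no frags
Jan 17 19:39:26 Denied incoming WAN 85.112.166.15 11406 192.168.78.6 80 TCP flags R, seq 1305210837, size 0 ack 2803852444 win 0
Jan 17 19:42:10 Denied incoming WAN 198.51.100.7 40001 192.168.78.6 80 TCP flags S, seq 42, size 0 ack 0 win 5840, no frags
Jan 17 19:42:11 Denied incoming WAN 198.51.100.7 40002 192.168.78.6 80 TCP flags S, seq 43, size 0 ack 0 win 5840, no frags
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) Denied incoming (?P<iface>\S+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) TCP flags (?P<flags>[A-Z]+),"
)


def parse_line(line):
    """Return the fields of one denied-TCP line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(flags):
    """Interpret the TCP flag letters under a 'flags S/SA ... modulate state' rule.

    Only SYN-without-ACK packets match such a rule and create state; every later
    packet must match an existing state entry or it falls through to the block.
    """
    if "S" in flags and "A" not in flags:
        return "new-connection-denied"      # a real SYN was refused: check the pass rule
    if "R" in flags or "F" in flags:
        return "stateless-teardown-noise"   # late FIN/RST after the state entry expired
    return "stateless-other"                # mid-stream packet with no matching state


def summarize(log_text):
    """Count denials per class and per (source, class) so noise and real refusals separate."""
    by_class = Counter()
    by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["flags"])
        by_class[kind] += 1
        by_src[(rec["src"], kind)] += 1
    return by_class, by_src


if __name__ == "__main__":
    classes, sources = summarize(SAMPLE_LOG)
    print(dict(classes))
    for (src, kind), n in sources.most_common():
        print(f"{src:16} {kind:26} {n}")
```

Run it over the real log instead of SAMPLE_LOG; a large "new-connection-denied" count for port 80 is the case worth investigating, while lone FIN/RST drops are expected with stateful filtering.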