> 7. okt. 2021 kl. 15:58 skrev Barbaros Bilek <barbarosb...@gmail.com>:
>
> Hello misc,
>
> I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF.
> At the top of my pf.conf I've added these lines but it didn't work.
>
> block in quick proto tcp all flags SF/SFRA label bps1
> block in quick proto tcp all flags FPU/SFRAUP label bps3
> block in quick proto tcp all flags /SFRA label bps4
> block in quick proto tcp all flags F/SFRA label bps5
> block in quick proto tcp all flags U/SFRAU label bps6
I personally find rules that specific to be too much work to even decipher. What is it you are trying to achieve here?

If you want specifically to detect port scans, I have a hunch you would be better off constructing something out of state tracking options and overload tables.

That said, I have tended to generally recommend starting off your rules with a "block" (which will expand to "block drop all"), then fill in the ruleset with pass rules and whatever else you need that will let the traffic you want to allow to pass.

If you search the net with the obvious keywords you will find quite a few examples that can be quite instructive (including some of my own screeds at the first URL in my .signature).

All the best,
Peter N. M. Hansteen

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
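The approach Peter describes (default deny, then pass rules that carry state-tracking options and feed an overload table) looks roughly like the following pf.conf. This is an added illustration, not Peter's own ruleset or anything from the thread; the interface name, service list, table name and thresholds are assumptions chosen for the example.

```pf
# Added example ruleset (not from the original thread). Assumptions:
# external interface em0, services ssh/http/https, table <bruteforce>,
# thresholds 100 states per source and 15 new connections per 5 seconds.
ext_if = "em0"
tcp_services = "{ ssh, http, https }"

# persist keeps the table even when no rule currently references it
table <bruteforce> persist

set skip on lo

# Default deny first: a bare "block" expands to "block drop all".
block

# Anything from an address that has already tripped the overload
# threshold is dropped before the pass rules are evaluated.
block in quick on $ext_if from <bruteforce>

# Outbound traffic from this host is allowed (keep state is the default).
pass out on $ext_if

# Offered services, with per-source state-tracking options:
#   max-src-conn 100      at most 100 concurrent states from one source
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds
# A source exceeding either limit is added to <bruteforce>, and
# "flush global" kills all states it created under any rule.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

pass in on $ext_if inet proto icmp icmp-type echoreq
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and inspect the table with `pfctl -t bruteforce -T show`; entries do not age out by themselves, so something like `pfctl -t bruteforce -T expire 86400` from cron is needed if you want them to. One caveat a practitioner should keep in mind: the overload counters only count connections that match this pass rule, so a SYN sweep across closed ports never populates the table; it simply hits the default block, and you would need `block log` with pflogd to see it.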