PF Does pf have any particular support for filtering SCTP traffic?

Does pf offer any particular support for filtering SCTP traffic? If so, can someone point me to documentation supporting it? I can find a lot of material about the protocol, but do not find anything related specifically to pf.

Thanks,
QG
 
KristofProvost -

That is what I was afraid of. Can it at least block any incoming overtures from outside my network ... say by means of a 'block all' on a wan connection? Or is that just the breaks of the game?
 
Thanks be to 'getopt' for that suggestion. I would vote for it, at least until some support might someday be made available. I am engineer enough and administrator enough to use it, but not developer enough to add it to the existing code base. Sigh!
 
If the SCTP kernel module is not loaded there will be no SCTP packets accepted. While the GENERIC kernel can load SCTP you can configure custom kernels without the option.
 
KristofProvost -

> That is what I was afraid of. Can it at least block any incoming overtures from outside my network ... say by means of a 'block all' on a wan connection? Or is that just the breaks of the game?
You can block the protocol entirely, yes. That doesn't require any SCTP support in pf. All it needs to know how to do (and it does know how to do this) is look for the protocol number in the IP/IPv6 header.

block all protocol sctp should work just fine.
 
> If the SCTP kernel module is not loaded there will be no SCTP packets accepted. While the GENERIC kernel can load SCTP you can configure custom kernels without the option.
Even without the SCTP module loaded the machine would still forward SCTP traffic, so know your setup before relying on not loading the module.
 
> We don't typically list the things we do not support, so no.
Well, that makes sense typically for manuals. But from a handbook I'd expect teaching and hinting.

I'm quite thankful to this thread as it is a sort of eye opener. But now to PF Packet Filter:

The list of protocols in /etc/protocols is impressive. The question is of course which protocols PF can handle and which not. And how to block protocols that PF cannot handle. I'd expect that information in a handbook.

But as we cannot wait until a more elaborate section is written in our FreeBSD handbook, of which we are so proud, I'd like to ask how a pf.conf can be hardened so that existing but not wanted protocols get blocked?

Is block all protocol sufficient to block all protocols? Or must every protocol be named that can be found in /etc/protocols?
 
Getopt-

Thanks for the link to Bugzilla. I shall look into using it sooner rather than later. Right now I am putting some thought into what to report and ask for as some good points on both sides of the matter have emerged from this thread. I am hoping to find a suitable mid-ground position for the request to take account of them all since I see validity in both sides of the discussion. Now all I need is a little while without disasters to put some effort into this.

KristofProvost-

What would you think of either making the GENERIC kernel not support SCTP by default but having to enable it at boot time if you need it. This would avoid having to build a custom kernel, which in my experience seems to invite problems. Or making it controllable through sysctl variables to enable or disable as needed?

I did not find any sysctl variables that control SCTP. Are there any or did I just manage to miss them?

Thanks to you both for insightful comments and discussion. I appreciate it a lot!!

QG
 
> What would you think of either making the GENERIC kernel not support SCTP by default but having to enable it at boot time if you need it. This would avoid having to build a custom kernel, which in my experience seems to invite problems. Or making it controllable through sysctl variables to enable or disable as needed?
I don't maintain SCTP, so you'd have to talk to the SCTP maintainer.
 
> Is block all protocol sufficient to block all protocols? Or must every protocol be named that can be found in /etc/protocols?
Wouldn't "blocking all protocols" be the same as "block all"? Doesn't every IP packet on the wire have a protocol field?
Wouldn't starting with a "default deny in" on WAN block any traffic originating from the outside, then you'd add pass rules for the specific traffic you want? I'm assuming here that you'd do default allow all out keep state so the return traffic would be allowed.
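Putting Kristof's protocol-number block and the "default deny in on WAN, stateful out" sketch from the last reply into one ruleset, as an added example that is not from anyone in this thread. The WAN interface name (em0) and the LAN prefix are assumptions; adjust both for your box.

```conf
# Added example pf.conf fragment, not from the thread. Assumed values:
# WAN interface em0, LAN prefix 192.168.1.0/24.
ext_if = "em0"
lan_net = "192.168.1.0/24"

# Reassemble fragments before filtering so a protocol match cannot be
# dodged by splitting the header across fragments.
scrub in all

# Default deny inbound on WAN: anything a later pass rule does not match
# is dropped, whatever the IP protocol number, SCTP (132) included.
# This also covers traffic the box would otherwise forward, since pf
# filters on the inbound interface regardless of the final destination.
block in log on $ext_if all

# Explicit, early drop for SCTP so it is logged on its own and no later
# pass rule can accidentally admit it. pf only needs the protocol number
# from the IP/IPv6 header, so no SCTP-specific support is required.
# "proto sctp" is resolved via /etc/protocols; "proto 132" matches the
# same packets by number if that file lacks the name.
block in log quick on $ext_if proto sctp all

# Stateful outbound: replies to connections this host starts come back
# in through the state entry, so they need no inbound pass rule.
pass out on $ext_if keep state

# Inbound: only the services you really want, named explicitly.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
pass in on $ext_if inet proto tcp from $lan_net to ($ext_if) port 443 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; with `block ... log` in place, dropped SCTP attempts show up on the pflog interface, which is how you confirm the rule is actually matching.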
 