Hi
I recently configured my server with PF.
Server: FreeBSD
Services: qmail (Mail Server), Apache, PHP, and MySQL (Web Server) and BIND (DNS Server)
Firewall: Packet Filter (PF)
My PF has a file called spammers (/etc/spammers) which I use to block IP addresses that are trying to attack my machine.
/etc/spammers:
Code:
172.16.51.67
172.16.51.160
172.16.51.163
172.16.11.163
I craft the packet from my desktop machine
source IP: 172.16.11.163
destination IP address: 172.16.11.180 (My Server IP)
No payload
When I send that packet out, my firewall passes it through (I have a rule that says to block that IP address). Now the question is: how do I block that kind of packet? (Can those packets be harmful to the machine, DDoS, ...?) I believe that IPFilter calls those packets SHORT packets and there is a keyword (short) to block those (I could be wrong).
NOTE: I checked
pfctl -t spammers -T show
to check whether the table loads successfully.
Here is the PF log file:
tcpdump -n -e -ttt -r /var/log/pflog
Code:
00:00:00.000000 rule 4294967295/3(Short): pass in on bge0: 172.16.11.163>172.16.11.180:[|tcp]
PF Rules:
Code:
ext_if = "bge0"
web_server = "172.16.11.180"
dns_server = "172.16.11.180"
mail_server = "172.16.11.180"
ssl_server = "172.16.11.180"
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spammers> persist file "/etc/spammers"
set skip on lo0
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400 random-id no-df
antispoof log quick for $ext_if
# "with short" is IPFilter syntax and pfctl rejects it. PF drops packets that
# are too short to carry their transport header before the ruleset is
# consulted, so a plain default deny is what is needed here.
block in all
block in log quick on $ext_if from <spammers> to any
#block in quick on $ext_if from any os unknown
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA synproxy state
pass in on $ext_if proto udp from any to $dns_server port 53
pass in on $ext_if proto tcp from any to $mail_server port 25 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ssl_server port 443 flags S/SA keep state
#pass out on $ext_if proto {tcp udp icmp} from (bge0) to any flags S/SA keep state
#Try to block nmap scans
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
#try to block OS detection
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
Thanks
Mark
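Added example, not part of the post above: a small Python script that decodes tcpdump's rendering of pflog records (the `tcpdump -n -e -ttt -r /var/log/pflog` output format quoted in the post) and checks each source address against the spammers table file. The record in the post decodes as follows: rule number 4294967295 is (u_int32_t)-1, the implicit default rule that corresponds to no line in pf.conf; reason 3 is "short", which PF sets when it cannot pull a complete TCP header out of the packet (tcpdump shows the same thing as `[|tcp]`), and in that case PF drops the packet before any pf.conf rule, including `block in log quick on $ext_if from <spammers>`, is evaluated. The word `pass` in the log is the action of the rule named in the record (the default rule), not the fate of the packet. The script assumes IPv4 records and a table file with one address or prefix per line; the second log line and its rule number 4 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Reason codes as PF numbers them in the pflog header (the PFRES_* constants
# in <net/pfvar.h>). Index 0 means a filter rule matched; every other value
# means PF decided about the packet itself (header parser, scrub, state
# engine) and no filter rule was applied to it.
PF_REASONS = [
    "match", "bad-offset", "fragment", "short", "normalize", "memory",
    "bad-timestamp", "congestion", "ip-option", "proto-cksum",
    "state-mismatch", "state-insert", "state-limit", "src-limit", "synproxy",
]

# The implicit default rule is numbered (u_int32_t)-1; it is not a pf.conf
# line and its action is "pass".
DEFAULT_RULE_NR = 0xFFFFFFFF

# "rule N/R(name): action dir on if: src > dst:" prefix of a pflog record as
# tcpdump prints it (IPv4 only; the port suffix and spaces around '>' vary).
_LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<reason>\d+)\([^)]*\): "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[0-9.]+) ?> ?(?P<dst>[0-9.]+):"
)


@dataclass
class PflogEntry:
    rule: int
    reason: str
    logged_action: str   # action of the rule in the rule field, as printed
    direction: str
    ifname: str
    src: str
    dst: str
    truncated: bool      # tcpdump printed "[|proto]": header ran past the end

    @property
    def effective_action(self) -> str:
        # Any reason other than "match" means PF handled the packet itself
        # (dropped it, or for "synproxy" answered it) before the ruleset was
        # consulted; the printed action then belongs to the default rule and
        # says nothing about what happened to the packet.
        return self.logged_action if self.reason == "match" else "drop"

    @property
    def matched_default_rule(self) -> bool:
        return self.rule == DEFAULT_RULE_NR


def _host(token: str) -> str:
    """Strip tcpdump's trailing port suffix (a.b.c.d.port -> a.b.c.d)."""
    return ".".join(token.split(".")[:4])


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    m = _LINE_RE.search(line)
    if m is None:
        return None
    nr = int(m.group("reason"))
    reason = PF_REASONS[nr] if nr < len(PF_REASONS) else "unknown(%d)" % nr
    return PflogEntry(
        rule=int(m.group("rule")), reason=reason,
        logged_action=m.group("action"), direction=m.group("dir"),
        ifname=m.group("ifname"), src=_host(m.group("src")),
        dst=_host(m.group("dst")), truncated="[|" in line,
    )


def load_table(text: str) -> List[ipaddress.IPv4Network]:
    """Read a table file as `table <t> persist file "..."` does: one address
    or prefix per line, blank lines and '#' comments ignored."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_table(addr: str, table: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in table)


def explain(line: str, table: List[ipaddress.IPv4Network]) -> str:
    """One-line verdict for a pflog record, or 'unparsed' if it does not match."""
    e = parse_pflog_line(line)
    if e is None:
        return "unparsed"
    which = "default rule" if e.matched_default_rule else "rule %d" % e.rule
    listed = "listed" if in_table(e.src, table) else "not listed"
    return "%s: %s -> %s via %s, reason=%s, source %s in <spammers>" % (
        e.effective_action, e.src, e.dst, which, e.reason, listed)


# Table contents as given in the post.
SPAMMERS_FILE = """\
172.16.51.67
172.16.51.160
172.16.51.163
172.16.11.163
"""

# First record is the one from the post. The second is constructed for the
# example (rule number 4 is made up) to show what a complete SYN from the
# same host logs once it reaches the `block in log quick ... from <spammers>` rule.
SAMPLE_LOG = [
    "00:00:00.000000 rule 4294967295/3(Short): pass in on bge0: 172.16.11.163>172.16.11.180:[|tcp]",
    "00:00:01.250000 rule 4/0(match): block in on bge0: 172.16.11.163.40001 > 172.16.11.180.80: S 1:1(0) win 65535",
]

if __name__ == "__main__":
    table = load_table(SPAMMERS_FILE)
    for entry_line in SAMPLE_LOG:
        print(explain(entry_line, table))
```

Running it prints a `drop` verdict for the record from the post (default rule, reason short, source listed in the table) and a `block` verdict for the constructed SYN, which is the line to look for after a normal connection attempt from a listed host. The same parser can be fed `tcpdump -n -e -ttt -r /var/log/pflog` output line by line to find every record whose reason is not "match".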