please scan manapua.sandust.org

Sandi Schneiderman sandi at sandust.com
Wed Aug 1 21:03:05 PDT 2001


Would someone please scan my firewall from outside for me?  I have been
making some changes to my firewall rules and want to see how they work
from outside.  It is a slow sparc5, so the scan should take a while.
Use any weird flags and OS detection you want.

manapua.sandust.org

Thanks,
Dusty

--------here is a copy of my firewall rules---------
There is some odd redundancy, but it is there on purpose and it works.

#############################
# /etc/ipf.rules
# Dustin Cross, OpenBSD 2.8
# August 1, 2001
# ipf -Fa -f /etc/ipf.rules -E
#############################

#############################
# Begin Ruleset
#############################

# Block known problem systems to keep logs clean
# block in quick on le0 from xxx.xxx.xxx.xxx to any

# Loopback device rules
pass out quick on lo0
pass in quick on lo0

# Internal interface
pass in quick on hme0
pass out quick on hme0

# BEGIN RULES FOR PIPE TO THE WORLD

# Block frags
block in log quick on le0 all with frags

# Block short tcp packets
block in log quick on le0 proto tcp all with short

# Drop source routed packets
block in log quick on le0 all with opt lsrr
block in log quick on le0 all with opt ssrr

# Deny nmap OS fingerprint attempts
block in log quick on le0 proto tcp from any to any flags FUP

# Do not allow spoofing of private block addresses (in or out)
block in log quick on le0 from 0.0.0.0/8 to any
block in log quick on le0 from 10.0.0.0/8 to any
block in log quick on le0 from 172.16.0.0/12 to any
block in log quick on le0 from 192.168.0.0/16 to any
block out log quick on le0 from any to 0.0.0.0/8
block out log quick on le0 from any to 10.0.0.0/8
block out log quick on le0 from any to 172.16.0.0/12
block out log quick on le0 from any to 192.168.0.0/16

# Punch holes here
# Flags S/SA only allows packets with SYN set and ACK clear, i.e. the
# first packet of a new connection
# This prevents many forms of portscanning such as FIN scanning
pass in log quick on le0 proto tcp from any to le0/32 port = 22 flags S/SA
pass in log quick on le0 proto tcp from any to le0/32 port = 25 flags S/SA
pass in quick on le0 proto tcp from any to le0/32 port = 80 flags S/SA
pass in quick on le0 proto tcp from any to le0/32 port = 443 flags S/SA

# Allow ICMP ECHO_REPLY (type 0) and ICMP TTL_EXCEEDED (type 11)
pass in log quick on le0 proto icmp from any to le0/32 icmp-type 0
pass in log quick on le0 proto icmp from any to le0/32 icmp-type 11

# Block and log specific ports to catch common types of attacks
# RETURN-RST returns a reset to give the appearance of no packet filter
# running and no services running
# RETURN-ICMP-AS-DEST(port-unr) returns port-unreachable to give the
# appearance of no packet filter and no services running
block return-rst in log quick on le0 proto tcp from any to any port = 21
block return-rst in log quick on le0 proto tcp from any to any port = 22
block return-rst in log quick on le0 proto tcp from any to any port = 23
block return-rst in log quick on le0 proto tcp from any to any port = 25
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 53
block return-rst in log quick on le0 proto tcp from any to any port = 80
block return-rst in log quick on le0 proto tcp from any to any port = 110
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 111
block return-rst in log quick on le0 proto tcp from any to any port = 111
block return-rst in log quick on le0 proto tcp from any to any port = 135
block return-rst in log quick on le0 proto tcp from any to any port = 137
block return-rst in log quick on le0 proto tcp from any to any port = 139
block return-rst in log quick on le0 proto tcp from any to any port = 443
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 514
block return-rst in log quick on le0 proto tcp from any to any port = 515
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 2049
block return-rst in log quick on le0 proto tcp from any to any port = 2049
block return-rst in log quick on le0 proto tcp from any to any port = 6000

# Deny all inbound traffic by protocol and catch anything that falls through
# RETURN-RST returns a reset to give the appearance of no packet filter
# running and no services running
# RETURN-ICMP-AS-DEST(port-unr) returns port-unreachable to give the
# appearance of no packet filter and no services running
block return-rst in log quick on le0 proto tcp from any to any
block in log quick on le0 proto icmp from any to any
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any
block in log quick on le0 from any to any
block in log quick on le0 from any to any

# Deny access to systems here...
# block out quick on le0 from any to xxx.xxx.xxx.xxx

# Pass out all traffic and keep state to allow it to return
# Flags S ensures state tracking only on the first outbound tcp packet
pass out quick on le0 proto tcp from any to any flags S keep state
pass out quick on le0 proto udp from any to any keep state
pass out quick on le0 proto icmp from any to any keep state

#############################
# End Ruleset
#############################
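Added example, not part of the original post: a small first-match evaluator for the inbound le0 rules above, so the expected verdict for a given probe can be checked locally before asking for an outside scan. It models only the proto/port/flags rules (the frags, short, source-route and spoofed-source rules, and the le0/32 vs any distinction, are left out), treats every rule as quick, and assumes ipf's default flag mask is all six flags when none is written.

```python
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}
ALL_FLAGS = "FSRPAU"

def bits(flags):
    """Turn an ipf flag string such as 'SA' into a bitmask."""
    return sum(FLAG_BITS[c] for c in flags)

# Inbound le0 rules in the order the post lists them, as
# (action, proto, port-or-icmp-type, (flags_set, flags_mask)); None means "any".
# The per-port block rules match disjoint proto/port pairs, so their relative
# order does not change any verdict.
RULES = [
    ("block", "tcp", None, ("FUP", ALL_FLAGS)),   # exactly FIN+URG+PSH: nmap OS probes
    ("pass", "tcp", 22, ("S", "SA")),             # SYN set, ACK clear: new session only
    ("pass", "tcp", 25, ("S", "SA")),
    ("pass", "tcp", 80, ("S", "SA")),
    ("pass", "tcp", 443, ("S", "SA")),
    ("pass", "icmp", 0, None),                    # echo reply
    ("pass", "icmp", 11, None),                   # ttl exceeded
] + [("block return-rst", "tcp", p, None)
     for p in (21, 22, 23, 25, 80, 110, 111, 135, 137, 139, 443, 515, 2049, 6000)
] + [("block return-icmp-as-dest(port-unr)", "udp", p, None)
     for p in (53, 111, 514, 2049)
] + [
    ("block return-rst", "tcp", None, None),      # per-protocol catch-alls
    ("block", "icmp", None, None),
    ("block return-icmp-as-dest(port-unr)", "udp", None, None),
    ("block", "any", None, None),
]

def verdict(proto, port=None, flags=""):
    """Action of the first rule matching an inbound packet on le0 (all rules are 'quick')."""
    have = bits(flags)
    for action, rproto, rport, rflags in RULES:
        if rproto not in ("any", proto):
            continue
        if rport is not None and rport != port:
            continue
        if rflags is not None and have & bits(rflags[1]) != bits(rflags[0]):
            continue
        return action
    return "pass"  # ipf's default when nothing matches; unreachable with the final catch-all

if __name__ == "__main__":
    # Constructed probes: a real SYN, a FIN scan, an Xmas probe, and a UDP DNS probe.
    for probe in [("tcp", 22, "S"), ("tcp", 22, "F"), ("tcp", 22, "FPU"), ("udp", 53, "")]:
        print(probe, "->", verdict(*probe))
```

Note that an Xmas probe is dropped without a reset while a plain FIN gets one, and inbound echo requests are dropped, so the host will not answer ping from outside.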