pf Rule Question
Posted by fog, 01-13-2008, 07:35 PM Can someone tell me what's wrong with the following? (Besides the half-arsed queueing.) This is a home router/firewall/NAT machine running OpenBSD. It works fine, but I'm getting periodic log entries about it blocking attempts to connect to TCP port 80 on various sites. And it's legitimate sites that show up in the logs when someone visits them. More confusingly than anything, though, everything works fine despite the log entries. The logs cite rule 19, which, per pftop, is the following: Where have I gone wrong, and what, exactly, is getting blocked? Again, it's legitimate sites that end users are actually connecting to, not some nefarious thing we've never heard of.
Posted by psyxakias, 01-13-2008, 10:16 PM Your pf ruleset blocks incoming TCP packets flagged with RST (reset), to avoid your established connections being affected by a TCP reset attack. However, that doesn't mean that the specific sites are trying anything malicious at all, as TCP RST packets are used to reset a TCP connection when needed. In your case, I wouldn't worry about it. I would keep the rule and if logging alerts annoy you, you may remove the "log" word from the specific rule. Thank you.
Posted by fog, 01-14-2008, 01:20 AM But isn't it bad to discard these RST packets? No, thank you for the help!
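The following is an added, constructed pf.conf fragment, not the original poster's ruleset (which does not appear in the thread); it shows why a rule that blocks and logs RST packets coexists with working connections on a stateful OpenBSD firewall. The interface name pppoe0 and the LAN network are assumptions.

```pf
# Constructed example: minimal stateful NAT/firewall with an RST-blocking rule.
ext_if = "pppoe0"          # assumed external interface
lan_net = "192.168.1.0/24" # assumed LAN network

set skip on lo

# NAT for the LAN.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny; everything not matched by a later rule is dropped and logged.
block log all

# Outbound TCP from the LAN and from the router itself creates a state entry
# on the initial SYN.  Every reply packet for that connection, including a
# legitimate RST that falls inside the tracked sequence window, is matched
# against the state table and passed BEFORE the ruleset is consulted.
# (Since OpenBSD 4.1 "keep state" and "flags S/SA" are the defaults; they
# are written out here to make the behaviour explicit.)
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in  on $ext_if proto tcp from $lan_net to any flags S/SA keep state

# Only RSTs that match NO state reach this rule: stray resets, resets for a
# connection whose state has already been closed or expired, or forged
# resets with an out-of-window sequence number.  Dropping them cannot
# affect an established connection, because an in-window RST for a live
# connection never gets this far.  Remove "log" to keep the drop but
# silence the log entries.
block in log on $ext_if proto tcp from any to any flags R/R
```

Because pf reports the last matching rule, a logged drop will cite the RST rule rather than the default block; pfctl -vvsr shows the rule numbers so you can confirm which one your log entries refer to.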