For the FreeBSD pf firewall, I want it to block packets that do not belong to an established connection. For example, an attacker should not be able to send reset packets for an unknown, not-yet-established connection.
In Linux this is easy to do:
-d targethost -m state --state NEW -j ACCEPT
-m state --state RELATED,ESTABLISHED -j ACCEPT
This allows new state to be created and blocks anything else except packets belonging to an ESTABLISHED state.
I think FreeBSD pf should work the same way. Does pf have something like this? Do you think the ruleset below should allow reset packets for connections that were never established?
# pfctl -sr -vvv
@0 pass in log (all) quick from <administrators:4> to any flags S/SA synproxy state
[ Evaluations: 423 Packets: 0 Bytes: 0 States: 4 ]
[ Inserted: uid 0 pid 25567 State Creations: 4 ]
@1 block drop log (all) quick inet6 all
[ Evaluations: 419 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 25567 State Creations: 0 ]
@2 block drop log (all) quick from <blacklist:0> to any
[ Evaluations: 419 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 25567 State Creations: 0 ]
@3 pass log (all) quick all flags S/SA keep state
[ Evaluations: 419 Packets: 103 Bytes: 10941 States: 15 ]
[ Inserted: uid 0 pid 25567 State Creations: 19 ]
tcpdump -i pflog0 does not pick up (as pass or block) the reset packets destined for the host behind the firewall.
From the OpenBSD pf documentation: so you are already stateful.
To clarify, FreeBSD periodically ports pf over from OpenBSD, so the OpenBSD documentation applies to the core functionality.
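An added example ruleset, not from the original post or the pf project, that shows how to get the behaviour asked about and why the original ruleset never logs the stray RSTs. The interface name em0, the host address 192.0.2.10 and the port list are placeholders; the administrators and blacklist tables are the ones from the question. The point to notice: pf's implicit action when no rule matches is pass, and a bare RST does not match a rule with flags S/SA, so in the ruleset above it is passed by the default and, since no logging rule matched it, nothing shows up on pflog0. An explicit block log all at the top fixes both the leak and the missing log entry.

```pf
# Added example pf.conf (assumptions: ext_if, server address and ports are placeholders)
ext_if = "em0"
server = "192.0.2.10"

table <administrators> persist
table <blacklist> persist

# 1. Default deny, logged. Without this, a packet that matches no rule
#    (e.g. an unsolicited RST, which fails "flags S/SA") is passed by pf's
#    implicit default and never reaches pflog0.
block log all

# 2. Drop blacklisted sources before anything else.
block drop in log quick on $ext_if from <blacklist> to any

# 3. Only a SYN with ACK clear may create state. Any other TCP segment
#    to the server must match an existing state entry or fall back to rule 1.
pass in log quick on $ext_if proto tcp from <administrators> to $server \
    flags S/SA synproxy state
pass in quick on $ext_if proto tcp to $server port { 22, 443 } \
    flags S/SA keep state

# 4. Traffic originating from the inside may create state normally.
pass out quick on $ext_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. After that, a reset sent for a connection that was never established matches rule 1 and appears on tcpdump -n -e -ttt -i pflog0 as a block entry, while pfctl -ss shows only the states created by real SYNs.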