For a FreeBSD pf firewall, I want it to block packets for non-established connections. For example, the attacker should not send Reset packets for an unknown, not-yet-established connection.

In Linux it is easy to do:

```shell
# chain name assumed (FORWARD for hosts behind the firewall); the posted rules omitted it
iptables -A FORWARD -d targethost -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
```

This will allow new state establishments and block anything else except packets for an established state (ESTABLISHED).

I think FreeBSD pf should also work like this. Does pf have anything like this? Do you think the ruleset below should allow Reset packets for a non-established connection?
```
# pfctl -sr -vvv
@0 pass in log (all) quick from <administrators:4> to any flags S/SA synproxy state
  [ Evaluations: 423       Packets: 0         Bytes: 0           States: 4     ]
  [ Inserted: uid 0 pid 25567 State Creations: 4     ]
@1 block drop log (all) quick inet6 all
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@2 block drop log (all) quick from <blacklist:0> to any
  [ Evaluations: 419       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25567 State Creations: 0     ]
@3 pass log (all) quick all flags S/SA keep state
  [ Evaluations: 419       Packets: 103       Bytes: 10941       States: 15    ]
  [ Inserted: uid 0 pid 25567 State Creations: 19    ]
```
`tcpdump -i pflog0` does not say anything (pass or block) about accepting Reset packets destined for a host behind the firewall.
From the OpenBSD pf docs:

So you're already stateful.

And to clarify, FreeBSD occasionally ports pf over from OpenBSD, so their documentation applies for core features.
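As an added illustration (not part of the question or the answer above), here is a minimal FreeBSD `pf.conf` that expresses the Linux NEW / ESTABLISHED,RELATED pattern in pf terms. The interface name `em0`, the `<administrators>` table contents and the service ports are assumed values. The one thing it adds to the ruleset shown in the question is an explicit default `block`: pf's implicit policy when a packet matches no rule at all is to pass it, so a lone RST that fails every `flags S/SA` rule and has no state entry would otherwise be passed silently, and, because nothing matched a `log` rule, it would also never show up on `pflog0`.

```pf
# Added example pf.conf; interface, table members and ports are assumptions.
ext_if = "em0"
table <administrators> persist { 192.0.2.10, 192.0.2.11 }   # constructed addresses

set block-policy drop
set skip on lo0

# Default deny. Without this line, a packet that matches none of the rules
# below (for example an unsolicited RST with no state entry) is passed by
# pf's implicit default and, lacking "log", never appears on pflog0.
block log all

# Only a TCP SYN with ACK clear (flags S/SA) may create state. Every later
# packet of that connection, RST and FIN included, is matched against the
# state table rather than against rules. This is the pf counterpart of
# "--state NEW -j ACCEPT" followed by "--state RELATED,ESTABLISHED -j ACCEPT".
pass in log quick on $ext_if proto tcp from <administrators> to any flags S/SA synproxy state
pass in quick on $ext_if proto tcp to any port { 22, 443 } flags S/SA keep state

# Outbound traffic from the firewall and the hosts behind it, also stateful.
pass out quick on $ext_if proto { tcp udp icmp } all keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. With the default `block log all` in place, an RST arriving for a connection that was never established is dropped by rule @0 of the loaded set and, since that rule carries `log`, becomes visible with `tcpdump -n -e -ttt -i pflog0`, which is exactly the evidence the question was looking for on `pflog0`.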