# Packet Filter (PF) Question



## markfisher (Nov 25, 2010)

Hi
I recently configured my server with PF.
Server: FreeBSD
Services: qmail (Mail Server), Apache, PHP, and MySQL (Web Server) and BIND (DNS Server)
Firewall: Packet Filter (PF)

My PF has a file called spammers (/etc/spammers) which I use to block IP addresses that are trying to attack my machine.

/etc/spammers:

```
172.16.51.67
172.16.51.160
172.16.51.163
172.16.11.163
```
The problem is this:
I craft the packet from my desktop machine
source IP: 172.16.11.163
destination IP address: 172.16.11.180 (My Server IP)
No payload

When I send that packet out, my firewall passes it through (I have a rule that says to block that IP address). Now the question is how to block that kind of packet. (Can those packets be harmful to the machine, DDoS, ...?) I believe that IPFilter calls those packets SHORT packets and there is a keyword (Short) to block those (I could be wrong).

NOTE: I checked `pfctl -t spammers -T show` to make sure that the table loaded successfully.

Here is PF log file:
`tcpdump -n -e -ttt -r /var/log/pflog`

```
00:00:00.000000 rule 4294967295/3(Short): pass in on bge0: 172.16.11.163>172.16.11.180:[|tcp]
```


PF Rules:

```
ext_if = "bge0"

web_server  = "172.16.11.180"
dns_server  = "172.16.11.180"
mail_server = "172.16.11.180"
ssl_server = "172.16.11.180"

table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spammers> persist file "/etc/spammers"

set skip on lo0

scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400 random-id no-df
antispoof log quick for $ext_if

block in all with short
block in log quick on $ext_if from <spammers> to any
#block in quick on $ext_if from any os unknown

pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA synproxy state
pass in on $ext_if proto udp from any to $dns_server port 53
pass in on $ext_if proto tcp from any to $mail_server port 25 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ssl_server port 443 flags S/SA keep state
#pass out on $ext_if proto {tcp udp icmp} from (bge0) to any flags S/SA keep state 


#Try to block nmap scans
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

#try to block OS detection
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
```


Thanks
Mark
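
Added example, not part of the original post: a small Python check that cross-references the table entries against `tcpdump` text output from pflog and lists entries from table addresses that were not logged as `block`. The function names are hypothetical, the second and third log lines are constructed, and reading rule number 4294967295 (0xFFFFFFFF) as "not attributed to a numbered ruleset rule" is an assumption.

```python
import ipaddress
import re

# Constructed sample input, modelled on the table and log line shown in the post.
SPAMMERS = "172.16.51.67\n172.16.51.160\n172.16.51.163\n172.16.11.163\n"
PFLOG = """\
00:00:00.000000 rule 4294967295/3(Short): pass in on bge0: 172.16.11.163>172.16.11.180:[|tcp]
00:00:01.250000 rule 1/0(match): block in on bge0: 172.16.51.67.40112 > 172.16.11.180.25: S 1:1(0) win 512
00:00:02.500000 rule 2/0(match): pass in on bge0: 172.16.20.9.51000 > 172.16.11.180.80: S 1:1(0) win 512
"""
NO_RULE = 0xFFFFFFFF  # 4294967295; assumed to mean "no numbered ruleset rule"
LINE = re.compile(
    r"rule (?P<rule>\d+)(?:\.\S+?)?/(?P<code>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+?)\s*>\s*(?P<dst>[^\s:]+)"
)

def load_table(text):
    """Parse a PF table file: one address or CIDR per line, '#' comments allowed."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def host_of(endpoint):
    """Drop a trailing '.port' from tcpdump's IPv4 'a.b.c.d.port' notation."""
    return ipaddress.ip_address(".".join(endpoint.split(".")[:4]))

def parse(line):
    """Return the pflog fields of one tcpdump text line, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"], rec["code"] = int(rec["rule"]), int(rec["code"])
    rec["src"], rec["dst"] = host_of(rec["src"]), host_of(rec["dst"])
    return rec

def table_hits_not_blocked(log_text, table):
    """Log entries whose source is in the table but whose logged action is not 'block'."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["action"] != "block" and any(rec["src"] in n for n in table):
            rec["from_ruleset"] = rec["rule"] != NO_RULE
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in table_hits_not_blocked(PFLOG, load_table(SPAMMERS)):
        print(f["src"], f["action"], f["rule"], f["reason"], f["from_ruleset"])
```

On a live system the table text would come from `/etc/spammers` and the log text from the `tcpdump -n -e -ttt -r /var/log/pflog` command shown above.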


----------



## markfisher (Nov 25, 2010)

Sorry for double posting (I tried to figure out how to edit my post...)
On my pf rule:
Rule: "block in all with short" is commented out, as PF doesn't have a keyword "short"

Sorry again for double posting.

Mark


----------



## DutchDaemon (Nov 26, 2010)

Read your sign-up email, please.


----------

