# pf and nmap



## mcg (Aug 30, 2009)

Hello!

I have a problem with blocking the nmap OS detection. This is my pf.conf; these rules were working like a charm with FreeBSD 6.2, but with 7.2 they won't work. Who knows, it may be that FreeBSD used a different pf version in 6.2. Can anyone help please?


```
### Macros ###
ext_if="em0"
int_if="lo0"
tcp_services="{ 21, 22, 25, 80, 110, 443, 1863, 5199, 5999 }"
tcp_options="flags S/SAFRUP keep state"
dstaddr="{ my isp }"

### Tables ###
#table <internal_nets> persist file "/etc/internal_nets"
#table <Siteip>        persist file "/etc/Siteip"
table <goodguys>       persist file "/etc/goodguys"
table <badguys>        persist file "/etc/badguys"
table <RFC1918>        persist file "/etc/RFC1918"
#table <norouteip>     persist file "/etc/norouteip"
#table <trusted_nets>  persist file "/etc/trusted_nets"
#table <trusted_hosts> persist file "/etc/trusted_hosts"
#table <spamd>         persist file "/etc/spammers"

### Set Optimizations ###
#set block-policy drop
set block-policy return
set limit { states 20000, frags 20000 }
set loginterface $ext_if
set optimization aggressive
set timeout { interval 10, frag 30 }
#set skip on lo0
set debug loud
# the path must be a complete quoted string, otherwise pfctl fails to parse the file
set fingerprints "/etc/pf.os"

### Block Rules Inbound ###
block in log on $ext_if all

# nmap os detection block
# flags a/b: of the flags in b, exactly those in a must be set; flags outside b are ignored
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255

# block anything coming from a source we have no route back to
block in from no-route to any

# Block in for table traffic BadGuys
block in log quick on $ext_if from <badguys> to $ext_if

# Block in for table traffic RFC1918
block drop in log quick on $ext_if from <RFC1918> to any

### Block Rules Outbound ###

# Default: block all outbound traffic
block out log on $ext_if all

# Pass out for table traffic GoodGuys
pass out log quick on $ext_if from $ext_if to <goodguys> keep state

# Block out for table traffic BadGuys
block out log quick on $ext_if from $ext_if to <badguys>

# Block out for table traffic RFC1918
block drop out log quick on $ext_if from any to <RFC1918>

# allow the following traffic outbound
pass out log quick on $ext_if proto tcp from $ext_if to any port $tcp_services flags S/SA modulate state
pass out quick on $ext_if proto udp from $ext_if to $dstaddr port 53 keep state

# Block and log outgoing packets that don't have our address as source;
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance). We want to be nice and not send out garbage.
block out log quick on $ext_if from ! $ext_if to any


######### Anti spoof ##############
antispoof for { lo0, $int_if, $ext_if }
```

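To see what the six `flags` rules above actually catch, here is an added example (not from the thread or from pf itself) that implements pf's `flags set/mask` matching semantics in Python and evaluates the posted rules against a few constructed TCP flag combinations. The bit values assigned to each flag letter are an internal assumption of this script; only the set/mask logic matters.

```python
# pf "flags set/mask" semantics (pf.conf(5)): of the flags listed in the mask,
# exactly those listed in the set must be on; flags outside the mask are ignored.
# Letters follow pf.conf: F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE W=CWR.
# Bit assignment below is an arbitrary internal choice for this example.
PF_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def flags_to_bits(letters: str) -> int:
    """Convert a string of pf flag letters (e.g. 'SA') to a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in PF_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= PF_FLAG_BITS[ch]
    return bits

def parse_flags_spec(spec: str):
    """Parse 'set/mask' as written after the pf 'flags' keyword ('S/SA', '/WEUAPRSF')."""
    if "/" not in spec:
        raise ValueError("pf flags spec must be of the form set/mask")
    set_part, mask_part = spec.split("/", 1)
    set_bits, mask_bits = flags_to_bits(set_part), flags_to_bits(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError("set lists flags that are not in the mask")
    return set_bits, mask_bits

def pf_flags_match(spec: str, packet_flags: str) -> bool:
    """True if a TCP segment carrying packet_flags matches the pf flags spec."""
    set_bits, mask_bits = parse_flags_spec(spec)
    return (flags_to_bits(packet_flags) & mask_bits) == set_bits

# The six "nmap os detection block" rules from the posted pf.conf, in order.
RULES = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
         "/WEUAPRSF", "SR/SR", "SF/SF"]

def matching_rules(packet_flags: str) -> list:
    """Return the rules from RULES that a segment with these flags would hit."""
    return [r for r in RULES if pf_flags_match(r, packet_flags)]

if __name__ == "__main__":
    # Constructed samples: a normal SYN, no flags at all, FIN+PSH+URG, SYN+FIN, SYN+ACK
    for pkt in ["S", "", "FPU", "SF", "SA"]:
        print(f"flags={pkt or '(none)':>6} -> {matching_rules(pkt) or 'no rule matches'}")
```

A normal SYN or SYN/ACK matches none of the six rules, which is why these rules only ever see the odd flag combinations and never a plain connect-style probe.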

----------



## vivek (Aug 30, 2009)

nmap always updates its core algorithm, so it is not reliable at all to use pf to block port scanning done via nmap. Why not follow a close-all-and-open-required-ports policy? Also, put all those tables in /usr/local/etc; /etc/ is only for base and system.


----------



## mcg (Aug 31, 2009)

Thanks for the advice, I moved them to /usr/local/etc. The problem is that the pf firewall doesn't detect the flags. Yes, I scan from the same computer; I scan localhost and the ext IP.


----------

