PF interferes with nmap -sn sweep.

I have a simple /etc/pf.conf:
Code:
. . .
### Options

### by default drop blocked packets and do not return a return packet
set block-policy drop
### Set none for no debug messages.  alternatively set to urgent
set debug urgent
### reorder and combine rules as logic permits (none - basic - profile)
set ruleset-optimization none
### do not filter on the loopback interface(s)
set skip on lo0
set skip on lo1
set skip on lo2
### bind state matching to i/f (if-bound) or any (floating [default])
set state-policy if-bound


### Normalisation

### clean up incoming packets and reassemble fragments
scrub in all fragment reassemble no-df max-mss 1440
### Or not if rfc1323 timestamp integrity is required


### Filters
### set default action to block everything and log blocks
block return  out log all
block drop    in  log all

### can override this later
pass          out \
                from  self \
                to    any

### allow ssh from our public network
pass          in  quick inet  proto { tcp udp } \
                from  $ip_ssh_ok \
                to    self          port  { 22 80 443 10000 }

pass          in  quick inet  proto tcp \
                from  any \
                to    $ip_sshpipe   port  22

### allow tox messaging
pass          in  quick inet  proto udp \
                from  any             port  $port_tox \

### allow hp3000 virtual printing
pass          in  quick inet  proto tcp \
                from  $ip_hp3000 \
                to    any             port  $port_hp3000

With pf enabled, when I run nmap -sn 192.168.216.0/24 I see this:
Code:
# nmap -sn 192.168.216.0/24  | grep 'scan report'
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 192.168.216.11, 16) => Permission denied
Offending packet: TCP 216.185.71.41:47075 > 192.168.216.11:80 A ttl=55 id=38033 iplen=40  seq=0 win=1024
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 192.168.216.12, 16) => Permission denied
Offending packet: TCP 216.185.71.41:47075 > 192.168.216.12:80 A ttl=49 id=29902 iplen=40  seq=0 win=1024
. . .
Omitting future Sendto error messages now that 10 have been shown.  Use -d2 if you really want to see them.
. . .

With pf disabled these messages do not appear. What in my pf.conf causes this behaviour?
 
nmap is being run on the device with this pf config? What IP does the device have, I'm assuming 192.168.216.x?

Pretty much I think it's the "block return out log all", but the "where are you running the command from and what IP the interfaces have" tells us a lot more information.
 
Code:
### allow ssh from our public network 
pass in quick inet proto { tcp udp } \
 from $ip_ssh_ok \
 to self port { 22 80 443 10000 }
Not related to your issue, but HTTP(S) (80 and 443) and SSH (22) do not use UDP. So don't allow it.
 
I am running nmap on 216.185.71.41.

The stanza:
Code:
### can override this later
pass          out \
                from  self \
                to    any

Allows outgoing traffic from self. That should mean that all related incoming traffic is permitted. Therefore this should override the preceding block drop in log all. However, to test I disabled that particular filter, restarted pf and ran nmap again. This did not change the observed behaviour.
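As an added illustration (not code from the thread), a small Python model of how pf evaluates the posted out rules against the probe types nmap -sn sends. It assumes pf's documented default that a TCP pass rule without an explicit flags clause uses flags S/SA, so a bare ACK probe never matches pass out from self and falls through to block return out, which is what makes sendto() fail with Permission denied; the SYN and ICMP probes, which the error output does not list, pass.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    tcp_flags: str = ""     # TCP flag letters as nmap prints them: "S", "A", "SA"

@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str = ""     # "in", "out" or "" for both
    proto: str = ""         # "" matches any protocol
    from_self: bool = False # pf "from self"
    flags: str = ""         # pf "flags a/b" or "any"; "" means pf's default

    def matches(self, p: Packet, self_addrs: set) -> bool:
        if self.direction and self.direction != p.direction: return False
        if self.proto and self.proto != p.proto: return False
        if self.from_self and p.src not in self_addrs: return False
        if p.proto == "tcp" and self.action == "pass":
            # Assumed pf default: a TCP pass rule carries "flags S/SA", i.e. of
            # the SYN and ACK bits only SYN may be set (connection initiation).
            spec = self.flags or "S/SA"
            if spec != "any":
                want, mask = spec.split("/")
                if {f for f in p.tcp_flags if f in mask} != set(want):
                    return False
        return True

def evaluate(rules, p: Packet, self_addrs: set) -> str:
    # pf semantics: the last matching rule wins (none of the posted out rules
    # use "quick", so quick is not modelled here).
    winner = None
    for r in rules:
        if r.matches(p, self_addrs):
            winner = r
    return winner.action if winner else "pass"   # pf's implicit default is pass

# The filter rules of the posted pf.conf that can match outbound traffic.
POSTED_RULES = [
    Rule("block", "out"),                  # block return out log all
    Rule("pass", "out", from_self=True),   # pass out from self to any
]
SELF = {"216.185.71.41"}   # the scanning host, as stated in the thread

# Constructed from the posted "Offending packet" line (a bare ACK to port 80),
# plus the SYN and ICMP probes nmap -sn also sends, which were not reported.
ACK_PROBE = Packet("out", "tcp", "216.185.71.41", "A")
SYN_PROBE = Packet("out", "tcp", "216.185.71.41", "S")
ICMP_PROBE = Packet("out", "icmp", "216.185.71.41")
```

On the box itself, since both block rules carry log, tcpdump -n -e -ttt -i pflog0 shows each blocked probe together with the number of the rule that matched it.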
 