Subject: Re: ipfilter setup
To: None <netbsd-help@NetBSD.org>
From: Martin Schmitz <martin-schmitz@web.de>
List: netbsd-help
Date: 11/30/2003 14:00:25
David S. wrote:
>> # First allow any outgoing tcp/udp packet and keep state of the connection
>> # to also allow packets coming back from the connected host
>> pass out quick on pppoe0 proto tcp/udp from any to any keep state keep frags
>>
>> # Same thing for icmp
>> pass out quick on pppoe0 proto icmp from any to any keep state
>
> There's a potential problem in the interaction of the two rules above
> with the two below.
>
>> # block all other incoming traffic and return rst/port-unr packets;
>> # log only errors and warnings
>> block return-rst in log level auth.alert quick on pppoe0 proto tcp \
>> from any to any
>> block return-icmp(port-unr) in log level auth.alert quick on pppoe0 \
>> proto udp from any to any
>
> Suppose a remote host attempts to initiate a connection to a blocked
> port. His SYN packet causes an RST to be sent back. Because of your
> "pass out ... proto tcp ... keep state ..." rule, that RST creates a
> state.
Yes, this sounds quite evident. But I did test it. ;-)
I ran nmap -sS and nmap -sS -F to scan my host from outside and then
took a look at the output from 'ipfstat -ios' - and there were no
states for any packets besides the one to the allowed ports.
> The remote host then sends the exact same SYN packet back,
> and, because of the state in your packet filter, it gets through.
> I haven't seen this happen with IP Filter, but I have seen it with
> other packet-filtering software.
Ah, ok - so you knew the result of my little test?
ipfilter seems to be quite 'clever', then.
> It's probably wise to err on the side of caution, and replace
>
> pass out quick on pppoe0 proto tcp/udp from any to any keep state
> keep frags
>
> with something like
>
> pass out quick on pppoe0 proto tcp from any to any flags S keep
> state keep frags
> pass out quick on pppoe0 proto udp from any to any
> keep state keep frags
Ok. Nevertheless this seems to be a good idea, to be more restrictive
without any harm. Did it.
> and maybe add a
>
> pass out quick on pppoe0 proto icmp from any to any icmp-type
> unreach
>
> before
>
> pass out quick on pppoe0 proto icmp from any to any keep state
>
> Actually, I think that the only ICMP-type you "need" to keep state on
> is 'echo', for 'traceroute' to work properly.
Ok, I'll give it a try. I don't know much about icmp.
> Also, you're returning RSTs for any denied TCP packet, not just SYN
> packets addressed to your host. While there's probably no harm in
> that, I don't think it's necessary. (If I'm wrong here, I'm sure
> someone will correct me ...)
Mh, yes, but I'd have to define more rules to distinguish between
different types of packets, right? I wanted to keep it as simple as
possible for the beginning.
Thanks a lot for your really good comment,
Martin
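The interaction David describes, as an added toy model that is not code from the thread or from IP Filter (Martin's own nmap test indicates IP Filter does not create state from the returned RST; the model shows the failure mode as it appears on filters that do): a blocked SYN, the RST reply traversing a `pass out ... proto tcp ... keep state` rule with and without `flags S`, and the same SYN sent again. Addresses, ports and the packet sequence are constructed.

```python
"""Toy model of the 'keep state' pitfall discussed in the thread.
Added example, not code from the thread or from IP Filter: an outbound RST
matching 'pass out proto tcp ... keep state' creates state that lets the
next inbound SYN through, while 'flags S' creates state for SYN-only packets.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to pppoe0
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as a string, e.g. "S", "R", "SA"

@dataclass
class Filter:
    allowed_in_ports: frozenset
    syn_only_state: bool         # True models 'flags S keep state'
    states: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        """Return 'pass' or 'block' for one packet, updating the state table."""
        if pkt.direction == "in":
            # State entries hold the outbound 4-tuple; an inbound packet
            # matches if it is the mirror image of an existing entry.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
                return "pass"                 # matched existing state
            if pkt.dport in self.allowed_in_ports and pkt.flags == "S":
                return "pass"                 # an explicit 'pass in' rule
            return "block"                    # block return-rst in ... proto tcp
        # Outbound: 'pass out quick ... proto tcp ... keep state'. Without
        # 'flags S' every outbound TCP packet, including the RST generated
        # by 'block return-rst', creates a state entry.
        if not self.syn_only_state or pkt.flags == "S":
            self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

def scan_blocked_port(syn_only_state: bool) -> list:
    """Remote host sends SYN to blocked port 23, the filter's RST reply is
    modelled as an outbound packet, then the same SYN is sent again."""
    fw = Filter(allowed_in_ports=frozenset({22}), syn_only_state=syn_only_state)
    me, remote = "203.0.113.5", "198.51.100.7"      # constructed addresses
    syn = Packet("in", remote, 40000, me, 23, "S")
    first = fw.handle(syn)
    fw.handle(Packet("out", me, 23, remote, 40000, "R"))   # the return-rst
    second = fw.handle(syn)
    return [first, second]
```

`scan_blocked_port(False)` returns `["block", "pass"]` (the second SYN leaks through the RST-created state) and `scan_blocked_port(True)` returns `["block", "block"]`.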