Blocking traffic with PF

Frank Staals f.staals at zonnet.nl
Sun Apr 24 07:07:58 PDT 2005


Hey everyone,

I would like to block all traffic from one host. The problem is the data 
isn't coming from that host anymore; it is redirected from my router. I 
am using PF as firewall, and this is the ruleset I wanted to use for it:

block in from { example.host.com , example2.secondhost.com } to any

but when I enable tcpdump while starting the application which triggers 
the incoming data from the hosts I want to block, this is a piece of what 
it shows (with the -v option):

15:54:45.944499 IP Riza.FStaals.LAN.63681 > 
SpeedTouch.FStaals.Lan.domain:  57330+ AAAA? example.host.com. (35)
15:54:45.974083 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.63681:  57330 1/0/0 CNAME example2.secondhost.com. (54)
15:54:45.974301 IP Riza.FStaals.LAN.65038 > 
SpeedTouch.FStaals.Lan.domain:  57331+ A? example.host.com. (35)
15:54:45.986375 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.65038:  57331 2/0/0 CNAME example2.secondhost.com.[|domain]
15:54:45.986740 IP Riza.FStaals.LAN.63345 > 
SpeedTouch.FStaals.Lan.domain:  57332+ AAAA? example2.secondhost.com. (32)
15:54:45.999378 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.63345:  57332 0/0/0 (32)
15:54:45.999509 IP Riza.FStaals.LAN.58187 > 
SpeedTouch.FStaals.Lan.domain:  57333+ A? example2.secondhost.com. (32)
15:54:46.014454 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.58187:  57333 1/0/0 A 193.69.116.13 (48)
15:54:46.867432 IP Riza.FStaals.LAN.50980 > 
SpeedTouch.FStaals.Lan.domain:  36113+ PTR? 138.0.0.10.in-addr.arpa. (41)
15:54:46.868404 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.50980:  36113* 1/0/0 PTR[|domain]
15:54:46.869032 IP Riza.FStaals.LAN.54487 > 
SpeedTouch.FStaals.Lan.domain:  36114+ PTR? 13.116.69.193.in-addr.arpa. (44)
15:54:46.905268 IP SpeedTouch.FStaals.Lan.domain > 
Riza.FStaals.LAN.54487:  36114 NXDomain* 0/0/0 (44 )

So the problem is that the data is redirected at my router 
(SpeedTouch.FStaals.LAN) to my laptop (Riza.FStaals.LAN), but I can't 
block all the traffic from my router since I do want to receive all the 
other data. My router doesn't have an option to block specified URLs, so I 
can't do it there either.

Has anyone an idea how I can block all the data from the 'bad hosts' 
(which I changed here to example.host.com and example2.secondhost.com)?

Thanks in advance

Frank Staals
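One way to turn a trace like the one above into something PF can act on, as an added example that is not part of Frank's post: hostnames in pf.conf are resolved only once when the ruleset is loaded, and a CNAME alias may not resolve to the address the application actually talks to, so this pulls the final A records out of the tcpdump -v DNS answers and emits them as entries for a PF table. The table name badhosts, the sample trace lines and the ruleset fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Parses tcpdump -v DNS answer
# lines and prepares PF table entries for the addresses they resolve to.

# Constructed sample trace modelled on the post (duplicate answer on purpose).
SAMPLE_TRACE='15:54:45.986375 IP SpeedTouch.FStaals.Lan.domain > Riza.FStaals.LAN.65038:  57331 2/0/0 CNAME example2.secondhost.com.[|domain]
15:54:45.999509 IP Riza.FStaals.LAN.58187 > SpeedTouch.FStaals.Lan.domain:  57333+ A? example2.secondhost.com. (32)
15:54:46.014454 IP SpeedTouch.FStaals.Lan.domain > Riza.FStaals.LAN.58187:  57333 1/0/0 A 193.69.116.13 (48)
15:54:46.120001 IP SpeedTouch.FStaals.Lan.domain > Riza.FStaals.LAN.58188:  57334 1/0/0 A 193.69.116.13 (48)'

# Reads tcpdump -v lines on stdin and prints each IPv4 address that follows
# an "A" answer token (queries carry "A?" and are skipped), de-duplicated.
dns_a_records() {
  awk '{
    for (i = 1; i < NF; i++)
      if ($i == "A" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$(i+1)]++)
        print $(i+1)
  }'
}

# Turns an IP list on stdin into the pfctl commands that would add them to
# a persistent table named badhosts (name chosen for this example).
pf_table_commands() {
  while read -r ip; do
    printf 'pfctl -t badhosts -T add %s\n' "$ip"
  done
}

# The pf.conf fragment the table is meant for: block the addresses in both
# directions so connections the laptop opens itself are stopped too.
pf_ruleset() {
  cat <<'EOF'
table <badhosts> persist
block in quick from <badhosts> to any
block out quick from any to <badhosts>
EOF
}

# Addresses found in the constructed sample trace.
sample_ips() { printf '%s\n' "$SAMPLE_TRACE" | dns_a_records; }

sample_ips | pf_table_commands
pf_ruleset
```

A block in rule on its own does not stop traffic the laptop initiates when a stateful pass out rule exists, because replies match the state entry before the block rule is consulted; blocking both directions avoids that. Addresses behind a CNAME can change, so the table has to be refreshed when resolution changes.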


More information about the freebsd-questions mailing list