pf block question

Matt Rechkemmer tiberius at trancell.org
Thu Jun 9 10:19:40 GMT 2005


On Tue, Jun 07, 2005 at 01:50:30PM +0300, Giorgos Keramidas wrote:
> 
> We'd have to see the entire ruleset and a tcpdump of traffic that passes
> through to know what's wrong.
> 
> - Giorgos

Here are the rules as taken from pfctl -sr.  I can also provide a copy of
pf.conf, if needed.  The user's host is in the "badhosts" table.  I've changed
the first three octets of my IPs, for privacy reasons.  The intruder's IP in
the tcpdump has also been masked.

***sorry about the word wrap***

scrub in all fragment reassemble
block drop on fxp0 from <badhosts> to any
block drop all
pass out quick on lo0 all
pass in quick on lo0 all
pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.70 port = ssh keep state
pass in quick on fxp0 inet6 proto tcp from <owners> to fe80::211:11ff:fe47:1980 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.161 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.162 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.163 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.164 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.165 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.166 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.167 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.168 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.169 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.170 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.171 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.172 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.173 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.174 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.175 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.176 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.177 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.178 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.179 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.180 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.181 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.182 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.183 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.184 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.185 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.186 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.187 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.188 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.189 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.190 port = ssh keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = smtp keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto udp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.163 port = http keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = pop3s keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.161 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.168 port = afs3-fileserver keep state
pass out on fxp0 all keep state

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
03:17:04.793303 IP my.host.com > attacker.host.com: icmp 64: echo request seq 0
03:17:04.823353 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 0
03:17:05.801745 IP my.host.com > attacker.host.com: icmp 64: echo request seq 1
03:17:05.832149 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 1

Thanks,

--
Matt Rechkemmer
tiberius at trancell.org
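Added example, not part of the post and not FreeBSD's pf code: a small Python model of how pf evaluates a ruleset shaped like the one above. It encodes three behaviours documented in pf.conf(5): the last matching rule wins, a matching rule marked `quick` ends evaluation at once, and a packet that matches an existing state entry bypasses the ruleset entirely. It is run against a reduced subset of the posted rules (interfaces and the lo0 rules dropped, table contents and the 198.51.100.9 / 203.0.113.5 addresses constructed) and against a hardened variant in which the `<badhosts>` block is `quick` and applied in both directions. The `Packet`, `Rule` and `Pf` names and the coarse state key are this example's own simplifications.

```python
"""Toy model of pf(4) rule evaluation, added as an illustration; it is not
code from the mailing list post or from FreeBSD. It encodes three documented
pf.conf(5) behaviours: the LAST matching rule wins, a matching rule marked
`quick` ends evaluation immediately, and a packet matching an existing
state entry bypasses the ruleset entirely. Interfaces are ignored and
table contents are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed table contents (the real addresses were masked in the post).
TABLES = {"badhosts": {"198.51.100.9"}, "owners": {"203.0.113.5"}}


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" or "out"
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None         # TCP/UDP destination port
    icmp_type: Optional[str] = None     # "echoreq" or "echorep"


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    quick: bool = False
    proto: Optional[str] = None
    src: str = "any"                    # address, "any" or "<table>"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    keep_state: bool = False


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return addr in TABLES[spec[1:-1]]
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.proto in (None, pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport)
            and rule.icmp_type in (None, pkt.icmp_type))


class Pf:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()             # flows admitted by a keep-state pass

    def filter(self, pkt: Packet):
        """Return (verdict, explanation) for one packet, updating state."""
        # Deliberately coarse state key (proto + endpoints); enough for the toy.
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        if key in self.states:
            return "pass", "existing state; ruleset skipped"
        winner = None
        for idx, rule in enumerate(self.rules):
            if rule_matches(rule, pkt):
                winner = idx            # a later match overrides an earlier one
                if rule.quick:
                    break               # unless the match is quick
        if winner is None:
            return "pass", "no match; pf default is pass"
        rule = self.rules[winner]
        if rule.action == "pass" and rule.keep_state:
            self.states.add(key)
        return rule.action, f"rule {winner} ({'quick ' if rule.quick else ''}{rule.action})"


# Subset of the posted ruleset, same order, interfaces dropped.
POSTED = [
    Rule("block", src="<badhosts>"),                                    # not quick
    Rule("block"),
    Rule("pass", "out", proto="icmp", icmp_type="echoreq", keep_state=True),
    Rule("pass", "in", proto="icmp", icmp_type="echoreq", keep_state=True),
    Rule("pass", "in", quick=True, proto="tcp", dst="1.3.3.70", dport=25, keep_state=True),
    Rule("pass", "out", keep_state=True),
]
# Same ruleset with the table block made quick and applied in both directions.
HARDENED = [Rule("block", quick=True, src="<badhosts>"),
            Rule("block", quick=True, dst="<badhosts>")] + POSTED[1:]

BAD, ME = "198.51.100.9", "1.3.3.70"
SMTP_FROM_BAD = Packet("in", "tcp", BAD, ME, dport=25)
PING_TO_BAD = Packet("out", "icmp", ME, BAD, icmp_type="echoreq")
PONG_FROM_BAD = Packet("in", "icmp", BAD, ME, icmp_type="echorep")


def run(rules):
    """Verdicts for the three constructed packets, in order, on a fresh pf."""
    pf = Pf(rules)
    return [pf.filter(p)[0] for p in (SMTP_FROM_BAD, PING_TO_BAD, PONG_FROM_BAD)]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        pf = Pf(rules)
        for pkt in (SMTP_FROM_BAD, PING_TO_BAD, PONG_FROM_BAD):
            print(name, pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, *pf.filter(pkt))
```

With the posted ordering the model passes all three constructed packets: the inbound SMTP connection from a badhost is matched by the non-quick block rule but then overridden by the later quick pass on port 25, the outbound echo request is admitted by the final keep-state pass rule, and the echo reply never reaches the ruleset because it matches the state that request created. With the hardened ordering all three are blocked, and no state is ever created for the badhost. The same check can be done on a live system with pfctl's rule-by-rule match counters (pfctl -vsr) rather than with a model.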
