pf block question

Giorgos Keramidas keramida at ceid.upatras.gr
Thu Jun 9 10:51:24 GMT 2005


On 2005-06-09 03:18, Matt Rechkemmer <tiberius at trancell.org> wrote:
> On Tue, Jun 07, 2005 at 01:50:30PM +0300, Giorgos Keramidas wrote:
> >
> > We'd have to see the entire ruleset and a tcpdump of traffic that passes
> > through to know what's wrong.
> >
> > - Giorgos
>
> Here are the rules as taken from pfctl -sr.  I can also provide a copy of
> pf.conf, if needed.  The user's host is in the "badhosts" table.  I've changed
> the first three octets of my IPs, for privacy reasons.  The intruder's IP in
> the tcpdump has also been masked.
>
> ***sorry about the word wrap***
>
> scrub in all fragment reassemble
> block drop on fxp0 from <badhosts> to any
> block drop all
> pass out quick on lo0 all
> pass in quick on lo0 all
> pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
> pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state

Rule matching in PF (as in IP Filter) is "last match wins".

The ICMP packets from <badhosts> entries match the following rules:

	scrub in all fragment reassemble
	block drop on fxp0 from <badhosts> to any
	pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state

and the last rule wins...

If you add "quick" to the `block from <badhosts>' rule, packets from
these hosts will immediately be dropped -- which is what you probably
want to do, if I have understood what you wrote so far.

- Giorgos
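A small Python model of the evaluation order described above, added here as an illustration (not code from the thread or from PF itself): it replays the poster's filter rules with and without "quick" on the <badhosts> block. The table entry and packets are constructed, and the model only covers the matching criteria used in this ruleset.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False               # stop evaluating as soon as this matches
    direction: Optional[str] = None   # "in" or "out"; None matches both
    iface: Optional[str] = None       # interface name; None matches any
    proto: Optional[str] = None       # e.g. "icmp"; None matches any
    src_table: Optional[str] = None   # source address must be in this table
    icmp_type: Optional[str] = None   # e.g. "echoreq"; None matches any

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    icmp_type: Optional[str] = None

def matches(rule: Rule, pkt: Packet, tables: dict) -> bool:
    # Every criterion the rule sets must hold; unset criteria match anything.
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.icmp_type in (None, pkt.icmp_type)
            and (rule.src_table is None or pkt.src in tables[rule.src_table]))

def evaluate(rules: list, pkt: Packet, tables: dict) -> str:
    # Last matching rule wins, unless a matching rule is "quick" (final immediately).
    verdict = "pass"                  # PF passes a packet that no rule matches
    for rule in rules:
        if matches(rule, pkt, tables):
            verdict = rule.action
            if rule.quick:
                break
    return verdict
# Constructed table entry (RFC 5737 documentation address), not from the thread.
TABLES = {"badhosts": {"198.51.100.7"}}
# The poster's filter rules; "scrub" normalises packets and is not a filter rule.
ORIGINAL = [
    Rule("block", iface="fxp0", src_table="badhosts"),
    Rule("block"),
    Rule("pass", quick=True, direction="out", iface="lo0"),
    Rule("pass", quick=True, direction="in", iface="lo0"),
    Rule("pass", direction="out", iface="fxp0", proto="icmp", icmp_type="echoreq"),
    Rule("pass", direction="in", iface="fxp0", proto="icmp", icmp_type="echoreq"),
]
# The suggested fix: add "quick" to the <badhosts> block so later pass rules never apply.
FIXED = [Rule("block", quick=True, iface="fxp0", src_table="badhosts")] + ORIGINAL[1:]
```

With ORIGINAL, an echo request from a <badhosts> member on fxp0 ends up at the final ICMP pass rule and is accepted; with FIXED the quick block is the last word.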


