How to add rule with pfctl...

Agus agus.262 at gmail.com
Mon Sep 17 19:30:17 PDT 2007


Agus wrote:
>
> 2007/9/15, Mel <fbsd.questions at rachie.is-a-geek.net>:
>
>  On Saturday 15 September 2007 23:18:17 Agus wrote:
>
>      I am trying to figure out how to add a firewall rule with pfctl...
> This is what I'm trying to do...
>
> I've got SEC that matches a certain pattern and takes the IP from that, and I
> want to trigger a firewall rule to block that IP....
> Then after a couple of hours SEC will trigger the command to un-block the
> IP...
> So what I need is the command to block an IP address from the command line,
> not touching any pf.conf....
>
>  If you don't need to add a rule but an IP, then tables are your friend.
> Example for /etc/pf.conf:
> # Placeholder for spammers table, non-routable network IP.
> table <spammers> persist { 192.168.111.111 }
> # Block this traffic
> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>
> Then on the command line:
> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> And to delete:
> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>
> --
> Mel
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
>      Hi,
> I put this in /etc/pf.conf:
> external_addr="192.168.1.11" which is the address of the only interface.
> This machine isn't a router.
>
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>
> but when I try to connect from 192.168.0.1 I connect with no problems... this
> rule is to block access..
> What am I doing wrong.. it's my first time with pf...
>
> Thanks...
>
>  2007/9/17, Goltsios Theodore <tgol at kinetix.gr>:
Well I think that you mean to add this:

ext_if="rl0" # Or whatever your interface is; ifconfig helps to find out
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh

or even:
ext_if="rl0"
external_addr="192.168.1.11"
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh

Think of macros as variables. As long as you don't define them they don't
exist (are empty).



I know, Theodore, I've done it exactly like you put it.... first declare macros
and then the rule....
but I couldn't block access to the machine.... this rule is supposed to block
all access to port 22 on the machine coming from 192.168.0.1.... but I can
access from there...

i checked pfctl -e
pfctl -sa

and everything seems to be loaded...

Thanks...
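Mel's table approach above, wrapped as a small shell script that a tool like SEC could call instead of invoking pfctl directly. This is an added example, not code from the thread; the table name spammers follows Mel's pf.conf snippet, while the script name, the TABLE and PFCTL variables and the dry-run convention are assumptions. It assumes /etc/pf.conf already carries `table <spammers> persist` and a block rule that references `<spammers>`.

```shell
#!/bin/sh
# Added example (not from the thread): add/remove an address in the pf table
# that the pf.conf block rule references, so no rule reload is needed.
# Usage:  pfblock.sh add 203.0.113.5      pfblock.sh del 203.0.113.5
# TABLE and PFCTL are assumed names; set PFCTL=echo to dry-run without pf.

TABLE="${TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Accept only a plain dotted-quad IPv4 address. A SEC pattern match hands us
# text taken from a log line, and that text must never reach pfctl unchecked.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the pfctl command line for an add or del against the table.
pf_table_cmd() {
    case $1 in
        add) op=-Tadd ;;
        del) op=-Tdel ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$2" || return 1
    printf '%s -t %s %s %s\n' "$PFCTL" "$TABLE" "$op" "$2"
}

# Validate, build and run; refuse anything that is not a clean add/del + IPv4.
pf_table_apply() {
    cmd=$(pf_table_cmd "$1" "$2") || { echo "refused: $1 '$2'" >&2; return 1; }
    $cmd
}

# Entry point when run as a script (no-op when sourced without arguments).
if [ $# -eq 2 ]; then
    pf_table_apply "$1" "$2"
fi
```

The un-block after a couple of hours is then just the same script called with `del`, which SEC can schedule from its own timer action.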

