How to add rule with pfctl...

Erik Osterholm freebsd-lists-erik at erikosterholm.org
Mon Sep 17 20:13:25 PDT 2007


On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
> Agus wrote:
> >
> > 2007/9/15, Mel <fbsd.questions at rachie.is-a-geek.net>:
> >
> >  On Saturday 15 September 2007 23:18:17 Agus wrote:
> >
> > I am trying to figure out how to add a firewall rule with pfctl...
> > This is what I'm trying to do...
> >
> > I've got SEC that matches a certain pattern and takes the IP from that and
> > want to trigger a firewall rule to block that IP....
> > Then after a couple of hours SEC will trigger the command to un-block the
> > IP...
> > So what I need is the command to block an IP address from the command line,
> > not touching any pf.conf....
> >
> > If you don't need to add a rule but an IP, then tables are your friend.
> > Example for /etc/pf.conf:
> > # Placeholder for spammers table, non-routable network IP.
> > table <spammers> persist { 192.168.111.111 }
> > # Block this traffic (destination port smtp; "from <spammers> port smtp"
> > # would match the source port instead)
> > block return-rst in log on $ext_if proto tcp from <spammers> to any port smtp
> >
> > Then on the command line:
> > /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> > And to delete:
> > /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
> >
> > --
> > Mel
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> >
> > Hi,
> > I put this in /etc/pf.conf:
> > external_addr="192.168.1.11", which is the address of the only interface.
> > This machine isn't a router.
> >
> > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > $external_addr port ssh
> >
> > but when I try to connect from 192.168.0.1 I connect with no problems... this
> > rule is to block access..
> > What am I doing wrong.. it's my first time with pf...
> >
> > Thanks...
> >
> >  2007/9/17, Goltsios Theodore <tgol at kinetix.gr>:
> Well I think that you mean to add this:
> 
> ext_if="rl0" # Or whatever your interface is ifconfig helps to find out
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
> port ssh
> 
> or even:
> ext_if="rl0"
> external_addr="192.168.1.11"
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> $external_addr port ssh
> 
> Think of macros as variables. As long as you don't define them they don't
> exist (are empty).
> 
> 
> 
> I know Theodore, I've done it exactly like you put it.... first declare macros
> and then the rule....
> but I couldn't block access to the machine.... this rule is supposed to block
> all access to port 22 on the machine coming from 192.168.0.1.... but I can
> access from there...
> 
> I checked pfctl -e
> pfctl -sa
> 
> and everything seems to be loaded...
> 
> Thanks...

Are you sure that you're trying to block only from a specific host?
The source address shouldn't change, even if you're doing nat.  I
would assume that you'd want an 'any' keyword there, rather than a
specific IP address.

Also, you can add hosts to the table automatically based on number of connections over a given period of time:

block quick from <blackhole>
pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)

The first rule blocks hosts from the blackhole table.  The second adds
hosts to the blackhole table and kills their state if they connect
more than 5 times in 30 seconds.  This is obviously tunable: 3/30
would be 3 connections in 30 seconds, and 8/60 would be 8 connections
in 60 seconds.

Erik
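Putting Mel's table and Erik's overload clause together into one ruleset for Agus's single-interface host, as an added example that is not from any of the posts above. The interface name rl0, the address 192.168.1.11 and the table name blackhole are assumptions; rules for the host's other traffic are left out.

```pf
# Added example ruleset, not from the thread.  rl0 and 192.168.1.11 are assumed.
ext_if   = "rl0"
ext_addr = "192.168.1.11"

# One table, fed two ways: by SEC through "pfctl -t blackhole -T add" and
# "-T delete", and by the overload clause below.  "persist" keeps the table
# in the kernel even while it is empty, so the pfctl calls never fail for
# lack of a table.
table <blackhole> persist

# Drop anything from a blackholed source before any pass rule can match it.
block drop in quick on $ext_if from <blackhole>

# Accept SSH, but a source that opens more than 5 connections in 30 seconds
# is added to <blackhole> and loses all of its existing states ("flush
# global"), so an already-open session cannot outlive the block.
pass in on $ext_if inet proto tcp from any to $ext_addr port ssh \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and watch the table with `pfctl -t blackhole -T show`. Without `flush global`, a connection that was already established when the source was added to the table keeps its state and is not affected by the `block` rule, which is the usual reason a freshly added table entry "does not work".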
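The command-line side Agus asked for, as an added example rather than anything posted in the thread: a small wrapper that SEC can call as its action for blocking, and again hours later for unblocking. The table name spammers and the path /sbin/pfctl are assumptions and can be overridden in the environment. The one thing worth adding over a bare `pfctl -t spammers -T add $IP` is the address check: the IP comes out of a log line that SEC matched, so it is attacker-influenced text and must not reach pfctl's argument list unvalidated. DRY_RUN=1 prints the pfctl command instead of running it, which is also how the functions can be exercised on a machine without pf.

```sh
#!/bin/sh
# pfblock.sh: wrapper around pfctl(8) meant to be called by SEC as its action.
# Added example for this thread, not from the original posts.  Assumptions:
# pf.conf declares "table <spammers> persist" and a block rule that references
# it, and pfctl lives in /sbin.  Override TABLE and PFCTL in the environment.
TABLE="${TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print the pfctl command line instead of running it

# Accept only a dotted-quad IPv4 address whose four octets are all in 0..255.
# Anything else (hostnames, IPv6, shell metacharacters, extra pfctl options
# smuggled in by a crafted log line) is rejected before pfctl sees it.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run pfctl, or echo the exact command in dry-run mode.
pf_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$PFCTL $*"
    else
        "$PFCTL" "$@"
    fi
}

# SEC action on a match: block the address by adding it to the table.
block_ip() {
    if ! valid_ipv4 "$1"; then
        echo "pfblock: refusing to block malformed address '$1'" >&2
        return 1
    fi
    pf_cmd -t "$TABLE" -T add "$1"
}

# SEC action a couple of hours later: remove the address again.
unblock_ip() {
    if ! valid_ipv4 "$1"; then
        echo "pfblock: refusing to unblock malformed address '$1'" >&2
        return 1
    fi
    pf_cmd -t "$TABLE" -T delete "$1"
}

# Alternative to per-address unblocking, e.g. from cron: drop every entry that
# has been in the table longer than N seconds (default two hours).  Check that
# the pfctl(8) on your release lists the "-T expire" command.
expire_table() {
    pf_cmd -t "$TABLE" -T expire "${1:-7200}"
}

case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    expire)  expire_table "$2" ;;
    "")      ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 block ADDR | unblock ADDR | expire [SECONDS]" >&2; exit 64 ;;
esac
```

Typical SEC actions would then be `shellcmd /usr/local/sbin/pfblock.sh block $1` on the match and `shellcmd /usr/local/sbin/pfblock.sh unblock $1` from the delayed event. Entries added with `-T add` live only in the running table; keep that in mind when reloading the ruleset, and check with `pfctl -t spammers -T show` afterwards.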


More information about the freebsd-questions mailing list