basic rule request - allow_all/block_bad

fbsdmail at dnswatch.com fbsdmail at dnswatch.com
Wed Jan 21 09:32:26 PST 2009


Greetings, and thank you for your reply...

On Wed, January 21, 2009 8:47 am, Jon Radel wrote:
>

> fbsdmail at dnswatch.com wrote:
>
>>> block in quick from 10.20.30.40 to any
>>> pass all
>>>
>>> If you need to block more than one address, or you need easy
>>> manipulation with list of addresses, you can use tables in ruleset:
>>>
>>> table <badguys> persist file "/etc/pf.badguys.table"
>>> block in quick from <badguys> to any
>>> pass all
>>>
>>>
>>> You can put IPs into the persistent file /etc/pf.badguys.table; these
>>> IPs will be loaded at boot time. You can add / remove an address on the
>>> fly with the pfctl command:
>>>
>>> pfctl -t badguys -T add 10.11.12.13
>>> pfctl -t badguys -T delete 10.11.12.13
>>
>> Thank you. That's perfect!
>>
>>
>> I seem to be stumped on one last issue;
>> All the information and pf.conf files provide for 2 interfaces -
>> INT_IF and EXT_IF.
>> Assuming a single NIC (ethernet adapter), only Internet-routable
>> IP addresses, and an lo0 (loopback), how would I define/use the 2 IFs?
>> Dummynet, maybe?
>>
>>
>
> Ick (if you don't mind my saying so).  No, don't make your life hell by
> coming up with dummy interfaces.  The example line you were given by
> Miroslav at the very top of my reply is standalone if you wish.  A rule set
> like:
>
> set skip on lo0
> block in quick from 10.20.30.40 to any
> pass all
>
> should be completely stand-alone.  It means:
>
> 1) Completely ignore the loopback interface for filtering purposes
> (supposedly more efficient than setting up a pass all or something to
> make sure other rules don't give you weird side effects on the loopback).
>
> 2) On any interface (since you didn't mention one in the rule) (other
> than on lo0, since you're ignoring it) block any incoming packets that come
> from 10.20.30.40.  The fact that there's only one interface is of no
> particular consequence.
>
> 3) Pass everything else in and out on all interfaces (other than lo0,
> which is passing everything since it's being ignored).  Again, that there
> is only one interface is of no concern.
>
> All those INT_IF, etc., macros you see in examples are there because
> it's considered best practice to use macros and document your rule set. For
> a 3 line rule set where you're the only maintainer, feel free to rip that
> all out....  ;-)
>
> After you get that running, I'd suggest you start making things fancier
> with Miroslav's recommendation about using a table, putting in scrub with
> some of the less aggressive options, protecting yourself from packets with
> spoofed addresses, etc., etc.

All good advice. I decided shortly after sending this question to
simply dive in and take a chance. So I simply omitted the IF part
I was asking about, and modified the suggestion(s) Miroslav was kind
enough to offer. I have one NIC which is assigned the host's address;
I also have two additional IPs aliased against it. I only brought up
lo0 because I wasn't sure if, or why, that might be a consideration.
Anyway, as you might imagine, Miroslav's suggestion worked perfectly -
THANKS Miroslav. :-)

I actually had several recurring "baddies" so I chose the "table"
method. Now their noise has vanished. :-)

Now, it's off to tweak (tune) the settings, and make some more additions,
so as to make better use of it.

Thank you again for taking the time to respond.
Thanks again to you Miroslav.

Best wishes.

--Chris

>
> --Jon Radel
>
>
>
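Added example (my own, not code from Chris, Jon or Miroslav): a small sh
wrapper around the table workflow discussed in this thread. It assumes the
table name "badguys" and the persist file /etc/pf.badguys.table from
Miroslav's reply, and relies on the split he described: the file is what pf
loads at boot, while "pfctl -t badguys -T add/delete" only changes the
in-kernel table. A host that gets one update but not the other drifts after
the next reboot, so the wrapper does both in the same step. The address
validation, the file-sync logic and the write_pf_conf helper (which emits
the three-line single-NIC ruleset from Jon's reply plus the table line) are
my additions; TABLE and TABLE_FILE can be overridden from the environment.

```shell
#!/bin/sh
# Added example for the freebsd-pf thread above; not the posters' code.
# Keeps the pf persist file and the live <badguys> table in sync.
# Assumed names (from the thread): table "badguys", /etc/pf.badguys.table.

TABLE=${TABLE:-badguys}
TABLE_FILE=${TABLE_FILE:-/etc/pf.badguys.table}

# Accept only an IPv4 address or IPv4 CIDR prefix. A bad line in the
# persist file makes the whole ruleset fail to load at boot, so reject
# junk before it is ever written.
valid_addr() {
    addr=$1
    case "$addr" in
        ''|*[!0-9./]*) return 1 ;;          # empty, hostnames, stray text
    esac
    ip=${addr%%/*}
    if [ "$ip" = "$addr" ]; then
        pfx=32                              # bare address: single host
    else
        pfx=${addr#*/}
    fi
    case "$pfx" in
        ''|*/*|*.*) return 1 ;;             # "1.2.3.4/", "a/b/c", "x/2.5"
    esac
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    case "$ip" in
        .*|*.) return 1 ;;                  # leading or trailing dot
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|????*) return 1 ;;           # empty octet or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Only touch the kernel table where pf is actually available and we are
# root; elsewhere the script just maintains the file.
sync_live() {
    if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        pfctl -t "$TABLE" -T "$1" "$2"
    fi
}

# Add an address to the persist file (idempotently) and to the live table.
table_add() {
    valid_addr "$1" || { echo "table_add: rejected '$1'" >&2; return 1; }
    touch "$TABLE_FILE"
    grep -qxF -- "$1" "$TABLE_FILE" || printf '%s\n' "$1" >> "$TABLE_FILE"
    sync_live add "$1"
}

# Remove an address from both the persist file and the live table.
table_del() {
    valid_addr "$1" || { echo "table_del: rejected '$1'" >&2; return 1; }
    [ -f "$TABLE_FILE" ] || return 0
    grep -vxF -- "$1" "$TABLE_FILE" > "$TABLE_FILE.tmp" || true   # empty result is fine
    mv "$TABLE_FILE.tmp" "$TABLE_FILE"
    sync_live delete "$1"
}

# Print the persisted entries. With pf running, diff this against
# "pfctl -t badguys -T show" to spot drift between file and kernel.
table_list() {
    [ -f "$TABLE_FILE" ] || return 0
    cat "$TABLE_FILE"
}

# Write the single-NIC ruleset from the thread to the file named in $1.
# Parse-check it before loading with: pfctl -nf FILE
write_pf_conf() {
    cat > "$1" <<EOF
set skip on lo0
table <$TABLE> persist file "$TABLE_FILE"
block in quick from <$TABLE> to any
pass all
EOF
}

# CLI: badguys.sh add ADDR | del ADDR | list | conf FILE
case "${1:-}" in
    add)  table_add "$2" ;;
    del)  table_del "$2" ;;
    list) table_list ;;
    conf) write_pf_conf "$2" ;;
esac
```

Usage: "badguys.sh add 10.20.30.40" appends the address to the persist
file and, when run as root on the pf host, also runs "pfctl -t badguys -T
add 10.20.30.40"; "badguys.sh del 10.20.30.40" reverses both. Addresses
that are not valid IPv4 (hostnames, octets over 255, prefixes over /32)
are refused so they never reach the file pf reads at boot.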




More information about the freebsd-pf mailing list