basic rule request - allow_all/block_bad

Jon Radel jon at radel.com
Wed Jan 21 09:47:51 PST 2009


fbsdmail at dnswatch.com wrote:

>> block in quick from 10.20.30.40 to any
>> pass all
>>
>> If you need to block more than one address, or you need easy
>> manipulation with list of addresses, you can use tables in ruleset:
>>
>> table <badguys> persist file "/etc/pf.badguys.table"
>> block in quick from <badguys> to any
>> pass all
>>
>>
>> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs
>> will be loaded at boot time. You can add / remove an address on the fly with
>> the pfctl command:
>> pfctl -t badguys -T add 10.11.12.13
>> pfctl -t badguys -T delete 10.11.12.13
> 
> Thank you. That's perfect!
> 
> I seem to be stumped on one last issue:
> All the information, and pf.conf files, all provide for 2 interfaces -
> INT_IF and EXT_IF.
> Assuming a single NIC (ethernet adapter), only Internet-routable
> IP addresses, and lo0 (loopback), how would I define/use the 2 IFs?
> Dummynet, maybe?
> 

Ick (if you don't mind my saying so).  No, don't make your life hell by 
coming up with dummy interfaces.  The example line you were given by 
Miroslav at the very top of my reply is standalone if you wish.  A rule 
set like:


set skip on lo0
block in quick from 10.20.30.40 to any
pass all

should be completely stand-alone.  It means:

1) Completely ignore the loopback interface for filtering purposes 
(supposedly more efficient than setting up a pass all or something to 
make sure other rules don't give you weird side effects on the loopback).

2) On any interface (since you didn't mention one in the rule) (other 
than on lo0, since you're ignoring it) block any incoming packets that 
come from 10.20.30.40.  The fact that there's only one interface is of 
no particular consequence.

3) Pass everything else in and out on all interfaces (other than lo0, 
which is passing everything since it's being ignored).  Again, that 
there is only one interface is of no concern.

All those INT_IF, etc., macros you see in examples are there because 
it's considered best practice to use macros and document your rule set. 
For a 3-line rule set where you're the only maintainer, feel free to 
rip that all out....  ;-)

After you get that running, I'd suggest you start making things fancier 
with Miroslav's recommendation about using a table, putting in scrub 
with some of the less aggressive options, protecting yourself from 
packets with spoofed addresses, etc., etc.

--Jon Radel
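As an added illustration (not part of Jon's or Miroslav's messages), here is what the "fancier" single-NIC rule set he describes could look like once the table, a gentle scrub and antispoof are put together. The interface name em0 is an assumption; the table file path is the one from the thread, and the addresses in it are constructed sample values.

```pf
# /etc/pf.conf for a single-NIC host with only routable addresses.
# Added example, not taken from the thread. "em0" is an assumed interface
# name; swap in the real one (ifconfig shows it).
ext_if = "em0"

# Address list kept on disk so it survives a reboot. One address or
# CIDR block per line, e.g. (constructed sample file contents):
#   10.20.30.40
#   192.0.2.0/24
table <badguys> persist file "/etc/pf.badguys.table"

# Ignore loopback entirely (the option from the thread, spelled lo0).
set skip on lo0

# Normalise inbound packets with the less aggressive scrub options:
# reassemble fragments and clear the DF bit; no TCP window/TTL rewriting.
scrub in on $ext_if all no-df fragment reassemble

# Drop inbound packets that claim to come from this host's own address or
# network. With one NIC and lo0 skipped this mainly catches packets forged
# with our own address arriving on em0.
antispoof quick for $ext_if

# The block_bad part: drop and log anything from the table. "quick" makes
# this final, so the later "pass all" never sees these packets.
block in log quick from <badguys> to any

# The allow_all part, unchanged from the thread.
pass all
```

Check the syntax without loading it (pfctl -nf /etc/pf.conf), then load it with pfctl -f /etc/pf.conf. The table is still managed as Miroslav described (pfctl -t badguys -T add / delete); after editing the file by hand, pfctl -t badguys -T replace -f /etc/pf.badguys.table syncs the in-kernel table to it, and pfctl -t badguys -T show lists what is currently loaded. Because the block rule carries "log", hits show up on pflog0 (tcpdump -n -e -ttt -i pflog0), which is the easiest way to confirm a newly added entry is actually being dropped.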


