basic rule request - allow_all/block_bad
Jon Radel
jon at radel.com
Wed Jan 21 09:47:51 PST 2009
fbsdmail at dnswatch.com wrote:
>> block in quick from 10.20.30.40 to any pass all
>>
>> If you need to block more than one address, or you need easy
>> manipulation with list of addresses, you can use tables in ruleset:
>>
>> table <badguys> persist file "/etc/pf.badguys.table"
>> block in quick from <badguys> to any
>> pass all
>>
>>
>> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs
>> will be loaded at boot time. You can add / remove an address on the fly with
>> the pfctl command:
>> pfctl -t badguys -T add 10.11.12.13
>> pfctl -t badguys -T delete 10.11.12.13
>
> Thank you. That's perfect!
>
> I seem to be stumped on one last issue;
> All the information and pf.conf files provide for 2 interfaces -
> INT_IF and EXT_IF.
> Assuming a single NIC (ethernet adapter), only Internet-routable
> IP addresses, and lo0 (loopback), how would I define/use the 2 IFs?
> Dummynet, maybe?
>
Ick (if you don't mind my saying so). No, don't make your life hell by
coming up with dummy interfaces. The example line you were given by
Miroslav at the very top of my reply is standalone if you wish. A rule set
like:
set skip on lo0
block in quick from 10.20.30.40 to any
pass all
should be completely stand-alone. It means:
1) Completely ignore the loopback interface for filtering purposes
(supposedly more efficient than setting up a pass all or something to
make sure other rules don't give you weird side effects on the loopback).
2) On any interface (since you didn't mention one in the rule) (other
than on lo0, since you're ignoring it) block any incoming packets that
come from 10.20.30.40. The fact that there's only one interface is of
no particular consequence.
3) Pass everything else in and out on all interfaces (other than lo0,
which is passing everything since it's being ignored). Again, that
there is only one interface is of no concern.
All those INT_IF, etc., macros you see in examples are there because
it's considered best practice to use macros and document your rule set.
For a 3 line rule set where you're the only maintainer, feel free to
rip that all out.... ;-)
After you get that running, I'd suggest you start making things fancier
with Miroslav's recommendation about using a table, putting in scrub
with some of the less aggressive options, protecting yourself from
packets with spoofed addresses, etc., etc.
--Jon Radel
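For reference, here is an added example (not from Jon's or Miroslav's posts) of a single-NIC pf.conf that puts together the pieces discussed in this thread: the loopback skip, the persistent table, a mild scrub, and anti-spoofing. It assumes the NIC is named em0 and that /etc/pf.badguys.table already exists (it may be empty; pfctl refuses to load a "persist file" table whose file is missing).

```pf
# Added example, not part of the original thread. "em0" and the table
# file path are placeholders: adjust both for your own host.
ext_if = "em0"

# Addresses to drop. Loaded from the file at boot; edit at run time with
#   pfctl -t badguys -T add 10.11.12.13
#   pfctl -t badguys -T delete 10.11.12.13
table <badguys> persist file "/etc/pf.badguys.table"

# 1) Ignore the loopback interface entirely; no rule below touches lo0.
#    This also keeps antispoof (further down) from hitting local traffic.
set skip on lo0

# Normalise incoming packets. Fragment reassembly is the least
# aggressive scrub option; others can be added once this works.
scrub in all fragment reassemble

# Drop packets arriving on the wrong interface with a source address
# from em0's own network, or claiming to be from this host's own address.
antispoof quick for $ext_if

# 2) On any interface, drop incoming packets from listed addresses and
#    stop evaluating further rules for them ("quick").
block in quick from <badguys> to any

# 3) Everything else passes, in and out, on every interface.
pass all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the table contents with `pfctl -t badguys -T show`.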
More information about the freebsd-pf mailing list