Help requested with pf.conf firewall script
Godfrey Hamshire
freebsdlist at compudoc.za.net
Sat Feb 21 16:37:10 UTC 2015
Hello
I would be most grateful if some kind member could assist me.
I am in the process of setting up a mail/web server etc.
I want to be able to block IPs that try brute-force attacks and those that try and break in using hundreds of usernames and passwords.
I found this set of rules as set out below. They are not mine but belong to K.Andreev, and there is nothing wrong with them; I just want to be able to ping and traceroute from the server and can't.
I have tried all sorts of combinations with the last line, from various sites via Google, and can't get it to ping or any of that stuff. Not being too clued up on this aspect, I am asking for assistance.
This is what I am getting when I try to ping.
PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
If, to save a lot of hassle, the reader of this has a working pf.conf that allows blocking of IPs that endlessly try to break in, or one I can add troublesome IPs to a table with, that would be really cool.
Here is the rule set I am asking for help with:
Thank you for your time, trouble and help; it will be appreciated.
Kind regards
Godfrey
# pf config - K.Andreev 20140604
ext_if = "vr0"
set loginterface $ext_if
set skip on lo

# <bruteforce> is filled automatically by the overload rule below;
# <blocked_subnets> is loaded from a file and can also be edited by hand
# (pfctl -t blocked_subnets -T add/delete ...)
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"

# default deny in both directions; later matching pass rules override it
block all
block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>
block quick from <bruteforce>

# SSH is TCP only, and TCP flags cannot be applied to a UDP rule, so the
# original "proto { tcp, udp }" is reduced to tcp. A source that holds more
# than 15 concurrent connections, or opens more than 5 new connections in
# 3 seconds, is added to <bruteforce> and all of its existing states are killed.
pass quick proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state

# ICMP in both directions, so ping works and ICMP errors can come back
pass inet proto icmp from any to any keep state
# outbound UDP probes sent by traceroute(8) (default destination ports 33434 and up)
pass out on $ext_if inet proto udp to any port 33434:33523 keep state
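The following is an added illustration, not part of the original post or of K.Andreev's rule set. It is a simplified Python model of what the `max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global` options on the SSH rule do, replayed over a constructed list of connection attempts from two made-up addresses. The sliding-window bookkeeping is an approximation of pf's source-tracking counters, written so a reader can see which source ends up in the table and why; it is not pf's own code.

```python
from collections import defaultdict, deque

# Constructed sample: one admin host making three normal SSH connections
# and one host hammering the port. Tuples are (timestamp, source, event).
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", "open"),
    (0.2, "198.51.100.7", "open"),
    (0.4, "198.51.100.7", "open"),
    (0.6, "198.51.100.7", "open"),
    (0.8, "198.51.100.7", "open"),
    (1.0, "198.51.100.7", "open"),
    (1.2, "198.51.100.7", "open"),   # 6th new connection inside 3 s
    (1.4, "198.51.100.7", "open"),   # already in the table by now
    (30.0, "203.0.113.5", "close"),
    (45.0, "203.0.113.5", "open"),
    (100.0, "203.0.113.5", "open"),
]


class OverloadTracker:
    """Simplified model of `max-src-conn N`, `max-src-conn-rate N/S` and
    `overload <table> flush global` for a single pass rule (assumption:
    a per-source sliding window stands in for pf's source-tracking entry)."""

    def __init__(self, max_src_conn=15, max_src_conn_rate=(5, 3)):
        self.max_src_conn = max_src_conn
        self.rate_limit, self.rate_window = max_src_conn_rate
        self.recent = defaultdict(deque)    # src -> timestamps of new connections
        self.open_conns = defaultdict(int)  # src -> current number of states
        self.table = set()                  # stand-in for <bruteforce>

    def new_connection(self, src, ts):
        """Return True if pf would pass this SYN, False if it would block it."""
        if src in self.table:
            return False  # `block quick from <bruteforce>` matches first
        window = self.recent[src]
        while window and ts - window[0] >= self.rate_window:
            window.popleft()  # forget attempts older than the rate window
        window.append(ts)
        self.open_conns[src] += 1
        if len(window) > self.rate_limit or self.open_conns[src] > self.max_src_conn:
            self.table.add(src)
            self.open_conns[src] = 0  # flush global: its existing states are killed
            window.clear()
            return False
        return True

    def close_connection(self, src):
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1


def replay(events, tracker=None):
    """Feed events through the tracker; return (allowed, blocked, table)."""
    tracker = tracker or OverloadTracker()
    allowed = defaultdict(int)
    blocked = defaultdict(int)
    for ts, src, kind in sorted(events):
        if kind == "close":
            tracker.close_connection(src)
        elif tracker.new_connection(src, ts):
            allowed[src] += 1
        else:
            blocked[src] += 1
    return dict(allowed), dict(blocked), set(tracker.table)


if __name__ == "__main__":
    allowed, blocked, table = replay(SAMPLE_EVENTS)
    for src in sorted(set(allowed) | set(blocked)):
        print(f"{src:15} passed={allowed.get(src, 0)} blocked={blocked.get(src, 0)}")
    print("overloaded into <bruteforce>:", sorted(table))
```

On a real host the equivalent check is `pfctl -t bruteforce -T show`; pf never removes overload entries by itself, so a cron job running `pfctl -t bruteforce -T expire 86400` (or whatever lifetime suits the server) keeps a mistyped password from locking an address out for good.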