Help requested with pf.conf firewall script

[Godfrey Hamshire]

Help requested with pf.conf

Hello 

I would be most greatful if some kind member could assist me.

I am in the process of setting up a mail/web server etc.

I want to be able to block ip's that try brute force attacks and those that try and break in using hundreds of usernames and passwords. 

I found this set of rules as set out below, they are not mine but belong to K.Andreev, there is nothing wrong with them, I just want to be able to ping and traceroute from the server and cant. 

I have tried all sorts combinations with the last line, from various sites via google and cant get it to ping or any of that stuff. Not being too clued up on this aspect I am asking for assistance.

This is what I am getting when I try to ping.

PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

If to save a lot of hassel the reader of this has a working pf.conf that allows blocking of ip's that endlessly try to break in or one I can add trouble some ip's to a table to that would be really cool. 

Here is the rule set I am asking for help with 

Thank you for your time trouble and help it will be appreciated.

Kind regards 

Godfrey




# pf config - K.Andreev 20140604

ext_if = "vr0"

set loginterface $ext_if

set skip on lo

table <bruteforce> persist

table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"

udp_pass = "{ 21 53 }"

block all

block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>

block quick from <bruteforce>

pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

pass log on $ext_if proto tcp to any port $tcp_pass keep state

pass out on $ext_if proto udp to any port $udp_pass keep state

pass inet proto icmp from any to any keep state