Help requested with pf.conf firewall script
cpet
cpet at sdf.org
Sat Feb 21 17:04:34 UTC 2015
On 2015-02-21 10:29, Godfrey Hamshire wrote:
> Help requested with pf.conf
>
> Hello
>
> I would be most grateful if some kind member could assist me.
>
> I am in the process of setting up a mail/web server etc.
>
> I want to be able to block IPs that try brute force attacks and those
> that try to break in using hundreds of usernames and passwords.
>
> I found this set of rules as set out below. They are not mine but
> belong to K.Andreev; there is nothing wrong with them, I just want to
> be able to ping and traceroute from the server and can't.
>
> I have tried all sorts of combinations with the last line, from various
> sites via Google, and can't get it to ping or any of that stuff. Not
> being too clued up on this aspect, I am asking for assistance.
>
> This is what I am getting when I try to ping.
>
> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
> ping: sendto: No route to host
> ping: sendto: No route to host
>
> If, to save a lot of hassle, the reader of this has a working pf.conf
> that allows blocking of IPs that endlessly try to break in, or one I
> can add troublesome IPs to a table with, that would be really cool.
>
> Here is the rule set I am asking for help with.
>
> Thank you for your time, trouble and help; it will be appreciated.
>
> Kind regards
>
> Godfrey
>
>
>
>
> # pf config - K.Andreev 20140604
>
> ext_if = "vr0"
>
> set loginterface $ext_if
>
> set skip on lo
>
> table <bruteforce> persist
>
> table <blocked_subnets> persist file "/etc/blocked_subnets"
>
> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
>
> udp_pass = "{ 21 53 }"
>
> block all
>
> block in log quick on $ext_if from <blocked_subnets> to any
> block out log quick on $ext_if from any to <blocked_subnets>
>
> block quick from <bruteforce>
>
> pass quick proto { tcp, udp } from any to any port ssh \
> flags S/SA keep state \
> (max-src-conn 15, max-src-conn-rate 5/3, \
> overload <bruteforce> flush global)
>
> pass log on $ext_if proto tcp to any port $tcp_pass keep state
>
> pass out on $ext_if proto udp to any port $udp_pass keep state
>
> pass inet proto icmp from any to any keep state
>
>
You need to add a rule for ICMP. I do this:
icmptypes="{echoreq,unreach}"
pass in on $ext_if inet proto icmp all icmp-type $icmptypes
So that fixes your ping issue.
For brutes I do this, only for SSH:
brutes="{22, 6015}"
pass in on $ext_if inet proto tcp from any to any port $brutes flags S/SA \
    keep state (max-src-conn 3, max-src-conn-rate 3/10, overload \
    <bruteforce> flush global)
Hope this helps you.
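As an added example (not part of either message above), here is one way to assemble the quoted ruleset and the reply's ICMP and SSH overload rules into a single pf.conf, with a pass out rule for traffic the server itself originates; the interface name, service ports and the pfctl maintenance commands in the comments are assumptions, not anything from the original poster's setup:

```pf
# Added example: a consolidated pf.conf built from the rules discussed above
# (the quoted ruleset plus the icmp and ssh overload rules from the reply).
# Not the original poster's file; interface name and ports are assumptions.
ext_if = "vr0"
tcp_pass = "{ 22 25 53 80 443 587 993 995 }"
udp_pass = "{ 53 }"
icmptypes = "{ echoreq, unreach }"

set loginterface $ext_if
set skip on lo

# Sources that trip the ssh limits land here; "persist" keeps the table
# alive even while no loaded rule references it.
table <bruteforce> persist
# Manually maintained blocklist, one address or subnet per line.
table <blocked_subnets> persist file "/etc/blocked_subnets"

# Default deny in both directions; everything below is an explicit exception.
block all
block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>
# Must come before the ssh pass rule: "quick" stops evaluation at first match.
block in log quick on $ext_if from <bruteforce> to any

# Traffic the server itself originates (ping, traceroute, DNS lookups).
# Replies match the state created here, so no separate "pass in" is needed.
pass out quick on $ext_if keep state

# Inbound ICMP limited to echo requests and unreachables.
pass in on $ext_if inet proto icmp all icmp-type $icmptypes keep state

# ssh with per-source limits: max-src-conn 3 = at most 3 open connections
# from one address; max-src-conn-rate 3/10 = at most 3 new ones per 10 s.
# Exceeding either puts the source in <bruteforce>; "flush global" also
# kills every existing state from that source, not just its ssh states.
pass in on $ext_if inet proto tcp from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/10, overload <bruteforce> flush global)

# Remaining services.
pass in log on $ext_if inet proto tcp from any to any port $tcp_pass keep state
pass in on $ext_if inet proto udp from any to any port $udp_pass keep state

# Operating the table (as root):
#   pfctl -nf /etc/pf.conf               # parse-check before loading
#   pfctl -t bruteforce -T show          # list trapped sources
#   pfctl -t bruteforce -T expire 86400  # drop entries older than a day (cron)
#   pfctl -t bruteforce -T delete 192.0.2.10   # release one address (example IP)
```

Without a periodic expire, the table only grows, so a cron entry running the expire command is the usual companion to the overload rule.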