Help requested with pf.conf firewall script
Godfrey Hamshire
freebsdlist at compudoc.za.net
Sat Feb 21 17:38:55 UTC 2015
Hello
Thank you for your assistance.
Your suggestion works very well for ping, however for traceroute
I get this:
traceroute to dns.cdoc.co.za (41.185.26.52), 64 hops max, 40 byte packets
traceroute: sendto: Operation not permitted
1 traceroute: wrote dns.cdoc.co.za 40 chars, ret=-1
^C
root at 32.165 ~ # ping dns.cdoc.co.za
PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
64 bytes from 41.185.26.52: icmp_seq=0 ttl=61 time=46.018 ms
64 bytes from 41.185.26.52: icmp_seq=1 ttl=61 time=46.607 ms
^C
I have pasted at the bottom of this message the revised rule set in case I
missed the plot somewhere.
Thank you so much for your help.
Regards
Godfrey
# pf config - K.Andreev 20140604
ext_if = "vr0"
icmptypes="{echoreq,unreach}"
set loginterface $ext_if
set skip on lo
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"
tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
udp_pass = "{ 21 53 }"
block all
block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
pass in on $ext_if inet proto icmp all icmp-type $icmptypes
pass inet proto icmp from any to any keep state
----- Original Message -----
From: "cpet" <cpet at sdf.org>
To: "Godfrey Hamshire" <freebsdlist at compudoc.za.net>
Cc: "FreeBSD Users" <freebsd-questions at freebsd.org>;
<owner-freebsd-questions at freebsd.org>
Sent: Saturday, February 21, 2015 7:04 PM
Subject: Re: Help requested with pf.conf firewall script
> On 2015-02-21 10:29, Godfrey Hamshire wrote:
>> Help requested with pf.conf
>>
>> Hello
>>
>> I would be most grateful if some kind member could assist me.
>>
>> I am in the process of setting up a mail/web server etc.
>>
>> I want to be able to block IPs that try brute-force attacks and those
>> that try and break in using hundreds of usernames and passwords.
>>
>> I found this set of rules as set out below; they are not mine but
>> belong to K.Andreev. There is nothing wrong with them, I just want to
>> be able to ping and traceroute from the server and can't.
>>
>> I have tried all sorts of combinations with the last line, from various
>> sites via Google, and can't get it to ping or any of that stuff. Not
>> being too clued up on this aspect, I am asking for assistance.
>>
>> This is what I am getting when I try to ping.
>>
>> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
>> ping: sendto: No route to host
>> ping: sendto: No route to host
>>
>> If, to save a lot of hassle, the reader of this has a working pf.conf
>> that allows blocking of IPs that endlessly try to break in, or one where I
>> can add troublesome IPs to a table, that would be really cool.
>>
>> Here is the rule set I am asking for help with.
>>
>> Thank you for your time, trouble and help; it will be appreciated.
>>
>> Kind regards
>>
>> Godfrey
>>
>> # pf config - K.Andreev 20140604
>>
>> ext_if = "vr0"
>>
>> set loginterface $ext_if
>>
>> set skip on lo
>>
>> table <bruteforce> persist
>>
>> table <blocked_subnets> persist file "/etc/blocked_subnets"
>>
>> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
>>
>> udp_pass = "{ 21 53 }"
>>
>> block all
>>
>> block in log quick on $ext_if from <blocked_subnets> to any
>> block out log quick on $ext_if from any to <blocked_subnets>
>>
>> block quick from <bruteforce>
>>
>> pass quick proto { tcp, udp } from any to any port ssh \
>> flags S/SA keep state \
>> (max-src-conn 15, max-src-conn-rate 5/3, \
>> overload <bruteforce> flush global)
>>
>> pass log on $ext_if proto tcp to any port $tcp_pass keep state
>>
>> pass out on $ext_if proto udp to any port $udp_pass keep state
>>
>> pass inet proto icmp from any to any keep state
>>
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>
> You need to add a rule for ICMP. I do this:
>
> icmptypes="{echoreq,unreach}"
> pass in on $ext_if inet proto icmp all icmp-type $icmptypes
>
> So that fixes your ping issue.
>
> For brutes I do this only for SSH:
> brutes="{22, 6015}"
> pass in on $ext_if inet proto tcp from any to any port $brutes flags S/SA
> keep state (max-src-conn 3, max-src-conn-rate 3/10, overload
> <bruteforce> flush global )
>
> Hope this helps you.
>
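The "sendto: Operation not permitted" in the traceroute output at the top of this message is consistent with pf dropping the probes the host itself sends: the posted rules pass outbound UDP only to ports 21 and 53, while FreeBSD's traceroute(8) sends one UDP probe per hop to ports 33434 and up. As an added example that is not part of this thread (not K.Andreev's, cpet's or Godfrey's rules), here is the rule set reworked to pass those probes out and to let the ICMP error types traceroute relies on back in. The interface name, port lists and rate limits are carried over from the posted config; the probe port range is an assumption taken from the traceroute(8) defaults.

```pf
# Added example (not K.Andreev's, cpet's or the poster's rules): the posted
# rule set reworked so the host can traceroute out. Interface, ports and
# limits are carried over from the thread; the probe port range is an
# assumption matching FreeBSD traceroute(8) defaults.
ext_if = "vr0"
tcp_pass = "{ 21 22 25 26 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"
# echoreq lets pings in; unreach and timex are the ICMP errors that
# traceroute and path MTU discovery depend on
icmptypes = "{ echoreq, unreach, timex }"
# traceroute(8) sends one UDP probe per hop to ports 33434 and up
trace_ports = "33434:33534"

set loginterface $ext_if
set skip on lo

table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

block all
block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>
block quick from <bruteforce>

# SSH with connection-rate limiting: more than 15 open connections, or more
# than 5 new ones in 3 seconds, from one source puts it in <bruteforce> and
# flushes all of its states (inbound on the external interface only)
pass in quick on $ext_if proto tcp to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# services offered to the outside
pass in log on $ext_if proto tcp to any port $tcp_pass keep state

# traffic the host originates; keep state means the replies, including the
# ICMP time-exceeded errors that pf matches against the UDP probe's state,
# get back in without a separate rule
pass out on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
pass out on $ext_if proto udp to any port $trace_ports keep state

pass in on $ext_if inet proto icmp all icmp-type $icmptypes
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the sources the overload rule has caught.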