PF issue since 11.2-RELEASE

ASV asv at inhio.net
Sun Feb 3 20:43:32 UTC 2019


You are right, that was missing!

So in the end (for the record):
- I've added anchor "f2b/*", which was missing
- I've removed the f2b/asterisk anchor, as I've managed to handle it directly through fail2ban with some adjusting (which is how it should be)
- I've changed "lo" to "lo0" in the "set skip on" rule (as you suggested), and that fixed the network getting stuck (but that's probably a bug)
- I've fixed the fail2ban default block rule, which was missing "in" and "on <interface>"; that was the reason why it wasn't blocking anything

Everything finally seems to be working as expected.
Thanks A LOT for your time, much appreciated indeed!

Cheers.


On Sun, 2019-02-03 at 16:26 +0100, Kristof Provost wrote:
> 
> 
> On 1 Feb 2019, at 10:33, ASV wrote:
> > On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
> > > On 31 Jan 2019, at 12:11, ASV wrote:
> > > > Good afternoon,
> > > > some good news and some bad news.
> > > > 
> > > > Good news is that it was that bloody zero missing which was "freaking
> > > > out" PF during the reload. How could I have missed that? Perhaps
> > > > erroneously removed during the upgrade somehow, or it was there but not
> > > > causing problems?! I'll never know. But it's fixed, so thank you very
> > > > much for the good catch!
> > > > 
> > > > The bad news is that PF is still not enforcing the rules within the
> > > > anchors. So fail2ban keeps populating the tables where the previously
> > > > mentioned rules are in place (reposted below), but these IPs keep
> > > > bombing me with connection attempts, passing the firewall with no
> > > > problems at all. Killing the states, reloading, restarting (PF and
> > > > fail2ban) doesn't fix that.
> > > > 
> > > > # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> > > > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
> > > > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
> > > > 
> > > > # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> > > > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
> > > > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
> > > 
> > > I don’t use anchors myself, but don’t you need to call them from your
> > > main ruleset?
> > 
> > Anchors are called and the blocking rule is set within:
> > 
> > anchor f2b {
> >     anchor asterisk {
> >         block in quick log to any
> >     }
> > }
> 
> You have to put ‘anchor "f2b/*"’ in your main ruleset to get anchor
> ‘f2b/asterisk-tcp’ to be used.
> Regards,
> Kristof
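The following pf.conf fragment is an added illustration of the fixes this thread settles on (the wildcard anchor in the main ruleset, `lo0` in `set skip`, and a block rule that carries a direction and an interface), together with the pfctl checks a defender would use to confirm the anchor is actually wired in. It is constructed for this page; it is not the poster's configuration nor fail2ban's stock pf action, and the interface name `em0` and the anchor and table names are assumptions.

```pf
# /etc/pf.conf (constructed example, not the poster's file)
ext_if = "em0"                       # assumed external interface name

# "lo0" is the loopback interface on FreeBSD; the thread's fix was
# changing "lo" to "lo0" here.
set skip on lo0

# ... normal filtering rules for $ext_if go here ...

# Without this line the rules fail2ban loads into the child anchors
# f2b/asterisk-udp, f2b/asterisk-tcp, ... are never evaluated.
# The wildcard pulls in every child anchor under "f2b".
anchor "f2b/*"

# Rule that fail2ban loads into the child anchor, in the shape the thread
# ended up with: it names a direction ("in") and an interface ("on em0").
# Loaded at runtime, not from this file, e.g.:
#   echo 'block drop in quick on em0 proto udp from <f2b-asterisk-udp> \
#         to any port { sip, sip-tls }' | pfctl -a f2b/asterisk-udp -f -
#
# Checks after reloading:
#   pfctl -vnf /etc/pf.conf            # parse-check the main ruleset first
#   pfctl -sr | grep anchor            # main ruleset must list: anchor "f2b/*" all
#   pfctl -sA                          # child anchors that currently exist
#   pfctl -a f2b/asterisk-udp -s rules # rules inside one child anchor
#   pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -T show   # banned addresses
```

If `pfctl -sr` does not show the `anchor "f2b/*"` line, the child anchors can be fully populated and still have no effect, which is exactly the symptom described earlier in the thread: the tables fill up while the traffic keeps passing.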