PF issue since 11.2-RELEASE
asv at inhio.net
Thu Jan 31 11:11:37 UTC 2019
one good news and one bad news.
Good news is that it was that bloody zero missing which was "freaking
out" PF during the reload. How could I missed that? Perhaps erroneously
removed during the upgrade somehow or it was there but not causing
problems?! I'll never know. But it's fixed so thank you very much for
the good catch!
The bad news is that PF is still not enforcing the rules within the
anchors. So fail2ban keeps populating the tables where the previously
mentioned rules are in place (reposted below) but these IPs keeps
bombing me with connection attempts passing the firewall with no
problems at all. Killing the states, reloading, restarting (PF and
fail2ban) doesn't fix that.
# pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
# pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
Is it a known bug?
On Tue, 2019-01-29 at 20:36 +0100, Kristof Provost wrote:
> On 2019-01-29 20:31:53 (+0100), ASV <asv at inhio.net> wrote:
> > OK, I understand. Here it follows my pf.conf:
> > ext_if="lagg0"
> > tun0_if="tun0"
> > B01="172.16.3.2"
> > K01="172.16.3.3"
> > W01="172.16.3.4"
> > W03="172.16.3.5"
> > K02="172.16.3.6"
> > W02="172.16.3.7"
> > set skip on lo
> Try 'set skip on lo0'
> There have been issues with groups in 'set skip' handling. They
> be fixed in CURRENT, but 11.2 is affected.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: This is a digitally signed message part
More information about the freebsd-questions