PF issue since 11.2-RELEASE

Kristof Provost kristof at sigsegv.be
Thu Jan 31 21:00:39 UTC 2019


On 31 Jan 2019, at 12:11, ASV wrote:
> Good afternoon,
> some good news and some bad news.
>
> Good news is that it was that bloody zero missing which was "freaking
> out" PF during the reload. How could I have missed that? Perhaps erroneously
> removed during the upgrade somehow or it was there but not causing
> problems?! I'll never know. But it's fixed so thank you very much for
> the good catch!
>
> The bad news is that PF is still not enforcing the rules within the
> anchors. So fail2ban keeps populating the tables where the previously
> mentioned rules are in place (reposted below) but these IPs keep
> bombing me with connection attempts passing the firewall with no
> problems at all. Killing the states, reloading, restarting (PF and
> fail2ban) doesn't fix that.
>
> # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
> block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
>
> # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
> block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
>
I don’t use anchors myself, but don’t you need to call them from your main ruleset?

Regards,
Kristof
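As an added illustration, not part of the original thread, here is a minimal pf.conf that shows the anchor call Kristof is asking about. Rules loaded into an anchor with `pfctl -a f2b/...` are only evaluated when the main ruleset contains an `anchor` rule that reaches them; without it the tables fill up but nothing is blocked, which matches the symptom described above. The anchor names `f2b/asterisk-udp` and `f2b/asterisk-tcp` come from the thread; the interface name `em0` and the SIP pass rule are assumptions for the example.

```pf
# Assumed external interface (placeholder for this example).
ext_if = "em0"

set skip on lo0

block in log on $ext_if

# Evaluate every child anchor under "f2b/" (f2b/asterisk-udp,
# f2b/asterisk-tcp, and any others fail2ban creates). This must come
# BEFORE the pass rules below: the anchored rules use "quick", so a
# matching block stops evaluation here and the SIP pass rule is never
# reached for a banned address.
anchor "f2b/*"

# Assumed service rule: allow SIP and SIP-TLS from anywhere.
pass in on $ext_if proto { tcp, udp } from any to ($ext_if) port { sip, sip-tls }

pass out on $ext_if keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -sr` should list the `anchor "f2b/*"` line among the main rules, and `pfctl -a f2b/asterisk-udp -s rules` should still show the rules fail2ban installed. Note that the anchor rule only affects new connections; existing states created before a ban still need to be flushed (`pfctl -k <address>`) for the block to take effect on traffic that is already established.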