Date:      Wed, 25 Feb 2015 16:27:32 +0100
From:      Hasse Hansson <hasse@thorshammare.org>
To:        Godfrey Hamshire <freebsdlist@compudoc.za.net>
Cc:        FreeBSD Users <freebsd-questions@freebsd.org>
Subject:   Re: Help requested with pf.conf firewall script
Message-ID:  <20150225152732.GA78280@ymer.thorshammare.org>
In-Reply-To: <0B6F89C4C603445FA59AEB72931207A0@workstation>
References:  <0B6F89C4C603445FA59AEB72931207A0@workstation>

On Sat, Feb 21, 2015 at 06:29:29PM +0200, Godfrey Hamshire wrote:
> Help requested with pf.conf
> 
> Hello 
> 
> I would be most grateful if some kind member could assist me.
> 
> I am in the process of setting up a mail/web server etc.
> 
> I want to be able to block ip's that try brute force attacks and those that try and break in using hundreds of usernames and passwords. 
> 
> I found this set of rules as set out below. They are not mine but belong to K.Andreev; there is nothing wrong with them, I just want to be able to ping and traceroute from the server and can't.
> 
> I have tried all sorts of combinations with the last line, from various sites via google, and can't get it to ping or any of that stuff. Not being too clued up on this aspect I am asking for assistance.
> 
> This is what I am getting when I try to ping.
> 
> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
> ping: sendto: No route to host
> ping: sendto: No route to host
> 
> If, to save a lot of hassle, the reader of this has a working pf.conf that allows blocking of ip's that endlessly try to break in, or one I can add troublesome ip's to a table to, that would be really cool.
> 
> Here is the rule set I am asking for help with 
> 
> Thank you for your time, trouble and help; it will be appreciated.
> 
> Kind regards 
> 
> Godfrey
> 
> 
> 
> 
> # pf config - K.Andreev 20140604
> 
> ext_if = "vr0"
> 
> set loginterface $ext_if
> 
> set skip on lo
> 
> table <bruteforce> persist
> 
> table <blocked_subnets> persist file "/etc/blocked_subnets"
> 
> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
> 
> udp_pass = "{ 21 53 }"
> 
> block all
> 
> block in log quick on $ext_if from <blocked_subnets> to any
> block out log quick on $ext_if from any to <blocked_subnets>
> 
> block quick from <bruteforce>
> 
> pass quick proto { tcp, udp } from any to any port ssh \
>     flags S/SA keep state \
>     (max-src-conn 15, max-src-conn-rate 5/3, \
>     overload <bruteforce> flush global)
> 
> pass log on $ext_if proto tcp to any port $tcp_pass keep state
> 
> pass out on $ext_if proto udp to any port $udp_pass keep state
> 
> pass inet proto icmp from any to any keep state
> 
> 

Hello
Here are two of my pf rules. The first is for ping and the latter one for traceroute.

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

/hasse
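Where the two rules above fit into the ruleset Godfrey posted, as an added example that is neither Hasse's nor Godfrey's own configuration; the interface name vr0 and the extra outbound echoreq rule are assumptions:

```pf
# Added example, not from the thread: Hasse's ping and traceroute rules
# placed into Godfrey's ruleset. vr0 is assumed to be the external interface.
ext_if = "vr0"

# (tables, macros, blocked_subnets and bruteforce rules from the original
#  ruleset go here, unchanged)
block all

# Outbound ping: let our own echo requests out and keep state so the
# echo replies are matched back in without a separate inbound rule.
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# Hasse's inbound ICMP rule: destination unreachable, redirect and time
# exceeded messages addressed to us (traceroute hops answer with timex).
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

# Hasse's traceroute rule: the UDP probe ports traceroute walks through
# (33434 upward); '><' is pf's exclusive port range operator.
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
```

pf applies the last matching rule unless a rule carries `quick`, so these pass rules must sit after `block all`; `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -t bruteforce -T show` lists the addresses the overload rule has trapped.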