From: Forrest Aldrich <forrie@forrie.com>
To: pf@freebsd.org
Date: Mon, 26 Dec 2005 15:49:17 -0500
Subject: Block rule not working...
Message-ID: <43B0574D.30406@forrie.com>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

My pf.conf is below. I have this idiot at 24.147.135.133 who has been attempting to break my webserver for about a week - presumably he's running some script. Port 80 of his machine has an impressive MP3 collection. Comcast doesn't care, so my reports have been unheard. I have rules to block this /24, but he manages to get through anyway.
First, I block via a negation to the table; second, I have an explicit block rule to block all traffic from anyone in that table. Since the block rule comes before the "pass" rule below, I would presume it would work. I can match it in the table; it's there. Can anyone tell me what's wrong with the rules so I can correct this ASAP? Thank you.

ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"
tcp_services = "imap, imaps, smtp, smtps"

set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

table persist file "/etc/pf.d/spammers" \
    file "/etc/pf.d/abuse" \
    file "/etc/pf.d/geoip"
table persist file "/etc/pf.d/spammers"
*table persist file "/etc/pf.d/abuse"*
table persist file "/etc/pf.d/spammers"

scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id

nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if inet proto tcp from ! to ($ext_if) \
    port { $tcp_services } -> $server
*rdr on $ext_if inet proto tcp from ! to ($ext_if) \
    port 80 -> $server port 80*
*rdr on $ext_if inet proto tcp from ! to ($ext_if) \
    port 443 -> $server port 443*

antispoof quick for $ext_if
set skip on lo0

block log all
*block in quick on $ext_if from to any*
block in quick on $ext_if proto tcp from to port { smtp, smtps, imap, imaps }

pass quick on $int_if inet all keep state

pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
    modulate state
pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)

pass out quick on $ext_if inet proto tcp all \
    keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
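As an added example (not from the post, and not pf code), a small Python model of how pf decides on an inbound packet, with the posted filter rules reduced to their action, "quick" flag, source table and ports, and the table contents constructed from the attacker's /24 (the table's real name is missing from the post, so it is simply called "abuse" here). It shows that the "block in quick ... from <table>" rule must win over the later pass rule for port 80, that it would lose without "quick" because pf's last matching rule wins, and the one case in which that block rule is never consulted at all: a packet that belongs to a state created before the address went into the table.

```python
import ipaddress

# Constructed table contents: the /24 the poster says he blocks.
ABUSE_TABLE = [ipaddress.ip_network("24.147.135.0/24")]

# Simplified copy of the inbound filter section of the posted pf.conf, in the
# posted order.  Each rule is (action, quick, source table, destination ports);
# None means "any".  Service names are replaced by their port numbers.
RULES = [
    ("block", False, None, None),                 # block log all
    ("block", True,  "abuse", None),              # block in quick ... from <table> to any
    ("pass",  False, None, {143, 993, 25, 465}),  # pass in ... port { $tcp_services }
    ("pass",  False, None, {80, 443}),            # pass in ... port { 80, 443 } modulate state
]

def in_table(src, table):
    """True if the source address falls inside any network of the table."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table)

def evaluate(src, dport, rules=RULES, table=ABUSE_TABLE, states=frozenset()):
    """Model of pf's decision for one inbound TCP packet.

    pf consults the state table before the rule set: a packet matching an
    existing state is passed without any rule being evaluated.  Otherwise the
    rules are walked in order and the LAST matching rule wins, except that a
    matching 'quick' rule ends the walk immediately.
    """
    if (src, dport) in states:
        return "pass (existing state)"
    decision = None
    for action, quick, tbl, ports in rules:
        if tbl is not None and not in_table(src, table):
            continue
        if ports is not None and dport not in ports:
            continue
        decision = action
        if quick:
            break
    return decision

def without_quick(rules):
    """The same rules with every 'quick' dropped, to show why the keyword matters."""
    return [(a, False, t, p) for a, _, t, p in rules]

if __name__ == "__main__":
    print(evaluate("24.147.135.133", 80))                                # block
    print(evaluate("24.147.135.133", 80, rules=without_quick(RULES)))     # pass
    print(evaluate("24.147.135.133", 80, states={("24.147.135.133", 80)}))  # pass (existing state)
```

On the real system the leftover states of the third case are removed with `pfctl -k 24.147.135.133`, and a table loaded with `persist file` only picks up edits to the file once it is reloaded (`pfctl -t <name> -T replace -f <file>`).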