Date: Mon, 3 Nov 2014 21:40:50 +1100 (EST)
From: Dave Horsfall <dave@horsfall.org>
To: FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Re: Getting tables to work in PF
Message-ID: <alpine.BSF.2.00.1411032123560.1220@aneurin.horsfall.org>
In-Reply-To: <CAPBZQG2DKNGSGRNu8%2BMAdEtyH5vj85dpxRUY2kMwDOZ44f7PJA@mail.gmail.com>
References: <alpine.BSF.2.00.1411031433070.1220@aneurin.horsfall.org>
 <CAPBZQG2b7=iiGLsj-vtuiaWRUJ-Gk6n9JwCXxVjCMeVEqsuing@mail.gmail.com>
 <alpine.BSF.2.00.1411032002560.1220@aneurin.horsfall.org>
 <CAPBZQG2DKNGSGRNu8%2BMAdEtyH5vj85dpxRUY2kMwDOZ44f7PJA@mail.gmail.com>
[-- Attachment #1 --]

On Mon, 3 Nov 2014, Ermal Luçi wrote:

> - Full ruleset if you can disclose

As attached - no secrets in it.  It's somewhat loose because it's behind
another firewall (the ADSL modem) that just lets SMTP/HTTP/SSH-secret-port
through to it (I've masked the SSH port).

> - Make sure with output of pfctl -s all that pf is actually enabled to
> do filtering on packets.

Attached; the empty "FILTER RULES" looks a bit suspicious...

> NOTE: You enable pf by running pfctl -e

I know; I was using "service pf restart" as well.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

[-- Attachment #2 --]

# netman.cust.fsi.io
216.66.15.120

[-- Attachment #3 --]

#
# Stripped down heavily from KD (OpenBSD).
# This box has no other interfaces, and is facing the net.
#
# In other words, there is no internal interface; this box is
# all that there is, hence is self-firewalled.
#
ext_if = "fxp0"

set block-policy drop
set skip on lo
set loginterface egress

# Can't remember what this does
#set ruleset-optimization basic

#
# Does this actually create the table?  Because it sure as hell doesn't
# load it...  For that I need "pfctl [-v] -t spammers -Tadd x.x.x.x"
#
table <spammers> persist file "/etc/spammers"

#
# SMTP mostly, but could use for www, ssh, etc.
#
# Cleanse every so often with "pfctl -t woodpeckers -T seconds.
#
table <woodpeckers> persist

scrub in                # Unfrag packets

block all               # But wait, there's more!
pass out quick all keep state

antispoof log quick for $ext_if inet

block in log quick on $ext_if from <spammers> to any
block in log quick on $ext_if from <woodpeckers>

# No more than 10/IP, or 5/minute should be plenty.
pass inet proto tcp from any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <woodpeckers> flush global)

# Problem packet prevention
block in log quick from no-route to any
block in log quick on $ext_if from any to 255.255.255.255
block in log quick from any to 0.0.0.0/32
block in log quick from { 224.0.0.0/4, 255.255.255.255/32 } to any
# What about 44/8?

# Testing
#block in quick log on $ext_if proto tcp port smtp from any to any

# Allowed services handled here
# DH - NNNN is where I park my SSHD
pass in quick on $ext_if proto tcp from any to any port \
    { smtp, www, domain, NNNN, sftp } flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port { domain, ntp } keep state
pass in quick on $ext_if inet proto icmp from any to any icmp-type unreach
pass in quick on $ext_if inet proto igmp from any to any

[-- Attachment #4 --]

FILTER RULES:

INFO:
Status: Enabled for 0 days 14:10:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          115778            2.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             115778            2.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            408            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:
spammers
woodpeckers

OS FINGERPRINTS:
696 fingerprints loaded
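The attached "pfctl -s all" dump is the part worth checking before anything else: pf reports Status: Enabled, yet the FILTER RULES section is empty, which means no ruleset is loaded, so none of the block rules (and none of the table references in pf.conf, including the "persist file" directive that populates <spammers>) are in effect. "pfctl -e" only turns filtering on; the ruleset is loaded separately with "pfctl -f /etc/pf.conf" (and parsed without loading with "pfctl -nf"). The script below is an added example, not part of Dave's message nor of FreeBSD or pf; it works on a saved dump and a saved table file (constructed samples are embedded) so it runs anywhere, and on the live box you would feed it "pfctl -s all" output and /etc/spammers directly. The file names and the "malformed:" output format are the example's own.

```shell
#!/bin/sh
# Added example: sanity checks for a pf host. Reads a saved "pfctl -s all"
# dump and a pf table file; none of this is FreeBSD's or pf's own tooling.
set -u

# Count non-empty lines between "FILTER RULES:" and the next "INFO:" header.
# Prints the count; returns 0 only when at least one rule is loaded.
rules_loaded() {
    n=$(awk '
        /^FILTER RULES:/   { in_rules = 1; next }
        /^INFO:/           { in_rules = 0 }
        in_rules && NF > 0 { n++ }
        END                { print n + 0 }
    ' "$1")
    echo "$n"
    [ "$n" -gt 0 ]
}

# Print the table names listed under "TABLES:", one per line.
tables_listed() {
    awk '
        /^TABLES:/          { in_tables = 1; next }
        /^[A-Z ]+:$/        { in_tables = 0 }
        in_tables && NF > 0 { print $1 }
    ' "$1"
}

# Validate a pf table file: one IPv4 address or CIDR per line, optional
# leading "!" for negation, "#" comments. Prints the number of usable
# entries; returns 1 if any line is malformed (so a reload would fail).
table_file_entries() {
    awk '
        function octets_ok(a,   i, parts, n) {
            n = split(a, parts, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (parts[i] !~ /^[0-9]+$/ || parts[i] + 0 > 255) return 0
            return 1
        }
        {
            sub(/#.*/, "")                       # drop trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "")          # trim whitespace
            if ($0 == "") next
            addr = $0; sub(/^!/, "", addr)       # negated entries are still addresses
            prefix = 32
            if (addr ~ /\//) {
                prefix = addr; sub(/.*\//, "", prefix)
                sub(/\/.*/, "", addr)
            }
            if (octets_ok(addr) && prefix ~ /^[0-9]+$/ && prefix + 0 <= 32) good++
            else { bad++; print "malformed: " $0 > "/dev/stderr" }
        }
        END { print good + 0; exit (bad > 0) }
    ' "$1"
}

# Constructed samples: the empty FILTER RULES section and TABLES list from
# the dump in the thread, plus a spammers file with one deliberately bad line.
DUMP=$(mktemp); TABLE=$(mktemp)
cat > "$DUMP" <<'EOF'
FILTER RULES:

INFO:
Status: Enabled for 0 days 14:10:09           Debug: Urgent

TABLES:
spammers
woodpeckers

OS FINGERPRINTS:
696 fingerprints loaded
EOF
cat > "$TABLE" <<'EOF'
# netman.cust.fsi.io
216.66.15.120
10.0.0.0/8      # constructed entry
999.1.1.1       # constructed bad entry
EOF

if rules_loaded "$DUMP" >/dev/null; then
    echo "ruleset loaded"
else
    echo "WARNING: pf is enabled but no filter rules are loaded;" \
         "run: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf"
fi
echo "tables known to pf: $(tables_listed "$DUMP" | tr '\n' ' ')"
table_file_entries "$TABLE" || echo "fix the malformed lines before reloading"
rm -f "$DUMP" "$TABLE"
```

On the live host the same checks are "pfctl -s all | ..." for the dump and "/etc/spammers" for the table file; after a successful "pfctl -f", "pfctl -t spammers -T show" should list the file's entries without any "-T add". One further reading of the attached ruleset, from the pf syntax rather than from anything in the thread: "pass inet proto tcp from any port smtp" matches a source port of 25, so the max-src-conn/overload limit never applies to inbound connections to the local MTA (destination port 25); those are passed by the later "pass in quick ... port { smtp, ... }" rule with no rate limit, and <woodpeckers> stays empty.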
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1411032123560.1220>
