From: "Anton Butsyk" <butsyk@mail.etsplus.net>
To: pf@freebsd.org
Date: Tue, 27 Dec 2005 14:29:02 +0200 (EET)
Subject: Re: Block rule not working...
In-Reply-To: <43B0574D.30406@forrie.com>
Message-ID: <56746.193.110.17.129.1135686542.squirrel@mail.etsplus.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> My pf.conf is below.
>
> I have this idiot at 24.147.135.133 who has been attempting to break my
> webserver for about a week - presumably he's running some script. Port
> 80 of his machine has an impressive MP3 collection.
>
> Comcast doesn't care, so my reports have been unheard.
>
> I have rules to block this /24, but he manages to get through anyway.
> First, I block via a negation to the table, second I have an
> explicit block rule to block all traffic from anyone in that table.
>
> Since the block rule comes first before the "pass" rule below, I would
> presume it would work.
>
> I can match it in the table, it's there.
>
> Can anyone tell me what's wrong with the rules so I can correct this ASAP.
>
> Thank you.
>
>
> ext_if = "fxp0"
> int_if = "em0"
> prv_if = "em0"
> server = "192.168.1.2/32"
> ext_ad = "xx.xx.xx.xx/32"
> prv_ad = "192.168.1.2/32"
> prv_net = "192.168.1.0/24"
>
> tcp_services = "imap, imaps, smtp, smtps"
>
> set require-order yes
> set limit { frags 30000, states 25000 }
> set block-policy drop
> set optimization normal
>
> set timeout tcp.first 20
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
>
> table persist file "/etc/pf.d/spammers" \
>     file "/etc/pf.d/abuse" \
>     file "/etc/pf.d/geoip"
>
> table persist file "/etc/pf.d/spammers"
> *
> table persist file "/etc/pf.d/abuse"*
>
> table persist file "/etc/pf.d/spammers"
>
> scrub all reassemble tcp no-df
> scrub in all fragment reassemble
> scrub out all random-id
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> rdr on $ext_if inet proto tcp from ! to ($ext_if) \
>     port { $tcp_services } -> $server
>
> *rdr on $ext_if inet proto tcp from ! to ($ext_if) \
>     port 80 -> $server port 80*
>
> *rdr on $ext_if inet proto tcp from ! to ($ext_if) \
>     port 443 -> $server port 443*
>
> antispoof quick for $ext_if
>
> set skip on lo0
>
> block log all
> *block in quick on $ext_if from to any*
> block in quick on $ext_if proto tcp from to port { smtp, smtps,
>     imap, imaps }
>
> pass quick on $int_if inet all keep state
>
> pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
>     modulate state
>
> pass in on $ext_if inet proto tcp from any to any port { 80, 443 } \
>     modulate state
>
> pass in on $ext_if inet proto udp all keep state
>
> pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
>
> pass out quick on $ext_if inet proto tcp all \
>     keep state
>
> pass out quick on $ext_if inet proto udp all keep state
>
> pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
> --

Hi, Forrest.

Is pf enabled?

Is $ext_if the interface for 24.147.135.133's packets?

Why don't you try to replace the definition with

table const { 24.147.135.133, 24.147.135/24 }

or any addresses you want, and a rule without iface:

block in quick from to any

--
Regards,
Anton Butsyk
http://studiori.net/
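Anton's two questions (is the attacker's traffic really arriving on $ext_if, and would a block rule without the interface qualifier help) come down to how pf walks a ruleset: rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked `quick` ends the walk immediately. The following Python model is an added example, not code from the thread or from pf itself; it rebuilds only the handful of rules from Forrie's pf.conf that matter here (`block log all`, the `quick` block from the table, `pass quick on $int_if`, and the web `pass in` on $ext_if), fills the missing table name with the constructed name `abuse`, and uses the addresses Anton proposed. It shows that the ruleset as posted blocks 24.147.135.133 when its packets enter on fxp0, but that the same packet arriving on em0 is passed by `pass quick on $int_if inet all`, whereas the interface-less block rule catches it on either interface. On the real box the equivalent checks are `pfctl -s info` (is pf enabled), `pfctl -sr` (loaded rules), and `pfctl -t NAME -T test 24.147.135.133` (is the address covered by the table).

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).

pf walks rules top to bottom; the last matching rule decides, unless a
matching rule carries 'quick', which stops the walk at once.  If no rule
matches at all, pf's default is to pass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str               # interface the packet is seen on
    direction: str           # "in" or "out"
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                        # "block" or "pass"
    direction: Optional[str] = None    # None: any direction
    iface: Optional[str] = None        # None: no 'on IFACE' qualifier
    src_table: Optional[str] = None    # table name, or None for 'from any'
    dports: Optional[set] = None       # None: any destination port
    quick: bool = False


def in_table(tables, name, addr):
    """Table lookup: is addr inside any prefix listed in the named table?"""
    a = ip_address(addr)
    return any(a in net for net in tables[name])


def matches(rule, pkt, tables):
    """Does this rule apply to the packet?  Unset fields match anything."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src_table is not None and not in_table(tables, rule.src_table, pkt.src):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules, pkt, tables):
    """Return (action, index of the deciding rule); last match wins,
    'quick' short-circuits, and no match at all means pass."""
    decision = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt, tables):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision


# Constructed table, after Anton's suggestion:
#   table <abuse> const { 24.147.135.133, 24.147.135/24 }
TABLES = {"abuse": [ip_network("24.147.135.133/32"), ip_network("24.147.135.0/24")]}

# The relevant part of the posted ruleset ($ext_if = fxp0, $int_if = em0)
RULES_AS_POSTED = [
    Rule("block"),                                        # block log all
    Rule("block", "in", "fxp0", "abuse", quick=True),     # block in quick on $ext_if from <abuse> to any
    Rule("pass", "in", "em0", quick=True),                # pass quick on $int_if inet all keep state
    Rule("pass", "in", "fxp0", None, {80, 443}),          # pass in on $ext_if ... port { 80, 443 }
]

# Anton's variant: the same block rule with the interface qualifier dropped
RULES_NO_IFACE = [
    Rule("block"),
    Rule("block", "in", None, "abuse", quick=True),       # block in quick from <abuse> to any
    Rule("pass", "in", "em0", quick=True),
    Rule("pass", "in", "fxp0", None, {80, 443}),
]


def decide(rules, iface, src="24.147.135.133"):
    """Verdict for an inbound HTTP packet from src seen on iface."""
    pkt = Packet(iface, "in", src, "192.168.1.2", "tcp", 80)
    return evaluate(rules, pkt, TABLES)[0]


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("no iface", RULES_NO_IFACE)):
        for iface in ("fxp0", "em0"):
            print(f"{name:10s} on {iface}: {decide(rules, iface)}")
```

The model deliberately ignores state, NAT and rdr; its single point is that an `on $ext_if` qualifier limits a block rule to packets pf sees on that interface, so if the offending packets enter elsewhere, a later `pass quick` can hand them through.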