From: ASV <asv@inhio.net>
To: Kristof Provost
Cc: freebsd-questions@freebsd.org
Subject: Re: PF issue since 11.2-RELEASE
Date: Sun, 03 Feb 2019 21:43:10 +0100
In-Reply-To: <764DE990-3AC5-43F5-A05B-68C3346AB819@sigsegv.be>
X-Mailer: Evolution 3.28.5 FreeBSD GNOME Team
You are right, that was missing!

So in the end (for the record):
- I've added anchor "f2b/*" which was missing
- I've removed the f2b/asterisk as I've managed to handle it directly
  through fail2ban with some adjusting (which is how it should be)
- I've changed "lo" to "lo0" on the "set skip on" rule (as you suggested)
  and that fixed the network getting stuck (but that's probably a bug)
- I've fixed the fail2ban default block rule which was missing "in" and
  "on" and that was the reason why it wasn't blocking anything

Everything finally seems to be working as expected.
Thanks A LOT for your time, very appreciated indeed!

Cheers.

On Sun, 2019-02-03 at 16:26 +0100, Kristof Provost wrote:
> 
> On 1 Feb 2019, at 10:33, ASV wrote:
> > On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
> > > On 31 Jan 2019, at 12:11, ASV wrote:
> > > > Good afternoon,
> > > > one good news and one bad news.
> > > > 
> > > > Good news is that it was that bloody zero missing which was
> > > > "freaking out" PF during the reload. How could I have missed that?
> > > > Perhaps erroneously removed during the upgrade somehow, or it was
> > > > there but not causing problems?! I'll never know. But it's fixed,
> > > > so thank you very much for the good catch!
> > > > 
> > > > The bad news is that PF is still not enforcing the rules within
> > > > the anchors. So fail2ban keeps populating the tables where the
> > > > previously mentioned rules are in place (reposted below), but
> > > > these IPs keep bombing me with connection attempts, passing the
> > > > firewall with no problems at all. Killing the states, reloading,
> > > > restarting (PF and fail2ban) doesn't fix that.
> > > > 
> > > > # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> > > > block drop quick proto udp from to any port = sip
> > > > block drop quick proto udp from to any port = sip-tls
> > > > 
> > > > # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> > > > block drop quick proto tcp from to any port = sip
> > > > block drop quick proto tcp from to any port = sip-tls
> > > 
> > > I don't use anchors myself, but don't you need to call them from
> > > your main ruleset?
> > 
> > Anchors are called and the blocking rule is set within:
> > 
> > anchor f2b {
> >   anchor asterisk {
> >     block in quick log to any
> >   }
> > }
> 
> You have to 'anchor "f2b/*"' in your main ruleset to get anchor
> 'f2b/asterisk-tcp' to be used.
> 
> Regards,
> Kristof
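As an added illustration (not part of the thread, and not the poster's actual pf.conf), here is a minimal main ruleset showing the three fixes the reply lists: `set skip on lo0` instead of `lo`, the `anchor "f2b/*"` line that makes PF evaluate every sub-anchor fail2ban creates under `f2b/`, and a fail2ban block rule carrying the `in` direction and `on` interface qualifiers. The interface name `em0`, the `pass` rules, the table names and the service-name port list are assumptions for the example; fail2ban loads its own rules into the anchor at runtime with `pfctl -a`, so the second section only shows what ends up there.

```pf
# --- /etc/pf.conf (main ruleset), constructed example ---

# Assumed external interface; adjust to the real one.
ext_if = "em0"

# The loopback interface on FreeBSD is lo0, not lo. A "set skip on lo"
# line references a non-existent interface and was what broke the
# reload in the thread.
set skip on lo0

block in on $ext_if all

# Evaluate every anchor fail2ban creates under f2b/ (f2b/asterisk-udp,
# f2b/asterisk-tcp, ...). Without this line the anchors and their
# tables exist in the kernel but are never consulted, so nothing in
# them blocks anything. It must come BEFORE the pass rules below:
# the fail2ban rules are "quick", so they win only if PF reaches them
# before a matching pass rule.
anchor "f2b/*"

# Services exposed on the external interface (assumed).
pass in on $ext_if proto { tcp, udp } to port { sip, sip-tls }
pass out on $ext_if all

# --- rules fail2ban loads into anchor f2b/asterisk-udp at runtime ---
# (equivalent of: echo '...' | pfctl -a f2b/asterisk-udp -f -)
#
# Old form the reply describes as not blocking, lacking "in" and "on":
#   block quick proto udp from <f2b-asterisk-udp> to any port sip
#
# Corrected form with direction and interface qualifiers:
table <f2b-asterisk-udp> persist
block in quick on $ext_if proto udp from <f2b-asterisk-udp> to any port { sip, sip-tls }
```

To confirm the anchor is actually wired in, `pfctl -sr` on the main ruleset should list a line reading `anchor "f2b/*" all`, and `pfctl -a f2b/asterisk-udp -sr` should show the block rule; if the first command shows no anchor line, the rules inside the anchor are loaded but unreachable, which is exactly the symptom in the thread.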