Date:      Sun, 03 Feb 2019 21:43:10 +0100
From:      ASV <asv@inhio.net>
To:        Kristof Provost <kristof@sigsegv.be>
Cc:        questions list <freebsd-questions@freebsd.org>
Subject:   Re: PF issue since 11.2-RELEASE
Message-ID:  <ac80886840472a2d307a6e671a95b008e1a24d70.camel@inhio.net>
In-Reply-To: <764DE990-3AC5-43F5-A05B-68C3346AB819@sigsegv.be>
References:  <989e79372513e9769c6857b531f14df8ce0b6f3a.camel@inhio.net> <F26DA908-F2AC-4CBF-8227-A4C3D21865EE@FreeBSD.org> <e336fd332455cc9fe9f722482aae09ed6eeab610.camel@inhio.net> <51F0845A-2BB3-4BC9-977D-BB0E6C305ED3@FreeBSD.org> <a801e46a5c4ca3aaa8bc4d6b270319840908ad44.camel@inhio.net> <20190129193609.GB57976@vega.codepro.be> <c89b0bfc5decb895432b8427e4e70d58c5a7f0c9.camel@inhio.net> <2677833F-B2C4-4CCD-B82F-4F3F84B7FFF8@sigsegv.be> <8918ed58705259aebcf0b5254fd28d161b4d31b5.camel@inhio.net> <764DE990-3AC5-43F5-A05B-68C3346AB819@sigsegv.be>



You are right, that was missing!

So in the end (for the record):
- I've added anchor "f2b/*" which was missing
- I've removed the f2b/asterisk as I've managed to handle it directly through fail2ban with some adjusting (which is how it should be)
- I've changed "lo" to "lo0" on the "set skip on" rule (as you suggested) and that fixed the network getting stuck (but that's probably a bug)
- I've fixed the fail2ban default block rule which was missing "in" and "on <interface>" and that was the reason why it wasn't blocking anything

Everything finally seems to be working as expected.
Thanks A LOT for your time, very much appreciated indeed!

Cheers.


On Sun, 2019-02-03 at 16:26 +0100, Kristof Provost wrote:
>
> On 1 Feb 2019, at 10:33, ASV wrote:
> > On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
> > > On 31 Jan 2019, at 12:11, ASV wrote:
> > > > Good afternoon,
> > > > some good news and some bad news.
> > > >
> > > > Good news is that it was that bloody zero missing which was "freaking
> > > > out" PF during the reload. How could I have missed that? Perhaps
> > > > erroneously removed during the upgrade somehow, or it was there but not
> > > > causing problems?! I'll never know. But it's fixed, so thank you very
> > > > much for the good catch!
> > > >
> > > > The bad news is that PF is still not enforcing the rules within the
> > > > anchors. So fail2ban keeps populating the tables where the previously
> > > > mentioned rules are in place (reposted below) but these IPs keep
> > > > bombing me with connection attempts, passing the firewall with no
> > > > problems at all. Killing the states, reloading, restarting (PF and
> > > > fail2ban) doesn't fix that.
> > > >
> > > > # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> > > > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
> > > > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
> > > >
> > > > # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> > > > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
> > > > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
> > >
> > > I don't use anchors myself, but don't you need to call them from your
> > > main ruleset?
> >
> > Anchors are called and the blocking rule is set within:
> >
> > anchor f2b {
> >     anchor asterisk {
> >         block in quick log to any
> >     }
> > }
>
> You have to 'anchor "f2b/*"' in your main ruleset to get anchor
> 'f2b/asterisk-tcp' to be used.
> Regards,
> Kristof

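For the record, here is the shape of main ruleset the thread converged on, written out as an added example rather than the poster's actual pf.conf (which is not on the page): the loopback skip by device name, the wildcard anchor that attaches fail2ban's per-jail sub-anchors, and the placement of that anchor ahead of the pass rules. The interface name em0, the pass rules, and the assumption that fail2ban's pf action loads its rules with `pfctl -a f2b/<jail> -f -` are mine; the rule shown in the comment is the form the poster described after adding "in" and "on <interface>".

```pf
# /etc/pf.conf (added example, not the poster's ruleset)
# em0 is an assumed external interface name; adjust to the host.
ext_if = "em0"

# Skip filtering on the loopback device by its real name, lo0, as the
# thread settled on, rather than the "lo" group name that caused trouble.
set skip on lo0

# Default deny inbound on the external interface.
block in log on $ext_if

# Attach every sub-anchor one level below f2b/ (f2b/asterisk-tcp,
# f2b/asterisk-udp, ...). fail2ban creates these at runtime; without this
# line they exist in the kernel and their tables fill, but nothing
# evaluates them. The inline form "anchor f2b { anchor asterisk { ... } }"
# only defines f2b/asterisk and does not reach anchors created by name later.
#
# This must come BEFORE any "pass ... quick" rule for the same ports: the
# block rules fail2ban loads are "quick", so they win only if evaluated
# first. Rule shape fail2ban ends up loading into each sub-anchor
# (assumed, per the poster's description; table is f2b-<jail>):
#   block drop in quick on em0 proto tcp from <f2b-asterisk-tcp> to any port { sip sip-tls }
anchor "f2b/*"

# Service rules (assumed): SIP over UDP/TCP, then outbound.
pass in quick on $ext_if proto { tcp udp } to port { sip sip-tls }
pass out on $ext_if
```

Checks worth running after `pfctl -f /etc/pf.conf` (and `pfctl -nf /etc/pf.conf` first, to catch a bad interface or anchor spelling before the live ruleset is replaced): `pfctl -sr` should list `anchor "f2b/*" all` in the main ruleset; `pfctl -sA` lists the anchors that actually exist; `pfctl -a "f2b/*" -sr` shows the rules inside every f2b sub-anchor; and `pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -T show` lists the addresses fail2ban has banned in that jail. One caveat the poster ran into: adding an address to a table does not touch states that already exist, so a source that is mid-flood keeps its current connections until those states are killed, e.g. `pfctl -k 203.0.113.5` (example address).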
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac80886840472a2d307a6e671a95b008e1a24d70.camel>