From owner-freebsd-questions@FreeBSD.ORG Wed Feb 25 15:48:09 2015
Date: Wed, 25 Feb 2015 16:27:32 +0100
From: Hasse Hansson
To: Godfrey Hamshire
Subject: Re: Help requested with pf.conf firewall script
Message-ID: <20150225152732.GA78280@ymer.thorshammare.org>
References: <0B6F89C4C603445FA59AEB72931207A0@workstation>
In-Reply-To: <0B6F89C4C603445FA59AEB72931207A0@workstation>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: FreeBSD Users

On Sat, Feb 21, 2015 at 06:29:29PM +0200, Godfrey Hamshire wrote:
> Help requested with pf.conf
>
> Hello
>
> I would be most grateful if some kind member could assist me.
>
> I am in the process of setting up a mail/web server etc.
>
> I want to be able to block IPs that try brute force attacks and those that try and break in using hundreds of usernames and passwords.
>
> I found this set of rules as set out below. They are not mine but belong to K.Andreev. There is nothing wrong with them; I just want to be able to ping and traceroute from the server and can't.
>
> I have tried all sorts of combinations with the last line, from various sites via Google, and can't get it to ping or any of that stuff. Not being too clued up on this aspect, I am asking for assistance.
>
> This is what I am getting when I try to ping.
>
> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
> ping: sendto: No route to host
> ping: sendto: No route to host
>
> If, to save a lot of hassle, the reader of this has a working pf.conf that allows blocking of IPs that endlessly try to break in, or one I can add troublesome IPs to a table with, that would be really cool.
>
> Here is the rule set I am asking for help with.
>
> Thank you for your time, trouble and help; it will be appreciated.
> Kind regards
>
> Godfrey
>
>
> # pf config - K.Andreev 20140604
> ext_if = "vr0"
>
> set loginterface $ext_if
> set skip on lo
>
> table persist
> table persist file "/etc/blocked_subnets"
>
> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
> udp_pass = "{ 21 53 }"
>
> block all
>
> block in log quick on $ext_if from to any
> block out log quick on $ext_if from any to
>
> block quick from
>
> pass quick proto { tcp, udp } from any to any port ssh \
>     flags S/SA keep state \
>     (max-src-conn 15, max-src-conn-rate 5/3, \
>     overload flush global)
>
> pass log on $ext_if proto tcp to any port $tcp_pass keep state
> pass out on $ext_if proto udp to any port $udp_pass keep state
> pass inet proto icmp from any to any keep state
>
> ______________________________________________

Hello

Here are two of my pf rules. The first is for ping and the latter one for traceroute.

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

/hasse
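As an added example (not from either poster, and not K.Andreev's config), here is a complete pf.conf that combines the brute-force overload table from the quoted ruleset with the ping and traceroute rules from the reply, so the two pieces can be seen working together. The interface name vr0 and the port lists come from the quoted config; the table names <bruteforce> and <blocked_subnets> are assumed placeholders, since the table names did not survive in the quoted text.

```pf
# Added example pf.conf (not from the thread). vr0 is the interface named in
# the quoted config; <bruteforce> and <blocked_subnets> are placeholder names.
ext_if = "vr0"

set loginterface $ext_if
set skip on lo

# Sources that trip the SSH rate limit below are added here; persist keeps the
# table alive across rule reloads. The second table holds static bans from a file.
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 25 26 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"

# Default deny; a later matching pass rule wins unless a rule is marked quick.
block all

# Banned sources are dropped before anything else is evaluated (quick).
block in log quick on $ext_if from <bruteforce> to any
block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <bruteforce>
block out log quick on $ext_if from any to <blocked_subnets>

# SSH with a connection-rate limit: a source opening more than 5 new
# connections in 3 seconds, or holding more than 15 at once, is added to
# <bruteforce> and all of its existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Services this host offers, and outbound client traffic it needs.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_pass keep state
pass out on $ext_if proto tcp from ($ext_if) to any port $tcp_pass keep state
pass out on $ext_if proto udp from ($ext_if) to any port $udp_pass keep state

# Outbound ping: only echo requests leave. The echo reply matches the state
# created for the request, so no separate inbound echo-reply rule is needed.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# ICMP errors the host itself needs (unreachable, redirect, time exceeded),
# limited to the host's own address rather than "any".
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type { unreach, redir, timex } keep state

# Outbound traceroute: FreeBSD traceroute sends UDP probes starting at port
# 33434. The ICMP time-exceeded and port-unreachable replies are matched to
# the state of the probe that caused them, so they come back without an
# explicit inbound rule for each.
pass out on $ext_if inet proto udp from ($ext_if) to any port 33433 >< 33626 keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. The overload table can be inspected and maintained by hand with `pfctl -t bruteforce -T show`, `pfctl -t bruteforce -T add 192.0.2.10` (a documentation address used here as a constructed sample), `pfctl -t bruteforce -T delete 192.0.2.10`, and `pfctl -t bruteforce -T expire 86400` to drop entries older than a day; that last command is what turns the overload table into a ban that clears itself rather than growing forever.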