From owner-freebsd-questions@FreeBSD.ORG Tue Sep 18 03:13:25 2007
Date: Mon, 17 Sep 2007 22:13:24 -0500
From: Erik Osterholm
To: Agus
Cc: freebsd-questions@freebsd.org
Subject: Re: How to add rule with pfctl...
Message-ID: <20070918031323.GA46854@idoru.cepheid.org>
References: <200709152336.27214.fbsd.questions@rachie.is-a-geek.net> <46EEB13C.4020509@kinetix.gr>
User-Agent: Mutt/1.4.2.3i
List-Id: User questions

On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
> Agus wrote:
> >
> > 2007/9/15, Mel :
> >
> > On Saturday 15 September 2007 23:18:17 Agus wrote:
> > > I am trying to figure out how to add a firewall rule with pfctl...
> > > This is what I'm trying to do...
> > >
> > > I've got SEC that matches a certain pattern and takes the IP from that and
> > > want to trigger a firewall rule to block that IP....
> > > Then after a couple of hours SEC will trigger the command to un-block the
> > > IP...
> > > So what I need is the command to block an IP address from the command line,
> > > not touching any pf.conf....
> >
> > If you don't need to add a rule but an IP, then tables are your friend.
> > Example for /etc/pf.conf:
> > # Placeholder for spammers table, non-routable network IP.
> > table <spammers> persist { 192.168.111.111 }
> > # Block this traffic
> > block return-rst in log on $ext_if proto tcp from <spammers> port smtp
> >
> > Then on the command line:
> > /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> > And to delete:
> > /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
> >
> > --
> > Mel
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
> > Hi,
> > I put this in /etc/pf.conf
> > external_addr="192.168.1.11" which is the address of the only interface.
> > This machine isn't a router.
> >
> > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > $external_addr port ssh
> >
> > but when I try to connect from 192.168.0.1 I connect with no problems...this
> > rule is to block access..
> > What am I doing wrong..is my first time with pf...
> >
> > Thanks...
> >
> > 2007/9/17, Goltsios Theodore :
> Well I think that you mean to add this:
>
> ext_if="rl0" # Or whatever your interface is; ifconfig helps to find out
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
> port ssh
>
> or even:
> ext_if="rl0"
> external_addr="192.168.1.11"
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> $external_addr port ssh
>
> Think of macros as variables. As long as you don't define them they don't
> exist (are empty).
>
>
> I know Theodore, I've done it exactly like u put it....first declare macros
> and then the rule....
> but I couldn't block access to the machine....this rule is supposed to block
> all access to port 22 on the machine coming from 192.168.0.1....but I can
> access from there...
>
> I checked pfctl -e
> pfctl -sa
>
> and everything seems to be loaded...
>
> Thanks...

Are you sure that you're trying to block only from a specific host? The
source address shouldn't change, even if you're doing NAT. I would assume
that you'd want an 'any' keyword there, rather than a specific IP address.

Also, you can add hosts to the table automatically based on the number of
connections over a given period of time:

block quick from <blackhole>
pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)

The first rule blocks hosts from the blackhole table. The second adds hosts
to the blackhole table and kills their state if they connect more than 5
times in 30 seconds. This is obviously tunable: 3/30 would be 3 connections
in 30 seconds, and 8/60 would be 8 connections in 60 seconds.

Erik
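The following is an added example and not code from anyone in this thread. It wraps the pfctl table approach Mel describes (block/unblock an address without touching pf.conf) in a small POSIX sh script that a log watcher such as SEC can call, and it prints the /etc/pf.conf fragment the script assumes, with Erik's overload rule included and every macro defined, since undefined macros were the stumbling block earlier in the thread. The table name `spammers`, the interface `rl0`, the address `192.168.1.11` and the function names are assumptions for the example; `PF_TABLE`, `PFCTL` and `DRY_RUN` are hypothetical environment knobs, not pfctl options. The address check matters because the value comes from parsed log text and is handed to a privileged command.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper around
#   pfctl -t <table> -T add|delete ADDR
# for use from SEC or cron.  Assumed table name: "spammers" (override with
# PF_TABLE); assumed pfctl path: /sbin/pfctl (override with PFCTL).
# DRY_RUN=1 prints the command instead of executing it.

PF_TABLE="${PF_TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
# Anything else (names, CIDR, shell metacharacters) is rejected so that only
# a plain address can ever reach pfctl.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# pf_table_cmd add|delete ADDR: print the pfctl command line that would be
# run; exit 1 for a bad address, 2 for an unknown operation, printing nothing.
pf_table_cmd() {
    case "$1" in
        add|delete) ;;
        *) return 2 ;;
    esac
    is_ipv4 "$2" || return 1
    printf '%s -t %s -T %s %s\n' "$PFCTL" "$PF_TABLE" "$1" "$2"
}

# pf_table_apply add|delete ADDR: validate, then run pfctl (or print under DRY_RUN).
pf_table_apply() {
    pf_table_cmd "$1" "$2" >/dev/null || return $?
    if [ -n "${DRY_RUN:-}" ]; then
        pf_table_cmd "$1" "$2"
    else
        "$PFCTL" -t "$PF_TABLE" -T "$1" "$2"
    fi
}

# pf_conf_template: the /etc/pf.conf fragment this wrapper assumes.  The
# heredoc is quoted, so the $macros below belong to pf, not to the shell.
pf_conf_template() {
    cat <<'EOF'
ext_if = "rl0"                # your interface; ifconfig shows the name
myip   = "192.168.1.11"       # the address configured on $ext_if

table <spammers> persist      # filled by the wrapper script (e.g. from SEC)
table <blackhole> persist     # filled automatically by the overload rule below

# Drop everything from addresses held in either table.
block drop in quick on $ext_if from <spammers> to any
block drop in quick on $ext_if from <blackhole> to any

# Allow ssh, but move any source that opens more than 5 connections in
# 30 seconds into <blackhole> and flush its existing states.
pass in on $ext_if inet proto tcp from any to $myip port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <blackhole> flush global)
EOF
}

# Command-line use:  ./pf-table.sh add 203.0.113.7
#                    ./pf-table.sh delete 203.0.113.7
#                    ./pf-table.sh template > /etc/pf.conf.fragment
case "${1:-}" in
    add|delete) pf_table_apply "$1" "$2" ;;
    template)   pf_conf_template ;;
esac
```

Two things worth knowing when running this for real. First, the "un-block after a couple of hours" step does not need SEC to remember anything: `pfctl -t spammers -T expire 7200` from cron removes every entry that has been in the table for more than 7200 seconds. Second, adding an address to a table only affects new connections; a session that is already established keeps its state entry, so follow a manual `add` with `pfctl -k ADDR` if you want it cut off immediately (the overload rule's `flush global` does that part for you). Check the fragment with `pfctl -nf` before loading it.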