From: ASV <asv@inhio.net>
To: Kristof Provost
Cc: questions list
Subject: Re: PF issue since 11.2-RELEASE
Date: Thu, 31 Jan 2019 12:11:15 +0100
In-Reply-To: <20190129193609.GB57976@vega.codepro.be>

Good afternoon,

one piece of good news and one piece of bad news.

Good news is that it was that bloody zero missing which was "freaking out" PF during the reload. How could I have missed that? Perhaps erroneously removed during the upgrade somehow, or it was there but not causing problems?! I'll never know. But it's fixed, so thank you very much for the good catch!

The bad news is that PF is still not enforcing the rules within the anchors. So fail2ban keeps populating the tables where the previously mentioned rules are in place (reposted below), but these IPs keep bombing me with connection attempts, passing the firewall with no problems at all. Killing the states, reloading, restarting (PF and fail2ban) doesn't fix that.

# pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
# pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls

Is it a known bug?

On Tue, 2019-01-29 at 20:36 +0100, Kristof Provost wrote:
> On 2019-01-29 20:31:53 (+0100), ASV wrote:
> > OK, I understand. Here it follows my pf.conf:
> >
> > ext_if="lagg0"
> > tun0_if="tun0"
> > B01="172.16.3.2"
> > K01="172.16.3.3"
> > W01="172.16.3.4"
> > W03="172.16.3.5"
> > K02="172.16.3.6"
> > W02="172.16.3.7"
> >
> > set skip on lo
>
> Try 'set skip on lo0'
>
> There have been issues with groups in 'set skip' handling. They
> *should* be fixed in CURRENT, but 11.2 is affected.
>
> Regards,
> Kristof
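Added example, not part of the thread: one common reason rules show up under `pfctl -a f2b/... -s rules` yet never match traffic is that the main ruleset (`pfctl -sr`) contains no `anchor` rule naming those anchors, e.g. `anchor "f2b/*"`, so PF never descends into them. The script below checks a ruleset text for such a reference against the anchor paths from this thread, using constructed sample rulesets; that this is the cause here is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Anchor rules are only evaluated when
# the main ruleset has an `anchor` rule that names the anchor directly
# ("f2b/asterisk-udp") or via its parent wildcard ("f2b/*").

# $1 = main ruleset text, $2 = anchor path. Prints "yes" or "no".
anchor_is_referenced() {
    ruleset=$1
    anchor=$2
    parent=${anchor%%/*}     # "f2b" for "f2b/asterisk-udp"
    # Accept: anchor "f2b/asterisk-udp" ...  or  anchor "f2b/*" ...
    re="^[[:space:]]*anchor[[:space:]]+\"?(${anchor}|${parent}/\\*)\"?([[:space:]]|\$)"
    if printf '%s\n' "$ruleset" | grep -Eq "$re"; then
        echo yes
    else
        echo no
    fi
}

# $1 = anchor paths, one per line (as from `pfctl -a f2b -s Anchors`),
# $2 = main ruleset text. Prints the anchors the main ruleset never evaluates.
unreferenced_anchors() {
    printf '%s\n' "$1" | while read -r a; do
        [ -n "$a" ] || continue
        [ "$(anchor_is_referenced "$2" "$a")" = yes ] || printf '%s\n' "$a"
    done
}

# Constructed sample data, modelled on the anchors named in the thread.
F2B_ANCHORS='f2b/asterisk-udp
f2b/asterisk-tcp'

# Ruleset with no anchor line: fail2ban's tables fill up, nothing is blocked.
RULESET_MISSING_ANCHOR='set skip on lo0
pass in quick proto udp to any port = sip'

# Same ruleset with the anchor rule placed before the pass rule.
RULESET_FIXED='set skip on lo0
anchor "f2b/*"
pass in quick proto udp to any port = sip'

# Usage: list anchors the broken ruleset never consults.
unreferenced_anchors "$F2B_ANCHORS" "$RULESET_MISSING_ANCHOR"
```

On a live host the same check is `pfctl -sr | grep anchor` compared against `pfctl -s Anchors`; the fix is the `anchor "f2b/*"` line in pf.conf, ordered before any `pass` rule that would otherwise admit the traffic.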