From: "Kristof Provost"
To: ASV
Cc: "questions list"
Subject: Re: PF issue since 11.2-RELEASE
Date: Thu, 31 Jan 2019 22:00:23 +0100

On 31 Jan 2019, at 12:11, ASV wrote:

> Good afternoon,
> one good news and one bad news.
>
> Good news is that it was that bloody zero missing which was "freaking
> out" PF during the reload. How could I have missed that? Perhaps erroneously
> removed during the upgrade somehow or it was there but not causing
> problems?! I'll never know. But it's fixed so thank you very much for
> the good catch!
>
> The bad news is that PF is still not enforcing the rules within the
> anchors. So fail2ban keeps populating the tables where the previously
> mentioned rules are in place (reposted below) but these IPs keep
> bombing me with connection attempts passing the firewall with no
> problems at all. Killing the states, reloading, restarting (PF and
> fail2ban) doesn't fix that.
>
> # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> block drop quick proto udp from to any port = sip
> block drop quick proto udp from to any port = sip-tls
>
> # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> block drop quick proto tcp from to any port = sip
> block drop quick proto tcp from to any port = sip-tls
>

I don’t use anchors myself, but don’t you need to call them from your main ruleset?

Regards,
Kristof
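
The check the reply points at, as an added example that is not part of the original thread: rules loaded into an anchor are only evaluated if the main ruleset contains an `anchor` call that reaches them. The function name, the sample rulesets and the `anchor "f2b/*"` call are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does the main ruleset evaluate an anchor?
# Feed it the output of `pfctl -s rules`; the samples below are constructed.

# anchor_called RULES PATH: exit 0 if an `anchor` line in RULES evaluates PATH,
# either by naming it exactly or through a wildcard on its parent ("f2b/*").
anchor_called() {
    rules=$1
    path=$2
    case $path in
        */*) wildcard="${path%/*}/*" ;;   # f2b/asterisk-udp -> f2b/*
        *)   wildcard='*' ;;              # top-level anchor
    esac
    prefix='anchor "'
    found=1
    while IFS= read -r line; do
        case $line in
            "$prefix"*) ;;                # an anchor call in the filter rules
            *) continue ;;                # anything else, nat-anchor included
        esac
        name=${line#"$prefix"}            # drop the leading: anchor "
        name=${name%%\"*}                 # drop the closing quote and the rest
        if [ "$name" = "$path" ] || [ "$name" = "$wildcard" ]; then
            found=0
        fi
    done <<EOF
$rules
EOF
    return "$found"
}

# Constructed main ruleset with no anchor call: the f2b rules are never reached.
BROKEN_RULES='block drop in log all
pass in quick proto udp from any to any port = sip keep state'

# Same ruleset with the call added ahead of the quick pass rule (assumed fix).
FIXED_RULES='block drop in log all
anchor "f2b/*" all
pass in quick proto udp from any to any port = sip keep state'

for p in f2b/asterisk-udp f2b/asterisk-tcp; do
    if anchor_called "$BROKEN_RULES" "$p"; then
        echo "$p: evaluated"
    else
        echo "$p: NOT evaluated by the main ruleset"
    fi
done
```

On a live host, pass `"$(pfctl -s rules)"` as the first argument instead of the constructed samples.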