Date: Tue, 22 Feb 2005 19:52:21 +0300
From: Odhiambo Washington <wash@wananchi.com>
To: pf@FreeBSD.org
Subject: Re: Stumped with pf.conf
Message-ID: <20050222165221.GC35111@ns2.wananchi.com>
In-Reply-To: <73064646.20050222174545@hexren.net>
References: <20050222124942.GG52536@ns2.wananchi.com> <421B334F.8080008@raxion.net> <20050222135804.GL52536@ns2.wananchi.com> <1242093159.20050222172933@hexren.net> <20050222164000.GA35111@ns2.wananchi.com> <73064646.20050222174545@hexren.net>
* Hexren <me@hexren.net> [20050222 19:46]: wrote:

> OW> * Hexren <me@hexren.net> [20050222 19:30]: wrote:
>
> >> OW> * Kay Abendroth <kay.abendroth@raxion.net> [20050222 16:28]: wrote:
> >> >> Odhiambo Washington wrote:
> >> >> >I am a newbie to PF, running on FreeBSD 5.3-STABLE.
> >> >> >I would like some critique of the following pf.conf, which I am using,
> >> >> >but which appears to have a loophole! Some folk is accessing my port
> >> >> >8080, which I am thinking I have only opened to 62.8.64.0/19.
> >> >> [...]
> >> >>
> >> >> How do you know some are accessing? The only thing you actually log is
> >> >> the traffic blocked by this rule:
> >> >>
> >> >> block in log quick on $ext_if inet proto tcp from any to any flags S/SAFR
> >>
> >> OW> Hi Kay,
> >>
> >> OW> I have an application running on port 8080 of this box. That
> >> OW> application logs the IPs of machines accessing it, and I can see a
> >> OW> foreign IP accessing that service.
> >>
> >> OW> What I meant to say is that "the filter is NOT working as expected by
> >> OW> blocking access to disallowed hosts".
> >>
> >> OW> If you'd like to test accessing the box on that port, go ahead and
> >> OW> set your proxy settings to 62.8.64.13:8080 and try going to badboys.com
> >>
> >> ---------------------------------------------
> >>
> >> Looking over it I can't see any obvious mistakes.
> >> Have you enabled pf, (e.g. done "pfctl -e") ?
>
> OW> Yes!
>
> >> And can you provide the output of "pfctl -sr".
>
> OW> Gives no output.
>
> >> A good way to narrow your problem down would be to log all rules that
> >> pass and see which one lets outside connections in.
>
> OW> I am gonna try that!
>
>
> ---------------------------------------------
>
> Then please show "pfctl -sa"

FILTER RULES:
INFO:
Status: Enabled for 0 days 00:08:31           Debug: Urgent
Hostid: 0x13453171

State Table                          Total             Rate
  current entries                        0
  searches                          105399          206.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             105399          206.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start                 0 states
  adaptive.end                   0 states
  src.track                     0s

LIMITS:
  states        hard limit  10000
  src-nodes     hard limit      0
  frags         hard limit   5000

> "pfctl -sr" should output all active rules. Having no output implies
> that you have no rules, imho. Please describe the procedure you
> used to install your ruleset into pf.

I created the file, /etc/pf.conf, checked it to be sure that at least
I was understanding what I have written, then I did:

pfctl -e

Isn't that the way? ;)

Best regards,
Odhiambo Washington
Systems Admin, Wananchi Online Ltd.

Are you hosting your domain name with the leaders??: See http://webhosting.info/webhosts/tophosts/Country/KE

DISCLAIMER : http://ns2.wananchi.com/~wash/Email/disclaimer.txt

----------------------------------+-----------------------------------------
Odhiambo WASHINGTON               . WANANCHI ONLINE LTD (Nairobi, KE)
http://www.wananchi.com/email/    . 1ere Etage, Loita Hse, Loita St.,
Mobile: (+254) 722 743 223        . # 10286, 00100 NAIROBI
----------------------------------+-----------------------------------------
Money does not buy happiness! - Pepe Kalle (Ya Mpanya)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Seen in a post on a mailing list:

> The message you sent breaks RFC1521. It has this line:
> Content-Type: text/html; charset:ISO-8859-1
> But according to 7.1 of the RFC there should be an '=' sign after charset,
> not ':'.

Yes. We must ask all spammers and virus authors to kindly send their stuff
in an RFC-compliant way. Because our systems go down and they lose their
$$$$ business.
--Petr
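Added example, not from the thread or from the pf project: `pfctl -e` only switches the filter on, while the ruleset is installed with `pfctl -f /etc/pf.conf`, so an empty `pfctl -sr` means no rules are active and pf passes everything. The shell functions below parse `pfctl -sa` output to confirm a ruleset is really loaded and wrap the check/load/enable sequence; the two sample outputs and the interface name fxp0 are constructed.

```shell
# Added example (not from the thread). `pfctl -e` enables pf but loads no
# rules; `pfctl -f /etc/pf.conf` installs the ruleset. On FreeBSD the rc.conf
# knobs pf_enable="YES" and pf_rules="/etc/pf.conf" do both at boot.

# Return 0 when the "pfctl -sa" output in $1 has at least one filter rule:
# a non-empty line between "FILTER RULES:" and the next section header.
pf_has_rules() {
    printf '%s\n' "$1" | awk '
        /^FILTER RULES:/   { in_rules = 1; next }
        /^[A-Z ]+:$/       { in_rules = 0 }
        in_rules && NF > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample mirroring the empty ruleset shown in the thread.
PF_SA_EMPTY='FILTER RULES:
INFO:
Status: Enabled for 0 days 00:08:31           Debug: Urgent
State Table                          Total             Rate
  current entries                        0'

# Constructed sample of a loaded ruleset (fxp0 is an assumed interface).
PF_SA_LOADED='FILTER RULES:
block drop in log quick on fxp0 inet proto tcp all flags S/SAFR
pass in on fxp0 inet proto tcp from 62.8.64.0/19 to any port = 8080 flags S/SA keep state
INFO:
Status: Enabled for 0 days 00:08:31           Debug: Urgent'

# Safe load sequence: syntax-check, install, enable, then verify.
# Needs pfctl, i.e. run this on the FreeBSD box itself.
pf_load_and_verify() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || return 1      # parse only; abort on syntax error
    pfctl -f "$conf"  || return 1      # install the ruleset
    pfctl -e 2>/dev/null || true       # enable; non-zero if already enabled
    pf_has_rules "$(pfctl -sa)"        # 0 only if rules are really active
}

# Offline self-check against the constructed samples.
pf_selfcheck() {
    ! pf_has_rules "$PF_SA_EMPTY" && pf_has_rules "$PF_SA_LOADED"
}
```

Run `pf_load_and_verify` after editing the ruleset; a non-zero exit means pf is not filtering with the rules you think it has.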