From owner-freebsd-questions@FreeBSD.ORG Tue Sep 18 17:39:18 2007
From: Agus
To: freebsd-questions@freebsd.org
Date: Tue, 18 Sep 2007 14:39:16 -0300
Subject: Re: How to add rule with pfctl...
References: <200709152336.27214.fbsd.questions@rachie.is-a-geek.net> <46EEB13C.4020509@kinetix.gr> <20070918031323.GA46854@idoru.cepheid.org>

2007/9/18, Agus:
>
> 2007/9/18, Erik Osterholm:
> >
> > On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
> > > Agus wrote:
> > > >
> > > > 2007/9/15, Mel:
> > > > >
> > > > > On Saturday 15 September 2007 23:18:17 Agus wrote:
> > > > > >
> > > > > > I am trying to figure out how to add a firewall rule with pfctl...
> > > > > > This is what I'm trying to do...
> > > > > >
> > > > > > I've got SEC that matches a certain pattern and takes the IP from
> > > > > > that and want to trigger a firewall rule to block that IP...
> > > > > > Then after a couple of hours SEC will trigger the command to
> > > > > > un-block the IP...
> > > > > > So what I need is the command to block an IP address from the
> > > > > > command line, not touching any pf.conf...
> > > > >
> > > > > If you don't need to add a rule but an IP, then tables are your
> > > > > friend. Example for /etc/pf.conf:
> > > > >
> > > > > # Placeholder for spammers table, non-routable network IP.
> > > > > table <spammers> persist { 192.168.111.111 }
> > > > > # Block this traffic
> > > > > block return-rst in log on $ext_if proto tcp from <spammers> to port smtp
> > > > >
> > > > > Then on the command line:
> > > > > /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> > > > > And to delete:
> > > > > /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
> > > > >
> > > > > --
> > > > > Mel
> > > > > _______________________________________________
> > > > > freebsd-questions@freebsd.org mailing list
> > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> > > >
> > > > Hi,
> > > > I put this on /etc/pf.conf
> > > > external_addr="192.168.1.11" which is the address of the only
> > > > interface. This machine isn't a router.
> > > >
> > > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > > > $external_addr port ssh
> > > >
> > > > but when I try to connect from 192.168.0.1 I connect with no
> > > > problems... this rule is to block access..
> > > > What am I doing wrong.. it's my first time with pf...
> > > >
> > > > Thanks...
> > >
> > > 2007/9/17, Goltsios Theodore:
> > > > Well I think that you mean to add this:
> > > >
> > > > ext_if="rl0" # Or whatever your interface is, ifconfig helps to find out
> > > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
> > > > port ssh
> > > >
> > > > or even:
> > > > ext_if="rl0"
> > > > external_addr="192.168.1.11"
> > > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > > > $external_addr port ssh
> > > >
> > > > Think of macros as variables. As long as you don't define them they
> > > > don't exist (are empty).
> > >
> > > I know Theodore, I've done it exactly like you put it... first declare
> > > macros and then the rule...
> > > but I couldn't block access to the machine... this rule is supposed to
> > > block all access to port 22 on the machine coming from 192.168.0.1...
> > > but I can access from there...
> > >
> > > I checked pfctl -e
> > > pfctl -sa
> > >
> > > and everything seems to be loaded...
> > >
> > > Thanks...
> >
> > Are you sure that you're trying to block only from a specific host?
> > The source address shouldn't change, even if you're doing nat. I
> > would assume that you'd want an 'any' keyword there, rather than a
> > specific IP address.
> >
> > Also, you can add hosts to the table automatically based on number of
> > connections over a given period of time:
> >
> > block quick from <blackhole>
> > pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep
> > state (max-src-conn-rate 5/30, overload <blackhole> flush global)
> >
> > The first rule blocks hosts from the blackhole table. The second adds
> > hosts to the blackhole table and kills their state if they connect
> > more than 5 times in 30 seconds. This is obviously tunable-- 3/30
> > would be 3 connections in 30 seconds, and 8/60 would be 8 connections
> > in 60 seconds.
> >
> > Erik
>
> Thanks Erik, that was very helpful, especially the conn-rate...
> First I already tried the table rule... but as I wasn't getting any results
> I figured I'd try first only with a simple rule to see if it works and to
> make the question less ambiguous... that's why I posted this rule... I want
> to block from a specific host, which if I make this rule work will be a
> list of hosts in a table.. and instead of blocking them because of their
> conn-rate I will block them by a SEC rule reading from syslog...
>
> and I put that IP to block because it's my router's IP (192.168.0.1) and when
> I try to connect from my PC (192.168.0.2) to my server (192.168.1.11) I
> would want it to block me.. just for testing... but I can't do it... my
> router has NAT so that's why I am blocking its IP and not my PC...
>
> Hope it's understandable...
>
> Thanks a lot...

Guys, thanks a lot and sorry... I solved it... it was my mistake... I had
defined my interface with a typo... instead of "i" I had put "y"... I fixed it
and now it works great... but I'd like to thank all of you guys and tell you
that all the tips you gave me I will be putting into practice, and they are
very useful... thanks
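Mel's table approach and Erik's overload rule, combined into the SEC-driven block/unblock wrapper that Agus describes, as an added example that is not code posted by anyone in the thread. The /sbin/pfctl path, the table name spammers, the script name pfblock.sh and a pf.conf that already defines ext_if are assumptions; the point of the wrapper is that an address pulled out of a syslog line is validated before it is handed to pfctl.

```shell
#!/bin/sh
# Added example, not code from the thread: wrapper that SEC can call to add or
# remove one address in a pf table, validating the address first. Paths, the
# table name and the script name pfblock.sh are assumptions.
PFCTL="${PFCTL:-/sbin/pfctl}"   # assumed stock FreeBSD location
TABLE="${TABLE:-spammers}"      # table name from Mel's pf.conf example

# Constructed pf.conf fragment combining the thread's two ideas: a persistent
# table SEC feeds, plus Erik's rate-based overload into the same table.
# Assumes ext_if is defined as a macro earlier in pf.conf.
print_pf_rules() {
    cat <<'EOF'
table <spammers> persist
block quick from <spammers>
pass in on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <spammers> flush global)
EOF
}

# Accept only a dotted-quad IPv4 address (four decimal octets 0-255, no leading
# zeros) so text lifted from a syslog line cannot smuggle extra pfctl
# arguments or an unintended network into the table.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Build the exact pfctl command for an action (add|del) and address so it can
# be logged and inspected; prints nothing and returns 1 if either is bad.
pf_table_cmd() {
    case $1 in add|del) ;; *) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    printf '%s -t %s -T %s %s\n' "$PFCTL" "$TABLE" "$1" "$2"
}

# SEC action on a match: "pfblock.sh add 203.0.113.7"; the delayed un-block
# a couple of hours later: "pfblock.sh del 203.0.113.7".
pf_table_apply() {
    cmd=$(pf_table_cmd "$1" "$2") || { echo "refused: $1 '$2'" >&2; return 1; }
    logger -t pfblock "$cmd"   # audit trail in syslog
    $cmd
}
case $0 in *pfblock.sh) pf_table_apply "$@" ;; esac   # no-op when sourced
```

The table must be declared with `persist` (as in Mel's example) or pf drops it once it is empty, and the SEC-added entries do not survive a reboot unless the script is re-run or the table is also flushed and reloaded at boot.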