From owner-freebsd-questions@FreeBSD.ORG Sat Feb 21 16:37:10 2015
From: "Godfrey Hamshire"
To: "FreeBSD Users" <freebsd-questions@freebsd.org>
Subject: Help requested with pf.conf firewall script
Date: Sat, 21 Feb 2015 18:29:29 +0200
Message-ID: <0B6F89C4C603445FA59AEB72931207A0@workstation>
Help requested with pf.conf

Hello

I would be most grateful if some kind member could assist me. I am in the process of setting up a mail/web server etc. I want to be able to block IPs that try brute force attacks and those that try and break in using hundreds of usernames and passwords.

I found this set of rules as set out below. They are not mine but belong to K.Andreev, and there is nothing wrong with them; I just want to be able to ping and traceroute from the server and can't.

I have tried all sorts of combinations with the last line, from various sites via Google, and can't get it to ping or any of that stuff. Not being too clued up on this aspect, I am asking for assistance.

This is what I am getting when I try to ping:

PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

If, to save a lot of hassle, the reader of this has a working pf.conf that allows blocking of IPs that endlessly try to break in, or one I can add troublesome IPs to a table to, that would be really cool.

Here is the rule set I am asking for help with.

Thank you for your time, trouble and help; it will be appreciated.

Kind regards
Godfrey

# pf config - K.Andreev 20140604
ext_if = "vr0"

set loginterface $ext_if
set skip on lo

# The table names did not survive the mail (the angle brackets were stripped);
# <bruteforce> and <blocked> are placeholders, substitute your own names.
# <bruteforce> is filled automatically by the overload on the ssh rule below;
# <blocked> is hand-maintained and loaded from /etc/blocked_subnets.
table <bruteforce> persist
table <blocked> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"

# Default deny, then drop anything to or from the block lists before any pass rule.
block all
block in log quick on $ext_if from <blocked> to any
block out log quick on $ext_if from any to <blocked>
block quick from <bruteforce>

# ssh with brute-force limits: a source that exceeds 15 open connections, or
# 5 new connections within 3 seconds, is added to <bruteforce> and its existing
# states are flushed. flags and the max-src-conn options are TCP-only (and ssh
# is TCP anyway), so the original "{ tcp, udp }" is written as "tcp" here.
pass quick proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# No direction is given, so this passes TCP to these ports both in and out.
pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
# FreeBSD traceroute(8) sends UDP probes to ports counting up from 33434 (one per
# probe; the default 64 hops x 3 probes reach 33626), which udp_pass does not
# cover. Either allow them as below or run "traceroute -I" to use ICMP echo.
pass out on $ext_if proto udp to any port 33434:33626 keep state
# Echo request and reply in both directions, which is what ping needs.
pass inet proto icmp from any to any keep state
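As an added example, not part of Godfrey's post or K.Andreev's ruleset: a small POSIX shell helper that mines an sshd auth log for repeat offenders and queues them for the file-backed table that the ruleset loads from /etc/blocked_subnets, which is the "add troublesome IPs to a table" part of the request. The log lines are constructed, the table name "blocked" is an assumption (the post's table names did not survive), and the pfctl command is only printed, never executed.

```shell
#!/bin/sh
# Constructed FreeBSD /var/log/auth.log excerpt (TEST-NET addresses), not real traffic.
SAMPLE_AUTH_LOG='Feb 21 18:20:01 mail sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 21 18:20:03 mail sshd[4014]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Feb 21 18:20:04 mail sshd[4016]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb 21 18:20:07 mail sshd[4018]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Feb 21 18:21:10 mail sshd[4020]: Failed password for godfrey from 198.51.100.7 port 40011 ssh2
Feb 21 18:21:15 mail sshd[4020]: Accepted publickey for godfrey from 198.51.100.7 port 40011 ssh2
Feb 21 18:22:40 mail sshd[4030]: Invalid user pi from 192.0.2.9 port 33001'

# Read sshd log lines on stdin; print every source address with at least $1
# "Failed password" entries (default 5), busiest first. The address is taken
# from the fixed tail "from ADDR port N ssh2", so usernames cannot confuse it.
brute_force_sources() {
    awk -v threshold="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / { hits[$(NF - 3)]++ }
        END { for (ip in hits) if (hits[ip] >= threshold) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn | awk '{ print $2 }'
}

# Append the addresses given as arguments to the table file (one entry per line,
# the format "table ... persist file" reads), skipping duplicates, and print the
# pfctl command that reloads the table. "blocked" is an assumed table name.
queue_for_blocked_table() {
    file="$1"; shift
    for ip in "$@"; do
        grep -qx "$ip" "$file" 2>/dev/null || printf '%s\n' "$ip" >> "$file"
    done
    printf 'pfctl -t blocked -T replace -f %s\n' "$file"
}

# Typical use on the server:
#   offenders=$(brute_force_sources 5 < /var/log/auth.log)
#   queue_for_blocked_table /etc/blocked_subnets $offenders
```

Entries the overload rule adds to the brute-force table are not persisted, so they are normally aged out with `pfctl -t <table> -T expire <seconds>` from cron rather than kept forever.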