Date: Sat, 21 Feb 2015 11:04:20 -0600
From: cpet <cpet@sdf.org>
To: Godfrey Hamshire <freebsdlist@compudoc.za.net>
Cc: FreeBSD Users <freebsd-questions@freebsd.org>, owner-freebsd-questions@freebsd.org
Subject: Re: Help requested with pf.conf firewall script
Message-ID: <13b50b972e8554f9dd31e139fb1bea26@sdf.org>
In-Reply-To: <0B6F89C4C603445FA59AEB72931207A0@workstation>
References: <0B6F89C4C603445FA59AEB72931207A0@workstation>
On 2015-02-21 10:29, Godfrey Hamshire wrote:
> Help requested with pf.conf
>
> Hello
>
> I would be most grateful if some kind member could assist me.
>
> I am in the process of setting up a mail/web server etc.
>
> I want to be able to block IPs that try brute force attacks and those
> that try and break in using hundreds of usernames and passwords.
>
> I found this set of rules as set out below, they are not mine but
> belong to K.Andreev, there is nothing wrong with them, I just want to
> be able to ping and traceroute from the server and can't.
>
> I have tried all sorts of combinations with the last line, from various
> sites via google and can't get it to ping or any of that stuff. Not
> being too clued up on this aspect I am asking for assistance.
>
> This is what I am getting when I try to ping.
>
> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
> ping: sendto: No route to host
> ping: sendto: No route to host
>
> If, to save a lot of hassle, the reader of this has a working pf.conf
> that allows blocking of IPs that endlessly try to break in, or one I
> can add troublesome IPs to a table to, that would be really cool.
>
> Here is the rule set I am asking for help with.
>
> Thank you for your time, trouble and help; it will be appreciated.
>
> Kind regards
>
> Godfrey
>
>
> # pf config - K.Andreev 20140604
>
> ext_if = "vr0"
>
> set loginterface $ext_if
>
> set skip on lo
>
> table <bruteforce> persist
>
> table <blocked_subnets> persist file "/etc/blocked_subnets"
>
> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
>
> udp_pass = "{ 21 53 }"
>
> block all
>
> block in log quick on $ext_if from <blocked_subnets> to any
> block out log quick on $ext_if from any to <blocked_subnets>
>
> block quick from <bruteforce>
>
> pass quick proto { tcp, udp } from any to any port ssh \
>       flags S/SA keep state \
>       (max-src-conn 15, max-src-conn-rate 5/3, \
>       overload <bruteforce> flush global)
>
> pass log on $ext_if proto tcp to any port $tcp_pass keep state
>
> pass out on $ext_if proto udp to any port $udp_pass keep state
>
> pass inet proto icmp from any to any keep state

You need to add a rule for ICMP. I do this:

icmptypes="{echoreq,unreach}"

pass in on $ext_if inet proto icmp all icmp-type $icmptypes

so that fixes your ping issue.

For brutes I do this only for SSH:

brutes="{22, 6015}"

pass in on $ext_if inet proto tcp from any to any port $brutes flags S/SA keep state (max-src-conn 3, max-src-conn-rate 3/10, overload <bruteforce> flush global)

Hope this helps you.
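For readers who want the two halves of this thread in one place, here is a consolidated rule set. It is an added example, not the config of either poster or of K.Andreev: it keeps the original structure and port lists, folds in the reply's ICMP and SSH overload rules, gives every pass rule an explicit direction, and adds the ICMP types and UDP port range that traceroute(8) needs to work from the server itself. The interface name, the SSH thresholds and the traceroute port range are assumptions; UDP port 21 was dropped from udp_pass because FTP control traffic is TCP.

```pf
# Added example (not the thread's own config): the K.Andreev rule set with
# the ICMP handling from the reply made explicit in both directions.
# vr0, the thresholds and the traceroute range are assumptions; adjust.
ext_if = "vr0"

set loginterface $ext_if
set skip on lo

# <bruteforce> is filled by the overload clause below; <blocked_subnets>
# is loaded from a file you maintain by hand (one address or CIDR per line)
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass  = "{ 21 22 25 26 53 80 443 587 993 995 10000 }"
udp_pass  = "{ 53 }"
# ICMP accepted unsolicited from outside: ping requests, plus the
# unreachable and time-exceeded messages that path MTU discovery and
# traceroute hops answer with
icmptypes = "{ echoreq, unreach, timex }"
# UDP probe range used by a default traceroute(8) run (base port 33434)
trace_ports = "33434:33534"

# default deny; everything below is an explicit exception
block all

block in  log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>
block quick from <bruteforce>

# SSH: at most 3 simultaneous connections per source address and at most
# 3 new connections per 10 seconds. A source exceeding either limit is
# added to <bruteforce> and all of its existing states are flushed.
# This rule must come before the generic $tcp_pass rule, which would
# otherwise match port 22 first without any limits.
pass in quick on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/10, \
     overload <bruteforce> flush global)

# service ports, inbound and outbound as in the original rule set
pass log on $ext_if inet proto tcp to any port $tcp_pass flags S/SA keep state
pass out on $ext_if inet proto udp to any port $udp_pass keep state

# traceroute probes from this host; the state entry lets the replies back
pass out on $ext_if inet proto udp to any port $trace_ports keep state

# inbound ICMP restricted by type; outbound ICMP (ping from the server)
# unrestricted, with state so the echo replies are admitted
pass in  on $ext_if inet proto icmp all icmp-type $icmptypes keep state
pass out on $ext_if inet proto icmp all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The overload table is visible with `pfctl -t bruteforce -T show`; `pfctl -t bruteforce -T expire 86400` drops entries older than a day, and `pfctl -t bruteforce -T delete 192.0.2.10` releases a single address (that address is a documentation placeholder). Two caveats worth knowing before relying on this: `max-src-conn 3` counts concurrent connections, so an administrator who opens several SSH sessions from one address can trip it, and `flush global` then kills every state from that address, not just the SSH ones. If that is a risk for you, put your own addresses in a separate persistent table and pass them with a `quick` rule placed above the overload rule.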