From owner-freebsd-questions@FreeBSD.ORG Sat Feb 21 17:04:34 2015
Date: Sat, 21 Feb 2015 11:04:20 -0600
From: cpet
To: Godfrey Hamshire
Cc: FreeBSD Users, owner-freebsd-questions@freebsd.org
Subject: Re: Help requested with pf.conf firewall script
In-Reply-To: <0B6F89C4C603445FA59AEB72931207A0@workstation>
References: <0B6F89C4C603445FA59AEB72931207A0@workstation>
Message-ID: <13b50b972e8554f9dd31e139fb1bea26@sdf.org>
List-Id: User questions

On 2015-02-21 10:29, Godfrey Hamshire wrote:
> Help requested with pf.conf
>
> Hello
>
> I would be most grateful if some kind member could assist me.
>
> I am in the process of setting up a mail/web server etc.
>
> I want to be able to block IPs that try brute force attacks and those
> that try and break in using hundreds of usernames and passwords.
>
> I found this set of rules as set out below. They are not mine but
> belong to K.Andreev; there is nothing wrong with them, I just want to
> be able to ping and traceroute from the server and can't.
>
> I have tried all sorts of combinations with the last line, from various
> sites via Google, and can't get it to ping or any of that stuff. Not
> being too clued up on this aspect, I am asking for assistance.
>
> This is what I am getting when I try to ping.
>
> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
> ping: sendto: No route to host
> ping: sendto: No route to host
>
> If, to save a lot of hassle, the reader of this has a working pf.conf
> that allows blocking of IPs that endlessly try to break in, or one I
> can add troublesome IPs to a table to, that would be really cool.
>
> Here is the rule set I am asking for help with.
>
> Thank you for your time, trouble and help; it will be appreciated.
>
> Kind regards
>
> Godfrey
>
>
> # pf config - K.Andreev 20140604
>
> ext_if = "vr0"
>
> set loginterface $ext_if
>
> set skip on lo
>
> table persist
>
> table persist file "/etc/blocked_subnets"
>
> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
>
> udp_pass = "{ 21 53 }"
>
> block all
>
> block in log quick on $ext_if from to any
> block out log quick on $ext_if from any to
>
> block quick from
>
> pass quick proto { tcp, udp } from any to any port ssh \
>     flags S/SA keep state \
>     (max-src-conn 15, max-src-conn-rate 5/3, \
>     overload flush global)
>
> pass log on $ext_if proto tcp to any port $tcp_pass keep state
>
> pass out on $ext_if proto udp to any port $udp_pass keep state
>
> pass inet proto icmp from any to any keep state

You need to add a rule for ICMP. I do this:

icmptypes="{echoreq,unreach}"
pass in on $ext_if inet proto icmp all icmp-type $icmptypes

So that fixes your ping issue.

For brutes I do this, only for SSH:

brutes="{22, 6015}"
pass in on $ext_if inet proto tcp from any to any port $brutes flags S/SA keep state (max-src-conn 3, max-src-conn-rate 3/10, overload flush global)

Hope this helps you.
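A fuller pf.conf that puts cpet's two rules into the posted ruleset, added here as an example (it is not from either message or from K.Andreev's config); the table names <bruteforce> and <blocked> are assumptions, since the original post's table names did not survive, and the traceroute rule goes beyond what the reply covers.

```pf
# Added example, not from either message. ext_if/tcp_pass/udp_pass are the
# original post's macros; <bruteforce> and <blocked> are assumed table names.
ext_if = "vr0"
tcp_pass = "{ 21 22 25 26 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"
icmp_types = "{ echoreq, unreach }"

# <bruteforce> is filled automatically by the overload rule below;
# <blocked> is hand-maintained and reloaded from disk when pf starts.
table <bruteforce> persist
table <blocked> persist file "/etc/blocked_subnets"

set loginterface $ext_if
set skip on lo
block all

# Tables are checked first and with "quick", so a listed host never
# reaches the pass rules, and the server cannot talk back to it either.
block in log quick on $ext_if from <bruteforce> to any
block in log quick on $ext_if from <blocked> to any
block out log quick on $ext_if from any to <bruteforce>
block out log quick on $ext_if from any to <blocked>

# SSH: at most 3 connections per source and 3 new ones per 10 s.
# A source that exceeds this is added to <bruteforce> and its existing
# states are flushed, so a session already in progress is cut as well.
pass in on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/10, \
     overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from any to any port $tcp_pass keep state
pass out on $ext_if inet proto udp from any to any port $udp_pass keep state

# Answer pings and let the server send its own. "keep state" on the
# outbound rule is what lets the echo replies (and the ICMP errors for
# the UDP probes below) come back without a separate inbound rule.
pass in  on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto icmp all keep state

# traceroute(8) sends UDP probes to port 33434 and upward (one port per
# probe: 64 hops * 3 probes with the defaults), which udp_pass does not cover.
pass out on $ext_if inet proto udp from any to any port 33434:33625 keep state

# Day-to-day table handling (run as root; 192.0.2.0/24 is a documentation range):
#   pfctl -nf /etc/pf.conf                  syntax check before loading
#   pfctl -t bruteforce -T show             who has been caught
#   pfctl -t blocked -T add 192.0.2.0/24    block a subnet by hand
#   pfctl -t bruteforce -T expire 86400     drop entries older than a day
```

The expire command is meant for a periodic cron job, so a source that tripped the limit once is not blocked forever while <blocked> stays under manual control.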