From owner-freebsd-questions@FreeBSD.ORG Sat Feb 21 17:38:54 2015
From: "Godfrey Hamshire"
To: "cpet"
Cc: FreeBSD Users
Subject: Re: Help requested with pf.conf firewall script
Date: Sat, 21 Feb 2015 19:38:44 +0200
Message-ID: <4BEB8E7696364873B9303FB8B728810A@workstation>
References: <0B6F89C4C603445FA59AEB72931207A0@workstation> <13b50b972e8554f9dd31e139fb1bea26@sdf.org>
Hello,

Thank you for your assistance. Your suggestion works very well for ping; however, for traceroute I get this:

traceroute to dns.cdoc.co.za (41.185.26.52), 64 hops max, 40 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote dns.cdoc.co.za 40 chars, ret=-1
^C
root@32.165 ~ # ping dns.cdoc.co.za
PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
64 bytes from 41.185.26.52: icmp_seq=0 ttl=61 time=46.018 ms
64 bytes from 41.185.26.52: icmp_seq=1 ttl=61 time=46.607 ms
^C

I have pasted at the bottom of this message the revised rule set in case I missed the plot somewhere.

Thank you so much for your help.

Regards
Godfrey

# pf config - K.Andreev 20140604
ext_if = "vr0"
icmptypes="{echoreq,unreach}"

set loginterface $ext_if
set skip on lo

# Note: the table names between angle brackets were stripped when this
# message was archived; <bruteforce> and <blocked_subnets> below are
# assumed names, chosen to match the file path and the overload rule.
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
udp_pass = "{ 21 53 }"

block all

block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>

block quick from <bruteforce>

pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
pass in on $ext_if inet proto icmp all icmp-type $icmptypes
pass inet proto icmp from any to any keep state

----- Original Message -----
From: "cpet"
To: "Godfrey Hamshire"
Cc: "FreeBSD Users"
Sent: Saturday, February 21, 2015 7:04 PM
Subject: Re: Help requested with pf.conf firewall script

> On 2015-02-21 10:29, Godfrey Hamshire wrote:
>> Help requested with pf.conf
>>
>> Hello
>>
>> I would be most grateful if some kind member could assist me.
>>
>> I am in the process of setting up a mail/web server etc.
>>
>> I want to be able to block IPs that try brute force attacks and those
>> that try and break in using hundreds of usernames and passwords.
>>
>> I found this set of rules as set out below. They are not mine but
>> belong to K.Andreev; there is nothing wrong with them, I just want to
>> be able to ping and traceroute from the server and can't.
>>
>> I have tried all sorts of combinations with the last line, from various
>> sites via Google, and can't get it to ping or any of that stuff. Not
>> being too clued up on this aspect I am asking for assistance.
>>
>> This is what I am getting when I try to ping.
>>
>> PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
>> ping: sendto: No route to host
>> ping: sendto: No route to host
>>
>> If, to save a lot of hassle, the reader of this has a working pf.conf
>> that allows blocking of IPs that endlessly try to break in, or one I
>> can add troublesome IPs to a table to, that would be really cool.
>>
>> Here is the rule set I am asking for help with.
>>
>> Thank you for your time, trouble and help; it will be appreciated.
>>
>> Kind regards
>>
>> Godfrey
>>
>> # pf config - K.Andreev 20140604
>>
>> ext_if = "vr0"
>>
>> set loginterface $ext_if
>> set skip on lo
>>
>> # Table names were stripped from the archived message; <bruteforce>
>> # and <blocked_subnets> are assumed names.
>> table <bruteforce> persist
>> table <blocked_subnets> persist file "/etc/blocked_subnets"
>>
>> tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000}"
>> udp_pass = "{ 21 53 }"
>>
>> block all
>>
>> block in log quick on $ext_if from <blocked_subnets> to any
>> block out log quick on $ext_if from any to <blocked_subnets>
>>
>> block quick from <bruteforce>
>>
>> pass quick proto { tcp, udp } from any to any port ssh \
>>     flags S/SA keep state \
>>     (max-src-conn 15, max-src-conn-rate 5/3, \
>>     overload <bruteforce> flush global)
>>
>> pass log on $ext_if proto tcp to any port $tcp_pass keep state
>> pass out on $ext_if proto udp to any port $udp_pass keep state
>> pass inet proto icmp from any to any keep state
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> You need to add a rule for ICMP. I do this:
>
> icmptypes="{echoreq,unreach}"
> pass in on $ext_if inet proto icmp all icmp-type $icmptypes
>
> so that fixes your ping issue.
>
> For brutes I do this, only for SSH:
> brutes="{22, 6015}"
> # overload table name stripped in archiving; <bruteforce> is assumed
> pass in on $ext_if inet proto tcp from any to any port $brutes flags S/SA \
>     keep state (max-src-conn 3, max-src-conn-rate 3/10, overload <bruteforce> \
>     flush global)
>
> Hope this helps you.
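The traceroute failure quoted above comes from the outbound UDP rule, not from ICMP. The fragment below is an added illustration, not code from the thread or from K.Andreev's ruleset; it shows the posted rule beside a fix and assumes FreeBSD traceroute(8)'s default behaviour (UDP probes to destination ports counting up from 33434, 64 hops times 3 probes) and the thread's `vr0` interface.

```pf
# Added example: why "traceroute: sendto: Operation not permitted" appears
# under the posted ruleset, and a narrow fix. Assumes FreeBSD traceroute(8)
# defaults: UDP probes, one destination port per probe, starting at 33434;
# 64 hops x 3 probes = 192 ports, so 33434 through 33625.
ext_if = "vr0"
udp_pass = "{ 21 53 }"
trace_ports = "33434:33625"

block all

# Posted rule: only outbound UDP to ports 21 and 53 passes. Each traceroute
# probe to 334xx falls through to "block all", and pf rejects the outbound
# packet with EPERM, which traceroute reports as the sendto() error above.
pass out on $ext_if inet proto udp to any port $udp_pass keep state

# Fix: pass the probes out with state. The returning ICMP "time exceeded"
# and "port unreachable" errors quote the probe and are matched to this
# state, so the inbound icmp-type list does not need to grow. This widens
# outbound UDP only; nothing inbound is opened.
pass out on $ext_if inet proto udp to any port $trace_ports keep state

# Alternative with no new rule: "traceroute -I" uses ICMP echo probes, which
# the ruleset's "pass inet proto icmp from any to any keep state" already
# covers. Check syntax before loading with: pfctl -nf /etc/pf.conf
```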