Date: Thu, 9 Jun 2005 03:18:05 -0700
From: Matt Rechkemmer <tiberius@trancell.org>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf block question
Message-ID: <20050609101805.GA11341@sdf.lonestar.org>
In-Reply-To: <20050607105030.GA44218@orion.daedalusnetworks.priv>
References: <20050607064323.GA29038@sdf.lonestar.org> <20050607105030.GA44218@orion.daedalusnetworks.priv>
On Tue, Jun 07, 2005 at 01:50:30PM +0300, Giorgos Keramidas wrote:
> We'd have to see the entire ruleset and a tcpdump of traffic that passes
> through to know what's wrong.
>
> - Giorgos

Here are the rules as taken from pfctl -sr. I can also provide a copy of
pf.conf, if needed. The user's host is in the "badhosts" table. I've
changed the first three octets of my IPs, for privacy reasons. The
intruder's IP in the tcpdump has also been masked.

***sorry about the word wrap***

scrub in all fragment reassemble
block drop on fxp0 from <badhosts> to any
block drop all
pass out quick on lo0 all
pass in quick on lo0 all
pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.70 port = ssh keep state
pass in quick on fxp0 inet6 proto tcp from <owners> to fe80::211:11ff:fe47:1980 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.161 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.162 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.163 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.164 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.165 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.166 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.167 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.168 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.169 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.170 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.171 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.172 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.173 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.174 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.175 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.176 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.177 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.178 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.179 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.180 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.181 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.182 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.183 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.184 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.185 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.186 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.187 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.188 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.189 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.190 port = ssh keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = smtp keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto udp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.163 port = http keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = pop3s keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.161 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from <owners> to 1.3.3.168 port = afs3-fileserver keep state
pass out on fxp0 all keep state

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
03:17:04.793303 IP my.host.com > attacker.host.com: icmp 64: echo request seq 0
03:17:04.823353 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 0
03:17:05.801745 IP my.host.com > attacker.host.com: icmp 64: echo request seq 1
03:17:05.832149 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 1

Thanks,

-- 
Matt Rechkemmer
tiberius@trancell.org
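Added illustration, not part of Matt's message and not pf itself: a small Python model of pf's evaluation order, using the same relative order as the posted rules (a non-quick "block drop ... from <badhosts>" followed by non-quick "pass ... icmp ... keep state" rules). It shows that without "quick" the later matching pass rule overrides the earlier block, and that a reply to a ping the firewall host itself sent (as in the tcpdump above) is admitted by the state table before any rule is consulted. The addresses, the rule subset and the simplified state key (real pf keys ICMP state on the ICMP id as well) are constructed assumptions.

```python
# Constructed model of pf rule evaluation (not pf itself): the last matching
# rule wins unless a matching rule is 'quick'; a state-table hit skips the rules.
from dataclasses import dataclass, field
BADHOSTS = {"203.0.113.9"}   # stands in for the <badhosts> table (constructed)

@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool = False
    direction: str = ""    # "in", "out", or "" for both
    proto: str = ""        # "icmp", "tcp", ... or "" for any
    src: str = "any"       # "any" or "<badhosts>"
    keep_state: bool = False
    def matches(self, direction, proto, src):
        return ((not self.direction or self.direction == direction)
                and (not self.proto or self.proto == proto)
                and (self.src == "any" or src in BADHOSTS))

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (proto, src, dst), simplified
    def filter(self, direction, proto, src, dst):
        # pf consults the state table before the ruleset; either direction matches.
        if (proto, src, dst) in self.states or (proto, dst, src) in self.states:
            return "pass (state)"
        last = None
        for r in self.rules:
            if r.matches(direction, proto, src):
                last = r
                if r.quick:          # 'quick' ends evaluation at this rule
                    break
        if last is None or last.action == "block":
            return "block"
        if last.keep_state:
            self.states.add((proto, src, dst))
        return "pass"

def posted_order(block_quick=False):
    # Same relative order as the posted ruleset; the posted badhosts rule is not quick.
    return Firewall([Rule("block", quick=block_quick, src="<badhosts>"), Rule("block"),
                     Rule("pass", direction="out", proto="icmp", keep_state=True),
                     Rule("pass", direction="in", proto="icmp", keep_state=True)])

def inbound_ping_from_badhost(block_quick=False):
    return posted_order(block_quick).filter("in", "icmp", "203.0.113.9", "192.0.2.70")

def ping_badhost_then_reply(block_quick=False):
    fw = posted_order(block_quick)   # the firewall host pings the bad host, as in the tcpdump
    out = fw.filter("out", "icmp", "192.0.2.70", "203.0.113.9")
    return out, fw.filter("in", "icmp", "203.0.113.9", "192.0.2.70")
```

inbound_ping_from_badhost() returns "pass" with the posted order and "block" once the badhosts rule is quick; ping_badhost_then_reply() returns ("pass", "pass (state)") either way, because the outbound echo request creates the state that admits the reply.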