Date:      Sat, 21 Feb 2015 18:29:29 +0200
From:      "Godfrey Hamshire" <freebsdlist@compudoc.za.net>
To:        "FreeBSD Users" <freebsd-questions@freebsd.org>
Subject:   Help requested with pf.conf firewall script
Message-ID:  <0B6F89C4C603445FA59AEB72931207A0@workstation>

Help requested with pf.conf

Hello

I would be most grateful if some kind member could assist me.

I am in the process of setting up a mail/web server etc.

I want to be able to block IPs that try brute-force attacks and those that try to break in using hundreds of usernames and passwords.

I found this set of rules as set out below; they are not mine but belong to K.Andreev. There is nothing wrong with them, I just want to be able to ping and traceroute from the server and can't.

I have tried all sorts of combinations with the last line, from various sites via Google, and can't get it to ping or any of that stuff. Not being too clued up on this aspect, I am asking for assistance.

This is what I am getting when I try to ping.

PING dns.cdoc.co.za (41.185.26.52): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

If, to save a lot of hassle, the reader of this has a working pf.conf that allows blocking of IPs that endlessly try to break in, or one where I can add troublesome IPs to a table, that would be really cool.

Here is the rule set I am asking for help with

Thank you for your time, trouble and help; it will be appreciated.

Kind regards

Godfrey




# pf config - K.Andreev 20140604

ext_if = "vr0"

set loginterface $ext_if
set skip on lo

# <bruteforce> is filled automatically by the overload rule below (it is
# emptied on reboot); <blocked_subnets> is a hand-maintained list, one
# address or CIDR block per line in /etc/blocked_subnets.
table <bruteforce> persist
table <blocked_subnets> persist file "/etc/blocked_subnets"

tcp_pass = "{ 21 22 26 25 53 80 443 587 993 995 10000 }"
udp_pass = "{ 21 53 }"

# Default deny. pf is last-match-wins, so a later "pass" overrides this
# unless an earlier rule is marked "quick".
block all

block in log quick on $ext_if from <blocked_subnets> to any
block out log quick on $ext_if from any to <blocked_subnets>

block quick from <bruteforce>

# SSH is TCP only, and "flags" and the max-src-conn* options are TCP-only
# options, so the original "proto { tcp, udp }" has been narrowed to tcp.
# A source with more than 15 concurrent connections, or more than 5 new
# connections within 3 seconds, is added to <bruteforce> and all of its
# existing states are flushed.
pass quick proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# No direction given, so this passes TCP to these ports both inbound and
# outbound on $ext_if.
pass log on $ext_if proto tcp to any port $tcp_pass keep state

pass out on $ext_if proto udp to any port $udp_pass keep state

# Added to the original set: traceroute(8) on FreeBSD sends UDP probes to
# ports from 33434 upwards, which $udp_pass does not cover. The ICMP
# time-exceeded replies are let back in by the ICMP rule below.
pass out on $ext_if proto udp to any port 33434:33523 keep state

# Needed in both directions for ping: echo request out, echo reply back in
# via the state. If ping still fails, confirm this is the rule set actually
# loaded (pfctl -sr) and check the log interface (tcpdump -n -e -ttt -i pflog0).
pass inet proto icmp from any to any keep state





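The overload rule in the set above only catches sources that open many SSH connections quickly; a client that tries many passwords over a few long-lived connections never trips it. The script below is an added example, not part of the original post or of K.Andreev's rules: it counts sshd authentication failures per source address and prints the pfctl commands that put the offenders into the same <bruteforce> table. It assumes a FreeBSD host whose sshd logs the standard "Failed password for ..." and "Invalid user ..." messages to /var/log/auth.log, and a table named <bruteforce> declared "persist" in pf.conf; the log lines embedded here are constructed, not captured from a real host, and the commands are printed rather than executed.

```python
"""Turn repeated sshd login failures into pfctl table entries (added example).

Assumptions, not from the page: FreeBSD sshd messages in /var/log/auth.log
and a pf table <bruteforce> declared "persist". Commands are printed; pipe
them to sh(1) once checked, or run from cron with the allow list set.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample lines in the FreeBSD auth.log format (not a real capture).
SAMPLE_LOG = """\
Feb 21 17:58:01 mail sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 21 17:58:03 mail sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 21 17:58:05 mail sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 21 17:58:09 mail sshd[1240]: Invalid user admin from 203.0.113.7
Feb 21 17:58:10 mail sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb 21 17:59:30 mail sshd[1302]: Invalid user oracle from 198.51.100.23
Feb 21 17:59:31 mail sshd[1302]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Feb 21 18:01:12 mail sshd[1377]: Failed password for godfrey from 192.0.2.44 port 50012 ssh2
Feb 21 18:01:20 mail sshd[1377]: Accepted publickey for godfrey from 192.0.2.44 port 50012 ssh2
"""

# The username part is attacker-chosen, so ".*" is greedy on purpose: the
# address taken is the one sshd appends last, not text smuggled into a name.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)")


def source_of(line):
    """Return the validated source address of a failed login, or None."""
    for pattern in (FAILED_RE, INVALID_RE):
        m = pattern.search(line)
        if m:
            try:
                # Anything that is not a real address never reaches a shell command.
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                return None
    return None


def parse_failures(lines):
    """Count authentication failure events per source address."""
    counts = Counter()
    for line in lines:
        ip = source_of(line)
        if ip:
            counts[ip] += 1
    return counts


def offenders(counts, threshold=5, allow=frozenset()):
    """Addresses at or above the threshold, minus the allow list (your own
    admin addresses, so a typo in your password cannot lock you out)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def pfctl_commands(ips, table="bruteforce"):
    """Commands that add each address to the table and kill its live states.
    Adding to the table alone does not end connections pf already tracks."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


def main(argv):
    # usage: ban.py [/var/log/auth.log [allowed-ip ...]]; no file uses the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    allow = set(argv[2:])
    for cmd in pfctl_commands(offenders(parse_failures(lines), allow=allow)):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Entries added this way stay in the table until removed; a cron job running `pfctl -t bruteforce -T expire 86400` drops entries older than a day, and `pfctl -t bruteforce -T show` lists what is currently blocked. Validating the extracted address with ipaddress before building the command matters because sshd logs whatever username the client sent.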
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0B6F89C4C603445FA59AEB72931207A0>