From: Goltsios Theodore
Date: Mon, 17 Sep 2007 19:54:20 +0300
To: Agus, freebsd-questions@freebsd.org
Reply-To: support@kinetix.gr
Subject: Re: How to add rule with pfctl...
Message-ID: <46EEB13C.4020509@kinetix.gr>
References: <200709152336.27214.fbsd.questions@rachie.is-a-geek.net>

Well I think that you mean to add this:

    ext_if="rl0"   # Or whatever your interface is; ifconfig helps to find out
    block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh

or even:

    ext_if="rl0"
    external_addr="192.168.1.11"
    block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh

Think of macros as variables. As long as you don't define them, they don't exist (are empty).
Agus wrote:
> 2007/9/15, Mel:
>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>
>>> I am trying to figure out how to add a firewall rule with pfctl...
>>> This is what I'm trying to do...
>>>
>>> I've got SEC that matches certain pattern and takes the IP from that and
>>> want to trigger a firewall rule to block that IP....
>>> Then after a couple of hours SEC will trigger the command to un-block the
>>> IP...
>>> So what I need is the command to block an IP address from command line, not
>>> touching any pf.conf....
>>
>> If you don't need to add a rule but an IP, then tables are your friend.
>> Example for /etc/pf.conf:
>>
>>     # Placeholder for spammers table, non-routable network IP.
>>     table <spammers> persist { 192.168.111.111 }
>>     # Block this traffic
>>     block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>
>> Then on the command line:
>>
>>     /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>>
>> And to delete:
>>
>>     /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>
>> --
>> Mel
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> Hi,
> I put this on /etc/pf.conf
>
>     external_addr="192.168.1.11"
>
> which is the address of the only interface. This machine isn't a router.
>
>     block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>
> but when I try to connect from 192.168.0.1 I connect with no problems... this
> rule is to block access..
> What am I doing wrong.. is my first time with pf...
>
> Thanks...
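The table approach from Mel's reply, wired into a small wrapper that SEC can call, as an added example that is not code from the thread. It assumes the `<spammers>` table from Mel's pf.conf snippet, the `/sbin/pfctl` path from his commands, and a hypothetical install path `/usr/local/bin/pfblock.sh`. The part worth keeping is the address check: the IP comes straight out of a log line matched by SEC's pattern, so it is validated as a plain dotted quad before it is ever passed to pfctl. A `check` action runs `pfctl -n -f` so that a ruleset with an undefined macro (Agus's `$ext_if`) is reported when the file is parsed rather than discovered when the block rule turns out not to be in effect.

```sh
#!/bin/sh
# Added example (not from the thread): block/unblock one IPv4 address by adding it
# to or removing it from the pf table <spammers>, without touching /etc/pf.conf.
#
# Assumed /etc/pf.conf, based on Mel's reply (ext_if must be defined):
#   ext_if="rl0"
#   table <spammers> persist { 192.168.111.111 }
#   block return-rst in log on $ext_if proto tcp from <spammers> port smtp
#
# PFCTL and TABLE may be overridden from the environment (e.g. PFCTL=true for a dry run).
PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-spammers}

# is_ipv4 ADDR: succeed only if ADDR is exactly four decimal octets (0-255).
# The address is extracted from a log line, so anything else (shell
# metacharacters, hostnames, CIDR, IPv6, trailing junk) is rejected here.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, odd chars, leading/trailing/double dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*) return 1 ;;                   # leading zero: ambiguous (octal) notation
        esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_block ADDR / pf_unblock ADDR: add to or delete from the table.
# Returns 1 without running pfctl when ADDR fails validation.
pf_block() {
    is_ipv4 "$1" || { echo "pf_block: refusing invalid address: $1" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

pf_unblock() {
    is_ipv4 "$1" || { echo "pf_unblock: refusing invalid address: $1" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# pf_check_ruleset [FILE]: parse FILE without loading it (pfctl -n). An
# undefined macro such as $ext_if is reported here instead of leaving the
# admin to discover that the block rule never took effect.
pf_check_ruleset() {
    "$PFCTL" -n -f "${1:-/etc/pf.conf}"
}

main() {
    case $1 in
        block)   pf_block "$2" ;;
        unblock) pf_unblock "$2" ;;
        check)   pf_check_ruleset "$2" ;;
        *) echo "usage: $0 block|unblock ADDR | check [pf.conf]" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with arguments, e.g. from SEC:
#   /usr/local/bin/pfblock.sh block 192.168.0.1
#   /usr/local/bin/pfblock.sh unblock 192.168.0.1
[ $# -eq 0 ] || main "$@"
```

Because the table is declared `persist`, it survives even when it is empty, so `unblock` of the last address does not remove the table and the next `block` still has somewhere to go. Entries added with `pfctl -T add` live only in the running kernel state; they are not written back to pf.conf, which is exactly what Agus asked for.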