Date: Wed, 21 Jan 2009 05:08:41 -0800 (PST)
From: fbsdmail@dnswatch.com
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Subject: Re: basic rule request - allow_all/block_bad
Message-ID: <2bac2a6d6830391e797190f7a398e7e6.dnswclient@webmail.dnswatch.com>
In-Reply-To: <497382D3.8040408@quip.cz>
References: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com> <497382D3.8040408@quip.cz>
Greetings Miroslav, and thank you for your reply...

On Sun, January 18, 2009 11:28 am, Miroslav Lachman wrote:
> infos@dnswatch.com wrote:
>
>> Greetings,
>> I know very little about creating an initial pf.conf.
>> I know /very/ /much/ that I want/need PF, and will need a fair amount
>> of time to "tune" pf to work optimally for each server. BUT, in an effort
>> to get started, I'm hoping that some kind soul will provide me with a
>> very basic pf.conf that will not interrupt the current
>> application/server block policies I already have in place - which is to
>> say, I currently block at the application/server, but hope to merge
>> (transfer) them to PF. So, can anyone share a pf.conf that will
>> allow all, but block ALL_EVIL_IP requests on ALL ports? In other words,
>> if I only wanted to block (drop) ALL traffic coming from a /single/ IP
>> address, how would I do it? I have one (active) NIC in each of my
>> servers, and there are anywhere from 3 to 12 IPs aliased to them above
>> and beyond the IP assigned to the host itself. All addresses are fully
>> qualified, internet routable addresses (no internal/private IPs).
>>
>
> If you really need to block one IP, you can use the following simple ruleset:
>
> block in quick from 10.20.30.40 to any
> pass all
>
> If you need to block more than one address, or you need easy
> manipulation of a list of addresses, you can use tables in the ruleset:
>
> table <badguys> persist file "/etc/pf.badguys.table"
> block in quick from <badguys> to any
> pass all
>
> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs
> will be loaded at boot time. You can add / remove addresses on the fly with
> the pfctl command:
>
> pfctl -t badguys -T add 10.11.12.13
> pfctl -t badguys -T delete 10.11.12.13

Thank you. That's perfect!

I seem to be stumped on one last issue: all the information and pf.conf files provide for 2 interfaces - INT_IF and EXT_IF.
Assuming a single NIC (ethernet adapter), only Internet routable IP addresses, and a lo0 (loopback), how would I define/use the 2 IFs? Dummynet, maybe?

Thank you again for your thoughtful reply.

--Chris

> Miroslav Lachman
>
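The following is an added example, not part of the thread and not Miroslav's ruleset verbatim: a complete, minimal pf.conf for the situation Chris describes (one NIC carrying several public IPs, loopback only otherwise), built around the table-based rules quoted above. It assumes the interface is named em0 and keeps the thread's table file path /etc/pf.badguys.table; both are assumptions to adjust. The design point it makes is that a single-NIC host has no "internal" side, so only one interface macro is needed and the INT_IF/EXT_IF pattern from two-interface examples simply collapses to EXT_IF.

```pf
# Added example (not from the thread): minimal /etc/pf.conf for a host with
# ONE network interface carrying several public IPs, using the table-based
# "allow all, block bad" ruleset from Miroslav's reply.
# Assumptions: the NIC is em0; the table file is /etc/pf.badguys.table.

# With a single NIC there is no internal interface: the one NIC is the
# external side, so only ext_if is defined. Replace em0 with your adapter.
ext_if = "em0"

# Loopback traffic never leaves the host; exclude lo0 from filtering entirely.
set skip on lo0

# Silently drop blocked packets rather than answering with RST / ICMP unreachable.
set block-policy drop

# Persistent table of blocked sources, preloaded from the file when the
# ruleset is loaded (one address or CIDR prefix per line, '#' starts a comment).
table <badguys> persist file "/etc/pf.badguys.table"

# Drop everything arriving from a listed source on the external interface,
# on every port and to every IP aliased onto this host ("to any").
# "quick" ends rule evaluation here, so the "pass all" below cannot override it.
block in quick on $ext_if from <badguys> to any

# Everything else is allowed: existing application-level blocking stays in place.
pass all
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), load it with `pfctl -f /etc/pf.conf`, and inspect the live table with `pfctl -t badguys -T show`. One caveat worth knowing: `pfctl -t badguys -T add` / `-T delete` change only the in-kernel table, not the file, so an address added on the fly is gone after the next reboot or ruleset reload unless it is also written to /etc/pf.badguys.table; after editing the file, `pfctl -t badguys -T replace -f /etc/pf.badguys.table` syncs the kernel table to it. On FreeBSD, `pf_enable="YES"` in /etc/rc.conf makes the ruleset load at boot.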