Date:      Tue, 18 Sep 2007 14:39:16 -0300
From:      Agus <agus.262@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: How to add rule with pfctl...
Message-ID:  <fda61bb50709181039r6389840gf172cde1f7378252@mail.gmail.com>
In-Reply-To: <fda61bb50709180813n236fcde1w1349d5f5c030d893@mail.gmail.com>
References:  <fda61bb50709151418r61b0e0b4rd889b517b954fae9@mail.gmail.com> <200709152336.27214.fbsd.questions@rachie.is-a-geek.net> <fda61bb50709170945u3a1fba81t8fa8244dbcfc5baf@mail.gmail.com> <46EEB13C.4020509@kinetix.gr> <fda61bb50709171930l7508b458nca9320f3e3ee9cee@mail.gmail.com> <20070918031323.GA46854@idoru.cepheid.org> <fda61bb50709180813n236fcde1w1349d5f5c030d893@mail.gmail.com>

2007/9/18, Agus <agus.262@gmail.com>:
>
> 2007/9/18, Erik Osterholm <freebsd-lists-erik@erikosterholm.org>:
> >
> > On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
> > > Agus wrote:
> > > >
> > > > 2007/9/15, Mel <fbsd.questions@rachie.is-a-geek.net>:
> > > >
> > > > On Saturday 15 September 2007 23:18:17 Agus wrote:
> > > >
> > > > I am trying to figure out how to add a firewall rule with pfctl...
> > > > This is what i'm trying to do...
> > > >
> > > > I've got SEC that matches a certain pattern and takes the IP from that and
> > > > want to trigger a firewall rule to block that IP....
> > > > Then after a couple of hours SEC will trigger the command to un-block the
> > > > IP...
> > > > So what i need is the command to block an IP address from the command line,
> > > > not touching any pf.conf....
> > > >
> > > > If you don't need to add a rule but an IP, then tables are your friend.
> > > > Example for /etc/pf.conf:
> > > > # Placeholder for spammers table, non-routable network IP.
> > > > table <spammers> persist { 192.168.111.111 }
> > > > # Block this traffic (inbound connections from listed hosts to our SMTP port)
> > > > block return-rst in log on $ext_if proto tcp from <spammers> to any port smtp
> > > >
> > > > Then on the command line:
> > > > /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> > > > And to delete:
> > > > /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
> > > >
> > > > --
> > > > Mel
> > > > _______________________________________________
> > > > freebsd-questions@freebsd.org mailing list
> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> > > >
> > > > Hi,
> > > > I put this on /etc/pf.conf
> > > > external_addr="192.168.1.11" which is the address of the only interface.
> > > > This machine isn't a router.
> > > >
> > > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > > > $external_addr port ssh
> > > >
> > > > but when i try to connect from 192.168.0.1 i connect with no problems...this
> > > > rule is to block access..
> > > > What am i doing wrong..is my first time with pf...
> > > >
> > > > Thanks...
> > >
> > > >
> > > > 2007/9/17, Goltsios Theodore <tgol@kinetix.gr>:
> > > Well I think that you mean to add this:
> > >
> > > ext_if="rl0" # Or whatever your interface is; ifconfig helps to find out
> > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
> > > port ssh
> > >
> > > or even:
> > > ext_if="rl0"
> > > external_addr="192.168.1.11"
> > > block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
> > > $external_addr port ssh
> > >
> > > Think of macros as variables. As long as you don't define them they don't
> > > exist (are empty).
> > >
> > >
> > >
> > > I know Theodore, i've done it exactly like u put it....first declare macros
> > > and then the rule....
> > > but i couldn't block access to the machine....this rule is supposed to block
> > > all access to port 22 on the machine coming from 192.168.0.1....but I can
> > > access from there...
> > >
> > > i checked pfctl -e
> > > pfctl -sa
> > >
> > > and everything seems to be loaded...
> > >
> > > Thanks...
> >
> > Are you sure that you're trying to block only from a specific host?
> > The source address shouldn't change, even if you're doing nat.  I
> > would assume that you'd want an 'any' keyword there, rather than a
> > specific IP address.
> >
> > Also, you can add hosts to the table automatically based on number of
> > connections over a given period of time:
> >
> > block quick from <blackhole>
> > pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA \
> >     keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
> >
> > The first rule blocks hosts from the blackhole table.  The second adds
> > hosts to the blackhole table and kills their state if they connect
> > more than 5 times in 30 seconds.  This is obviously tunable: 3/30
> > would be 3 connections in 30 seconds, and 8/60 would be 8 connections
> > in 60 seconds.
> >
> > Erik
> >
>
>
> Thanks Erik, that was very helpful, especially the conn-rate...
>
> First i already tried the table rule...but as i wasn't getting any results
> i figured i'd try first only with a simple rule to see if it works and to
> make the question less ambiguous....that's why i posted this rule.... i want
> to block from a specific host, which if i make this rule work will be a
> list of hosts in a table..and instead of blocking them because of their
> conn-rate i will block them by a SEC rule reading from syslog....
>
> and i put that ip to block cause it's my router's ip (192.168.0.1) and when
> i try to connect from my PC (192.168.0.2) to my server (192.168.1.11) i
> would want it to block me..just for testing....but i can't do it....my
> router has NAT so that's why i am blocking its IP and not my PC...
>
> Hope it's understandable....
>
> Thanks a lot...
>
>
Guys thanks a lot and sorry...i solved it...it was my mistake....i had
defined my interface with a typo...instead of i I had put y....i fixed it and
now it works great...but i'd like to thank all of you guys and tell you that
all the tips you gave me, i will be putting them into practice and they are very
useful....

thanks



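Added example, not part of the thread or written by any of the posters: a small POSIX sh wrapper that SEC could call to add or remove a host from the pf table Mel describes, validating the log-derived address before it ever reaches pfctl. The table name `spammers`, the script path and the SEC `action=shellcmd` lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper SEC can call to block or
# un-block one host through a pf table, leaving pf.conf untouched.
# Assumes pf.conf contains (names are constructed for this example):
#   table <spammers> persist
#   block drop in quick on $ext_if from <spammers>
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-spammers}"

# Accept only a plain dotted-quad IPv4 address (four octets, each 0-255).
# An address scraped from syslog by SEC is attacker-influenced input, so it is
# checked here before it is ever placed on a pfctl command line.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the exact pfctl invocation for ACTION (add|del) on TABLE, or fail.
pf_table_cmd() {
    action="$1"; ip="$2"
    case "$action" in add|del) ;; *) return 1 ;; esac
    valid_ipv4 "$ip" || return 1
    printf '%s -t %s -T %s %s\n' "$PFCTL" "$TABLE" "$action" "$ip"
}

# Run the change (or only print it when DRY_RUN is set); refuse bad input.
pf_table_apply() {
    cmd="$(pf_table_cmd "$1" "$2")" || {
        echo "pfblock: refused action='$1' ip='$2'" >&2
        return 2
    }
    if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
}

# SEC side (constructed): after matching the log pattern,
#   action=shellcmd /usr/local/sbin/pfblock.sh add $1
# and, from the delayed un-block context a couple of hours later,
#   action=shellcmd /usr/local/sbin/pfblock.sh del $1
case "$1" in
    add|del) pf_table_apply "$1" "$2" ;;
esac
```

Run with `DRY_RUN=1 ./pfblock.sh add 192.168.0.1` to see the pfctl line without touching the running ruleset.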