From: Igor Mozolevsky
Date: Sun, 23 Aug 2009 02:07:23 +0100
To: Len Conrad
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200908230132343.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?
List-Id: "Technical discussion and general questions about packet filter (pf)"

2009/8/23 Len Conrad:
>
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.

[snip]

> Anybody know of anything similar for pf?

http://www.bgnett.no/~peter/pf/en/spamd.setup.html

Cheers,
--
Igor

From: Len Conrad
Date: Sat, 22 Aug 2009 20:41:38 -0500
To: freebsd-pf@freebsd.org
Message-Id: <200908230340125.SM01728@W500.Go2France.com>
References: <200908230132343.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?
>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
> [snip]
>
>> Anybody know of anything similar for pf?
>
> http://www.bgnett.no/~peter/pf/en/spamd.setup.html

thanks, but I've never liked tarpitting, no matter how inexpensive it is, and I already have greylisting.

I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.

Len
From: Peter Maxwell
Date: Sun, 23 Aug 2009 03:57:32 +0100
To: Len Conrad, freebsd-pf@freebsd.org
Message-ID: <7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com>
In-Reply-To: <200908230340125.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?

2009/8/23 Len Conrad:
>
> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>

Are you sure you really need this in the first place? Others may disagree, but the way I see it is pf is a packet filter, your MTA should be dealing with SMTP "attacks".

Nonetheless, it's probably fairly trivial to do something like you are requesting. Create your pf ruleset with table(s) and corresponding drop rules. You can then create a simple cron script that parses the logs from your sshd, ftpd, etc and uses pfctl to replace the appropriate table with offending IPs or address ranges. You would probably have to manage timeouts in your scripts as well though.
Please note that - in most situations at least - allowing applications in userland to modify firewall rules is a particularly bad idea, for obvious reasons. Good firewall practice would suggest that the box doing packet filtering does that and only that, with all external services placed in a DMZ; if an attacker then compromises one of your services then they cannot mess about with the firewall rules, or much else for that matter.

Before implementing something like this, I would urge caution: if what you're asking was actually of any use, someone else would probably have done it properly. I can't imagine how log entries from an ftp server, say, are going to be related to your smtp server security? If it's a simple connection management, then max-src-conn/max-src-conn-rate might be a more robust solution.

Peter
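A concrete form of the cron-script approach Peter describes above, with pfctl's own table expiry doing the timeout management he mentions. This is an added example, not code from the thread or from any tool named in it; the table name, thresholds, log paths and log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven "bruteblock for pf".
# Reads sshd/smtpd log lines, counts failed logins per source address, loads
# repeat offenders into a pf table that a block rule references, and uses
# pfctl's table expiry in place of hand-managed timeouts.  Table name,
# thresholds and the pf.conf lines below are assumptions.
#
# Assumed pf.conf fragment (hypothetical table name):
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#
# Constructed sample log lines, used in the default dry-run mode so the
# script can be tried without touching pf.
SAMPLE_LOG='Aug 23 01:28:12 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 23 01:28:13 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug 23 01:28:14 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Aug 23 01:28:15 gw sshd[1236]: Failed password for admin from 198.51.100.20 port 40000 ssh2
Aug 23 01:29:00 gw postfix/smtpd[2000]: warning: 203.0.113.9: SASL LOGIN authentication failed
Aug 23 01:29:01 gw postfix/smtpd[2000]: warning: 203.0.113.9: SASL LOGIN authentication failed
Aug 23 01:29:02 gw postfix/smtpd[2000]: warning: 203.0.113.9: SASL LOGIN authentication failed
Aug 23 01:29:03 gw postfix/smtpd[2000]: warning: 203.0.113.9: SASL PLAIN authentication failed'

THRESHOLD=${THRESHOLD:-3}   # failed attempts per source before it is blocked
TTL=${TTL:-3600}            # seconds an address stays in the table
TABLE=${TABLE:-bruteforce}  # pf table referenced by the block rule
LOGS=${LOGS:-"/var/log/auth.log /var/log/maillog"}

# offenders: read log text on stdin, print every source address seen in at
# least THRESHOLD failures, one per line, sorted.  Two patterns are
# recognised: OpenSSH "Failed password ... from <ip> port <n>" and Postfix
# "warning: <ip>: SASL <mech> authentication failed".
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
            match($0, / from [0-9.]+ port /)
            n[substr($0, RSTART + 6, RLENGTH - 12)]++
        }
        /postfix\/smtpd\[[0-9]+\]: warning: [0-9.]+: SASL .* authentication failed/ {
            match($0, /warning: [0-9.]+:/)
            n[substr($0, RSTART + 9, RLENGTH - 10)]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# apply_blocks: add offenders from stdin to the table, then drop stale
# entries.  "pfctl -T expire" removes addresses whose statistics were last
# cleared more than TTL seconds ago (for entries never cleared, the time
# they were added), which is the job expiretable does as a daemon.
apply_blocks() {
    ips=$(offenders)
    if [ -n "$ips" ]; then
        pfctl -q -t "$TABLE" -T add $ips
    fi
    pfctl -q -t "$TABLE" -T expire "$TTL"
}

case "${1:-}" in
    --apply)   # from root's crontab, e.g. every five minutes
        cat $LOGS | apply_blocks ;;
    *)         # dry run: show what the constructed sample would block
        printf '%s\n' "$SAMPLE_LOG" | offenders ;;
esac
```

Run with --apply from cron on the box that holds the pf ruleset; that is exactly the userland-touches-the-firewall trade-off Peter raises, so it belongs on a sacrificial host rather than the border filter.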
From: Arlen Drina
Date: Sun, 23 Aug 2009 10:37:04 +0200
To: freebsd-pf@freebsd.org
Message-ID: <4e96b49a0908230137m6cfe420v2921593e99e8b706@mail.gmail.com>
Subject: CARP failover strange behaviour - two master states on master and backup server

Hi list,

I am using PF + CARP on OpenBSD 4.5 for my redundant firewall, but I have some strange situations I cannot understand very well.
So please review and give me your opinion. The firewalls perform redundancy as expected and work, but some stuff is not clear.

1) master configuration for carp interfaces is

external:
inet abc.abc.abc.abc 255.255.255.224 abc.abc.abc.abc.abc vhid 1 pass b5f06766c75cfsfsdfa6f87741430832 carpdev fxp0 advbase 10 advskew 0 state master

internal:
inet 192.168.1.100 255.255.255.0 192.168.1.255 vhid 2 pass 5e0125fb892ef94542eddcc6ab78a1ae carpdev rl0 advbase 10 advskew 0 state master

2) on backup

external:
inet abc.abc.abc.abc 255.255.255.224 abc.abc.abc.abc.abc vhid 1 pass b5f06766c75cfsfsdfa6f87741430832 carpdev fxp0 advbase 10 advskew 100 state master

internal:
inet 192.168.1.100 255.255.255.0 192.168.1.255 vhid 2 pass 5e0125fb892ef94542eddcc6ab78a1ae carpdev rl0 advbase 10 advskew 100 state master

As you can see I have different values for advbase/advskew. If the master server is booted first and the backup second, all is ok: master becomes master and backup is the backup server. But in case the backup is booted first it becomes master, and after the real master is booted up it becomes backup. I am wondering how this is possible, as I set up lower values for advskew/advbase on master to push it (in case it is alive in a normal environment) to always be master. And master stays in backup state the whole time.

When there is a normal process, master boots first and then slave, on both servers I have

ifconfig -g carp
carp: carp demote count 0

Again, should these values not be different on master and backup?

If I reboot master while backup is on, after the master reboot I have on it

ifconfig -g carp
carp: carp demote count 1

and it is marked as BACKUP. Also I noticed that the master server after reboot is for a very short time marked as MASTER and very fast it switches again to BACKUP state.
I played with carpdemote parameters on master/backup, and in the case

BACKUP server:
ifconfig -g carp
carp: carp demote count 0

MASTER server:
ifconfig -g carp
carp: carp demote count 1

I do on the BACKUP server

ifconfig -g carp carpdemote 20

then on the BACKUP server it is

ifconfig -g carp
carp: carp demote count 20

and all traffic is switched from backup to master (tcpdump -i $ext_if shows that), which is what I expect, and that works normally. But after increasing carpdemote on backup, the internal carp interface changes state to backup, but the external carp interface on the backup server remains MASTER, so in this situation I have two masters ... on backup and on master server.

All works as expected, failover works correctly and only the above stuff is very confusing for me. Also I noticed that the external carp device on both servers (master and backup) belongs to the egress interface group too; the carp interface is at the same time the default route interface and I understand it. I tried to raise the carpdemote value for the egress group to be the same as for the carp group but that did not help, I still have two masters on the external interfaces on master/backup.

Sorry for the long mail; if someone knows what could be the cause for this behaviour they are more than welcome to write it.
Thank you in advance,
Kind regards,
Arlen

From: Ron Wilhoite
Organization: Bay Area Legal Services, Inc.
Date: Sun, 23 Aug 2009 10:18:57 -0400
To: freebsd-pf@freebsd.org
Message-ID: <4A914FD1.7070500@bals.org>
In-Reply-To: <7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com>
Subject: Re: something like bruteblock for pf?
On 08/22/2009 10:57 PM Peter Maxwell wrote:
> 2009/8/23 Len Conrad:
>> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>> ...
> Before implementing something like this, I would urge caution: if what
> you're asking was actually of any use, someone else would probably
> have done it properly. I can't imagine how log entries from an ftp
> server, say, are going to be related to your smtp server security? If
> it's a simple connection management, then
> max-src-conn/max-src-conn-rate might be a more robust solution.
>

http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how to use max-src-conn-rate and expiretable.

# pkg_info -x expiretable
Information for expiretable-0.6:

Comment:
Utility to remove entries from the pf(4) table based on their age

Description:
Expiretable is a utility used to remove entries from the pf(4) table
based on their age.

The age in question being the amount of time that has passed since
the statistics for each entry in the target table was last cleared.
WWW: http://expiretable.fnord.se/

Ron

From: Len Conrad
Date: Sun, 23 Aug 2009 10:49:24 -0500
To: freebsd-pf@freebsd.org
Message-Id: <200908231748187.SM01728@W500.Go2France.com>
In-Reply-To: <4A914FD1.7070500@bals.org>
Subject: Re: something like bruteblock for pf?
> On 08/22/2009 10:57 PM Peter Maxwell wrote:
>> 2009/8/23 Len Conrad:
>>> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
> ...
>> Before implementing something like this, I would urge caution: if what
>> you're asking was actually of any use, someone else would probably
>> have done it properly. I can't imagine how log entries from an ftp
>> server, say, are going to be related to your smtp server security? If
>> it's a simple connection management, then
>> max-src-conn/max-src-conn-rate might be a more robust solution.
>
> http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how to use max-src-conn-rate and expiretable.
>
> # pkg_info -x expiretable
> Information for expiretable-0.6:
>
> Comment:
> Utility to remove entries from the pf(4) table based on their age
>
> Description:
> Expiretable is a utility used to remove entries from the pf(4) table
> based on their age.
>
> The age in question being the amount of time that has passed since
> the statistics for each entry in the target table was last cleared.
>
> WWW: http://expiretable.fnord.se/

I have no problem putting IPs into pf, it's expiring them that was blocking me, but expiretable fixes that.

I don't use pf for protecting these "sacrificial" machines generally, only for reactive blocking.
thanks

Len

From: Artyom Viklenko
Organization: Art&Co.
Date: Sun, 23 Aug 2009 18:21:16 +0300
To: Len Conrad
Cc: freebsd-pf@freebsd.org
Message-ID: <4A915E6C.2060000@aws-net.org.ua>
In-Reply-To: <200908230132343.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?
Len Conrad wrote:
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
> But bruteblock, which hasn't moved in 3 years, logged a lot of errors like "failed to ..." which didn't seem to bother its effectiveness, but was concerning, and ugly.
>
> Anybody know of anything similar for pf?
>

ports/security/sshguard-pf

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net   | http://www.viklenko.net/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
From: Nickola Kolev
Date: Sun, 23 Aug 2009 22:16:58 +0300
To: Artyom Viklenko
Cc: Len Conrad, freebsd-pf@freebsd.org
Message-Id: <20090823221658.06da495e.nikky@mnet.bg>
In-Reply-To: <4A915E6C.2060000@aws-net.org.ua>
Subject: Re: something like bruteblock for pf?

On Sun, 23 Aug 2009 18:21:16 +0300 Artyom Viklenko wrote:

> Len Conrad wrote:
> > I've used bruteblock, which manages ipfw, for blocking SMTP
> > attackers and reducing smtp connects by 10s of 1000s per day.
> >
> > But bruteblock, which hasn't moved in 3 years, logged a lot of
> > errors like "failed to ..." which didn't seem to bother its
> > effectiveness, but was concerning, and ugly.
> >
> > Anybody know of anything similar for pf?
> >
>
> ports/security/sshguard-pf

Mentioning that, why don't you take a look at:

http://blocksshd.sourceforge.net/

--
Best regards,
Nickola

From: Daniel Gerzo
Organization: The FreeBSD Project
Date: Sun, 23 Aug 2009 23:43:01 +0200
To: Len Conrad
Cc: freebsd-pf@freebsd.org
Message-ID: <4A91B7E5.8050007@FreeBSD.org>
In-Reply-To: <200908230132343.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?
Len Conrad wrote:
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
> Anybody know of anything similar for pf?

security/bruteforceblocker

--
S pozdravom / Best regards
Daniel Gerzo, FreeBSD committer
From: Balázs Mátéffy
Date: Mon, 24 Aug 2009 00:14:39 +0200
To: freebsd-pf
In-Reply-To: <4A91B7E5.8050007@FreeBSD.org>
Subject: Re: something like bruteblock for pf?

Hi guys,

I'm using bruteforceblocker at the moment on my systems, thanks for this great utility Daniel!

Can you tweak it to be able to get the ips from proftpd or any other log, or is it working out of the box, you just have to set it up in syslog.conf (didn't see that feature in the doc.)? Or for these things is sshguard more appropriate?

Thanks,
Best Regards,
Repcsi

2009/8/23 Daniel Gerzo
> Len Conrad wrote:
>
>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and
>> reducing smtp connects by 10s of 1000s per day.
>> Anybody know of anything similar for pf?
>>
>
> security/bruteforceblocker
>
> --
> S pozdravom / Best regards
> Daniel Gerzo, FreeBSD committer

From: FreeBSD bugmaster
Date: Mon, 24 Aug 2009 11:07:00 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <200908241107.n7OB70Sv048678@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

36 problems total.

From: Daniel Gerzo
Organization: The FreeBSD Project
Date: Tue, 25 Aug 2009 03:52:08 +0200
To: Balázs Mátéffy
Cc: freebsd-pf
Message-ID: <4A9343C8.3080101@FreeBSD.org>
References: <200908230132343.SM01728@W500.Go2France.com> <4A91B7E5.8050007@FreeBSD.org>
Subject: Re: something like bruteblock for pf?

Balázs Mátéffy wrote:
> Hi guys,
>
> I'm using bruteforceblocker at the moment on my systems, thanks for this
> great utility Daniel!
>
> Can you tweak it to be able to get the IPs from proftpd or any other log, or
> does it work out of the box, so that you just have to set it up in
> syslog.conf (I didn't see that feature in the docs)?
>
> Or is sshguard more appropriate for these things?

Check the /usr/local/sbin/bruteforceblocker file and edit the line which looks like the following:

    if (/.*Failed password.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) port.*/i || ...

You just need to add any regular expression that meets your requirements and set syslog up so that the logs are directed to bruteforceblocker as well.

--
S pozdravom / Best regards
Daniel Gerzo, FreeBSD committer

From: Ivan Radovanovic
Date: Tue, 25 Aug 2009 11:42:27 +0200
To: freebsd-pf@freebsd.org
Message-ID: <4A93B203.2000305@gmail.com>
Subject: Positive condition for adding in the table?

I am new to pf configuration and I am curious whether it is possible to add some host into a table in the firewall rules if some conditions are met (not if they are broken). I was thinking about some way to prevent port scanning of the machine, and what came to me as the obvious way to do it is this (in some pseudocode):

    block all communication with bad_guys
    allow all communication with good_guys
    allow any communication with my open port and put ip in good_guys table
    block sending any rst packet from me and put ip in bad_guys table
        /* somebody tried to connect to non-open port */
    /* more criteria to remove someone from good_guys and put in bad_guys,
       according to connection rate, etc */

Anyway, when I tried to code this into pf rules I discovered that I can't put a host into a table according to a positive condition. Is there some workaround for this?
From: Maxim Khitrov
Date: Tue, 25 Aug 2009 08:39:34 -0400
To: freebsd-pf@freebsd.org
Message-ID: <26ddd1750908250539l79735cabg4ce99c4eb445f61c@mail.gmail.com>
Subject: Filtering on multi-interface firewall

Hello all,

A quick question regarding the behavior of FreeBSD and pf when you have multiple local interfaces. In my case, I have a Soekris net5501 board with one interface being the uplink to the ISP and the other three dedicated to separate networks. There should be no traffic passing from one network to the other, and no one (except for a few admin IPs) should be able to connect to any firewall port, especially ssh. So to accomplish this, I have a default "block" rule followed by what traffic is allowed to pass. The following rule is used to permit internet traffic from one of the LANs:

    pass in quick on $int_if from ($int_if:network) to !($int_if) tag INET

When this packet goes out on $ext_if, it is processed by a nat rule followed by another pass:

    nat on $ext_if tagged INET -> ($ext_if:0)
    pass out quick on $ext_if queue (def, pri)

This part should work without problems (I say "should" because I don't have the ability to test all of this right now). But my question is about what happens if someone on the $int_if network tries to connect to the IP assigned to $ext_if or to one of the other two interfaces. It seems to me that this packet would be passed when coming in on $int_if, because the "!($int_if)" portion of the rule is satisfied. Once the packet makes it to the kernel, would the system then recognize that it is the final destination for that packet and let it go to whatever port was specified (ssh, for example)?

What I'm looking for is a way to define a "pass in" rule, so long as the destination is guaranteed not to be the firewall itself, and I'm not sure if "!($int_if)" accounts for this other scenario. I know that I can create a table containing "self", but then the ruleset would need to be reloaded for every IP change. Is there some other way to specify "pass this packet in only if it isn't addressed to any local interface"?
- Max

From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Tue, 25 Aug 2009 17:13:27 +0200
To: freebsd-pf@freebsd.org
Message-ID: <87eir0sz8o.fsf@thingy.bsdly.net>
In-Reply-To: (Igor Mozolevsky's message of "Sun, 23 Aug 2009 02:07:23 +0100")
Subject: Re: something like bruteblock for pf?

Igor Mozolevsky writes:

>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and
>> reducing smtp connects by 10s of 1000s per day.
>
> [snip]
>
>> Anybody know of anything similar for pf?
>
> http://www.bgnett.no/~peter/pf/en/spamd.setup.html

The OP more likely wants something like state tracking with overload tables, i.e.

  http://home.nuug.no/~peter/pf/en/bruteforce.html

or similar (yes, please update your bookmarks to point to the nuug site, the bgnett one is getting stale).

It's worth noting that the overload tables method is not limited to specific services, as long as you can dream up sensible criteria and some useful action to take on the hosts that end up in the overload list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Tue, 25 Aug 2009 17:27:40 +0200
To: freebsd-pf@freebsd.org
Message-ID: <87ab1nud5f.fsf@thingy.bsdly.net>
In-Reply-To: <4A93B203.2000305@gmail.com> (Ivan Radovanovic's message of "Tue, 25 Aug 2009 11:42:27 +0200")
Subject: Re: Positive condition for adding in the table?
Ivan Radovanovic writes:

> I am new to pf configuration and I am curious whether it is possible to add
> some host into a table in the firewall rules if some conditions are met (not
> if they are broken).

There are a couple of apps out there that will update pf tables for you based on various conditions. One is authpf (a non-interactive user shell, frequently used for stuff like http://home.nuug.no/~peter/pf/en/vegard.authpf.html), likely something to build on.

Then I was going to write that dhcpd can manipulate tables (for example, adding addresses it has assigned to a pf table), but then I realized that OpenBSD's dhcpd is not identical to the FreeBSD one, so that particular feature may not be available immediately to readers of this list.

Tables are nice; more apps that interface with pf through tables would likely be welcome.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
From: George Davidovich
Date: Tue, 25 Aug 2009 08:18:12 -0700
To: freebsd-pf@freebsd.org
Message-ID: <20090825151812.GA75010@marvin.optimis.net>
In-Reply-To: <200908231748187.SM01728@W500.Go2France.com>
References: <200908230132343.SM01728@W500.Go2France.com> <200908230340125.SM01728@W500.Go2France.com> <7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com> <4A914FD1.7070500@bals.org> <200908231748187.SM01728@W500.Go2France.com>
Subject: Re: something like bruteblock for pf?

On Sun, Aug 23, 2009 at 10:49:24AM -0500, Len Conrad wrote:
>
> > On 08/22/2009 10:57 PM Peter Maxwell wrote:
> > > 2009/8/23 Len Conrad :
> > > > I'm looking for something like bruteblock that logwatches (smtp,
> > > > ssh, ftp, whatever) and inserts/removes TCP block rules into pf
> > > > for x hours, so the protocol daemons are involved.

If you're looking for a general-purpose solution, see /usr/ports/sysutils/grok. The FreeBSD man cgi doesn't seem to want to show the manpage, so here's an alternate link for more information:

  http://www.semicomplete.com/projects/grok/

> > > Before implementing something like this, I would urge caution: if
> > > what you're asking was actually of any use, someone else would
> > > probably have done it properly. I can't imagine how log entries
> > > from an ftp server, say, are going to be related to your smtp
> > > server security? If it's a simple connection management, then
> > > max-src-conn/max-src-conn-rate might be a more robust solution.
> >
> > http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains
> > how to use max-src-conn-rate and expiretable.
> >
> > # pkg_info -x expiretable
> > Information for expiretable-0.6:
> >
> > Comment:
> > Utility to remove entries from the pf(4) table based on their age
>
> I have no problem putting IPs into pf, it's expiring them that was
> blocking me, but expiretable fixes that.

From pfctl(8):

    -T command [address ...]
        Specify the command (may be abbreviated) to apply to the table.
        Commands include:
        ...
        -T expire number
            Delete addresses which had their statistics cleared more than
            number seconds ago. For entries which have never had their
            statistics cleared, number refers to the time they were added
            to the table.

IIRC, the expire command was added in 7.0 or 7.1.

--
George
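The three ingredients this thread circles around fit together as one small tool: Peter Hansteen's state-tracking overload table (a pf rule decides who gets blocked), Daniel Gerzo's point that bruteforceblocker is a regular expression over syslog lines feeding the same kind of table (a log watcher decides), and the pfctl -T expire command George quotes for ageing entries out again. The script below is an added example, not code from the thread, from bruteforceblocker or from any of the posters. The table name, the thresholds, the interface name and the proftpd log format are assumptions; the sample log lines are constructed; and none of the pfctl commands are executed, they are printed, so it can be run on any host with sh and awk.

```shell
#!/bin/sh
# Added example for this thread, not the posters' code: a pf-table based
# brute-force blocker in three parts.
#   1. pf_ruleset  - overload abusive sources into a table (state tracking)
#   2. offenders   - bruteforceblocker-style log watcher feeding the same table
#   3. expire_cmd  - age entries out with pfctl -T expire
# Assumptions: table name, thresholds, interface name and the proftpd log
# format. Nothing here runs pfctl; the commands are printed.

TABLE=bruteforce        # assumed table name
THRESHOLD=5             # assumed: failed logins before a source is blocked
EXPIRE_SECONDS=86400    # assumed: entries older than a day are removed

# 1. Ruleset. A source that opens more than 5 connections in 30 seconds, or
#    holds more than 10 states, is added to <bruteforce>; "flush global" also
#    tears down the states it already has. Limits and interface are assumed.
pf_ruleset() {
    cat <<EOF
ext_if = "em0"
table <$TABLE> persist
block in quick from <$TABLE>
pass in on \$ext_if proto tcp to port { ssh, smtp, ftp } keep state (max-src-conn 10, max-src-conn-rate 5/30, overload <$TABLE> flush global)
EOF
}

# 2. Log watcher. Reads syslog lines on stdin, counts failures per source IPv4
#    address and prints the addresses that reached THRESHOLD, sorted. The sshd
#    pattern is the one bruteforceblocker keys on; the proftpd one is assumed.
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password .* from [0-9.]+ port/ ||
        /proftpd\[[0-9]+\].*: USER .*: no such user found from [0-9.]+/ {
            # the source address is the token after "from"
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# Commands that would block the offenders: add the address to the table and
# kill the states it already holds (the log path has no "flush" to do that).
block_cmds() {
    offenders | while read -r ip; do
        echo "pfctl -t $TABLE -T add $ip"
        echo "pfctl -k $ip"
    done
}

# 3. Expiry, for cron: delete entries added more than EXPIRE_SECONDS ago.
expire_cmd() {
    echo "pfctl -t $TABLE -T expire $EXPIRE_SECONDS"
}

# Constructed sample log: 192.0.2.10 fails five ssh logins, 203.0.113.5 fails
# two ftp logins (below threshold), 198.51.100.7 logs in successfully.
SAMPLE_LOG='Aug 25 03:52:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Aug 25 03:52:02 gw sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Aug 25 03:52:03 gw sshd[1203]: Failed password for root from 192.0.2.10 port 51236 ssh2
Aug 25 03:52:04 gw sshd[1204]: Failed password for root from 192.0.2.10 port 51237 ssh2
Aug 25 03:52:05 gw sshd[1205]: Failed password for root from 192.0.2.10 port 51238 ssh2
Aug 25 03:52:06 gw proftpd[1300] gw (203.0.113.5[203.0.113.5]): USER test: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.1:21
Aug 25 03:52:07 gw proftpd[1301] gw (203.0.113.5[203.0.113.5]): USER guest: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.1:21
Aug 25 03:52:08 gw sshd[1206]: Accepted password for ops from 198.51.100.7 port 40000 ssh2'

# Dry run: show what the watcher and the expiry job would execute.
printf '%s\n' "$SAMPLE_LOG" | block_cmds
expire_cmd
```

Run as-is it only prints the two commands for 192.0.2.10 and the expire command. On the firewall you would feed offenders the real log (a syslog pipe, as Daniel describes for bruteforceblocker), turn the echo lines into the commands themselves, and schedule expire_cmd from cron; pfctl -T expire needs the 7.x pfctl George mentions, and on older releases expiretable does the same job. The state-tracking rule and the log watcher share one table, so a host caught by either is blocked by the same block rule and ages out by the same expiry.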