Date: Mon, 26 Dec 2005 15:49:17 -0500
From: Forrest Aldrich <forrie@forrie.com>
To: pf@freebsd.org
Subject: Block rule not working...
Message-ID: <43B0574D.30406@forrie.com>
My pf.conf is below. I have this idiot at 24.147.135.133 who has been attempting to break my webserver for about a week - presumably he's running some script. Port 80 of his machine has an impressive MP3 collection. Comcast doesn't care, so my reports have been unheard.

I have rules to block this /24, but he manages to get through anyway. First, I block via a negation to the <abuse> table; second, I have an explicit block rule to block all traffic from anyone in that table. Since the block rule comes first, before the "pass" rule below, I would presume it would work. I can match it in the table; it's there.

Can anyone tell me what's wrong with the rules so I can correct this ASAP? Thank you.

ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"
tcp_services = "imap, imaps, smtp, smtps"

set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

table <badips> persist file "/etc/pf.d/spammers" \
    file "/etc/pf.d/abuse" \
    file "/etc/pf.d/geoip"
table <spammers> persist file "/etc/pf.d/spammers"
table <abuse> persist file "/etc/pf.d/abuse"
table <geoip> persist file "/etc/pf.d/spammers"

scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
    port { $tcp_services } -> $server
rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
    port 80 -> $server port 80
rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
    port 443 -> $server port 443

antispoof quick for $ext_if
set skip on lo0

block log all
block in quick on $ext_if from <abuse> to any
block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps, imap, imaps }

pass quick on $int_if inet all keep state
pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
    modulate state
pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
pass out quick on $ext_if inet proto tcp all \
    keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
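An added diagnostic helper, not part of the original message, for checking whether a table-based block rule is actually taking effect: is the address covered by the table, do the rule's packet counters move, and are there states from that host that were created before the rule was loaded (pf consults the state table before the ruleset, so such states keep passing traffic). It assumes FreeBSD pfctl(8) and the <abuse> table name from the posted pf.conf; the sample pfctl output embedded below is constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original message). Assumes FreeBSD
# pfctl(8) and the <abuse> table from the posted pf.conf. Samples are constructed.

# Count `pfctl -ss` state entries whose source host is $2 (output passed as $1).
# pf checks the state table before the ruleset, so a state created before the
# block rule was loaded keeps passing traffic no matter what the rule says.
count_states_from() {
    printf '%s\n' "$1" | awk -v h="$2" '
        index($0, "<- " h ":") { n++ }
        END { print n + 0 }'
}

# Sum the "Packets:" counters of every rule in `pfctl -vvsr` output ($1) that
# references table <$2>. A counter that never moves means the rule is not matching.
table_rule_packets() {
    printf '%s\n' "$1" | awk -v tbl="<$2>" '
        index($0, tbl) { want = 1; next }
        want && /\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1)
            want = 0
        }
        END { print total + 0 }'
}

# Constructed sample output in the shape pfctl prints (addresses from the post).
SAMPLE_SS='fxp0 tcp 192.168.1.2:80 (xx.xx.xx.xx:80) <- 24.147.135.133:3456       ESTABLISHED:ESTABLISHED
fxp0 tcp 192.168.1.2:80 (xx.xx.xx.xx:80) <- 24.147.135.133:3457       ESTABLISHED:ESTABLISHED
fxp0 tcp 192.168.1.2:443 (xx.xx.xx.xx:443) <- 10.0.0.5:40000       ESTABLISHED:ESTABLISHED'
SAMPLE_RULES='@3 block drop in quick on fxp0 from <abuse> to any
  [ Evaluations: 1234      Packets: 56        Bytes: 3360        States: 0     ]
@4 block drop in quick on fxp0 proto tcp from <badips> to any port = smtp
  [ Evaluations: 1178      Packets: 0         Bytes: 0           States: 0     ]'

# Live check, run only when an address is given and pfctl is available:
#   sh pf_block_check.sh 24.147.135.133
if [ $# -gt 0 ] && command -v pfctl >/dev/null 2>&1; then
    addr=$1
    pfctl -t abuse -T test "$addr"      # is the host actually covered by the table?
    echo "packets matched by <abuse> rules: $(table_rule_packets "$(pfctl -vvsr)" abuse)"
    echo "existing states from $addr:   $(count_states_from "$(pfctl -ss)" "$addr")"
    # Removing the leftover states makes the ruleset apply to the next packet:
    #   pfctl -k "$addr"
fi
```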