Date: Mon, 26 Dec 2005 15:49:17 -0500 From: Forrest Aldrich <forrie@forrie.com> To: pf@freebsd.org Subject: Block rule not working... Message-ID: <43B0574D.30406@forrie.com>
next in thread | raw e-mail | index | archive | help
My pf.conf is below.
I have this idiot at 24.147.135.133 who has been attempting to break my
webserver for about a week - presumably he's running some script. Port
80 of his machine has an impressive MP3 collection.
Comcast doesn't care, so my reports have been unheard.
I have rules to block this /24, but he manages to get through anyway.
First, I block via a negation to the <abuse> table, second I have an
explicit block rule to block all traffic from anyone in that table.
Since the block rule comes first before the "pass" rule below, I would
presume it would work.
I can match it in the table, it's there.
Can anyone tell me what's wrong with the rules so I can correct this ASAP.
Thank you.
ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"
tcp_services = "imap, imaps, smtp, smtps"
set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
table <badips> persist file "/etc/pf.d/spammers" \
file "/etc/pf.d/abuse" \
file "/etc/pf.d/geoip"
table <spammers> persist file "/etc/pf.d/spammers"
*
table <abuse> persist file "/etc/pf.d/abuse"*
table <geoip> persist file "/etc/pf.d/spammers"
scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
port { $tcp_services } -> $server
*rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
port 80 -> $server port 80*
*rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
port 443 -> $server port 443*
antispoof quick for $ext_if
set skip on lo0
block log all
*block in quick on $ext_if from <abuse> to any*
block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps, imap, imaps }
pass quick on $int_if inet all keep state
pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
modulate state
pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
pass out quick on $ext_if inet proto tcp all \
keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43B0574D.30406>