Date: Thu, 9 Jun 2005 13:51:16 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Matt Rechkemmer <tiberius@trancell.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf block question
Message-ID: <20050609105116.GA87877@orion.daedalusnetworks.priv>
In-Reply-To: <20050609101805.GA11341@sdf.lonestar.org>
References: <20050607064323.GA29038@sdf.lonestar.org> <20050607105030.GA44218@orion.daedalusnetworks.priv> <20050609101805.GA11341@sdf.lonestar.org>
On 2005-06-09 03:18, Matt Rechkemmer <tiberius@trancell.org> wrote:
> On Tue, Jun 07, 2005 at 01:50:30PM +0300, Giorgos Keramidas wrote:
> >
> > We'd have to see the entire ruleset and a tcpdump of traffic that passes
> > through to know what's wrong.
> >
> > - Giorgos
>
> Here are the rules as taken from pfctl -sr. I can also provide a copy of
> pf.conf, if needed. The user's host is in the "badhosts" table. I've changed
> the first three octets of my IPs, for privacy reasons. The intruder's IP in
> the tcpdump has also been masked.
>
> ***sorry about the word wrap***
>
> scrub in all fragment reassemble
> block drop on fxp0 from <badhosts> to any
> block drop all
> pass out quick on lo0 all
> pass in quick on lo0 all
> pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
> pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state

Rule matching in PF (as in IP Filter) is "last match wins". The ICMP packets
from <badhosts> entries match the following rules:

    scrub in all fragment reassemble
    block drop on fxp0 from <badhosts> to any
    pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state

and the last rule wins... If you add "quick" to the `block from <badhosts>'
rule, packets from these hosts will immediately be dropped -- which is what
you probably want to do, if I have understood what you wrote so far.

- Giorgos
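To make the "last match wins" versus "quick" behaviour concrete, here is an added model of pf's rule evaluation written for this archive page (it is not pf code and not part of the thread); it replays the filter rules Matt posted against a constructed inbound echo request from a <badhosts> member, using a placeholder table entry of 192.0.2.0/24 and omitting the scrub and lo0 rules, and shows which rule decides with and without "quick" on the block rule.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pf's "last matching rule wins" evaluation (not pf code):
# rules are scanned top to bottom, the last match decides, unless a matching
# rule carries "quick", which stops the scan and applies that rule at once.

BADHOSTS = [ip_network("192.0.2.0/24")]  # constructed <badhosts> table contents

def rule(action, quick=False, direction=None, iface=None, proto=None, src=None):
    """Build a rule; None means 'any' for that field, src is a list of networks."""
    return dict(action=action, quick=quick, direction=direction,
                iface=iface, proto=proto, src=src)

def matches(r, pkt):
    if r["direction"] and r["direction"] != pkt["dir"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None:
        return any(ip_address(pkt["src"]) in net for net in r["src"])
    return True

def evaluate(rules, pkt):
    """Return ('pass'|'block', index of the deciding rule) for pkt."""
    decision, winner = "pass", None   # pf passes when no rule matches
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision, winner = r["action"], i
            if r["quick"]:
                break                 # "quick": evaluation ends here
    return decision, winner

def ruleset(quick_block):
    # The filter rules from the thread (scrub and lo0 rules omitted)
    return [
        rule("block", quick=quick_block, iface="fxp0", src=BADHOSTS),
        rule("block"),
        rule("pass", direction="out", iface="fxp0", proto="icmp"),
        rule("pass", direction="in", iface="fxp0", proto="icmp"),
    ]

# Constructed inbound echo request from a <badhosts> member
PING_FROM_BADHOST = {"src": "192.0.2.7", "dir": "in", "iface": "fxp0", "proto": "icmp"}

if __name__ == "__main__":
    print(evaluate(ruleset(False), PING_FROM_BADHOST))  # ('pass', 3)
    print(evaluate(ruleset(True), PING_FROM_BADHOST))   # ('block', 0)
```

Without "quick" the final "pass in ... icmp" rule is the last match and the ping gets through; with "quick" the block rule decides immediately, which is the fix Giorgos proposes.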