Date:      Tue, 27 Dec 2005 14:29:02 +0200 (EET)
From:      "Anton Butsyk" <butsyk@mail.etsplus.net>
To:        pf@freebsd.org
Subject:   Re: Block rule not working...
Message-ID:  <56746.193.110.17.129.1135686542.squirrel@mail.etsplus.net>
In-Reply-To: <43B0574D.30406@forrie.com>
References:  <43B0574D.30406@forrie.com>

> My pf.conf is below.
>
> I have this idiot at 24.147.135.133 who has been attempting to break my
> webserver for about a week - presumably he's running some script. Port
> 80 of his machine has an impressive MP3 collection.
>
> Comcast doesn't care, so my reports have been unheard.
>
> I have rules to block this /24, but he manages to get through anyway.
> First, I block via a negation to the <abuse> table, second I have an
> explicit block rule to block all traffic from anyone in that table.
>
> Since the block rule comes first before the "pass" rule below, I would
> presume it would work.
>
> I can match it in the table, it's there.
>
> Can anyone tell me what's wrong with the rules so I can correct this ASAP?
>
>
> Thank you.
>
>
> ext_if = "fxp0"
> int_if = "em0"
> prv_if = "em0"
> server = "192.168.1.2/32"
> ext_ad = "xx.xx.xx.xx/32"
> prv_ad = "192.168.1.2/32"
> prv_net = "192.168.1.0/24"
>
>
> tcp_services = "imap, imaps, smtp, smtps"
>
>
> set require-order yes
> set limit { frags 30000, states 25000 }
> set block-policy drop
> set optimization normal
>
>
> set timeout tcp.first 20
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
>
>
>
> table <badips> persist file "/etc/pf.d/spammers" \
> 	file "/etc/pf.d/abuse" \
> 	file "/etc/pf.d/geoip"
>
> table <spammers> persist file "/etc/pf.d/spammers"
> *
> table <abuse> persist file "/etc/pf.d/abuse"*
>
> table <geoip> persist file "/etc/pf.d/spammers"
>
>
> scrub all reassemble tcp no-df
> scrub in all fragment reassemble
> scrub out all random-id
>
>
>
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
>  	port { $tcp_services } -> $server
>
> *rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
>  	port 80 -> $server port 80*
>
> *rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
>  	port 443 -> $server port 443*
>
>
>
> antispoof quick for $ext_if
>
> set skip on lo0
>
> block log all
> *block in quick on $ext_if from <abuse> to any*
> block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps,
> imap, imaps }
>
> pass quick on $int_if inet all keep state
>
>
> pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
> 	modulate state
>
> pass in on $ext_if inet proto tcp from any to any port { 80, 443 }
> modulate state
>
>
>
> pass in on $ext_if inet proto udp all keep state
>
> pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
>
>
> pass out quick on $ext_if inet proto tcp all \
> 	keep state
>
> pass out quick on $ext_if inet proto udp all keep state
>
> pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
> --

Hi, Forrest.

Is pf enabled?

Is $ext_if the interface for 24.147.135.133's packets?


Why don't you try replacing the <abuse> definition with
   table <abuse> const { 24.147.135.133, 24.147.135/24 }
(or any addresses you want) and a rule without an iface:
    block in quick from <abuse> to any

-- 
Regards,

Anton Butsyk

http://studiori.net/
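As an added example that is not part of this thread: the Python script below models how pf chooses an action for the attacker's packet against the rules Forrest posted. It is a simplified simulator written for this page, not pf itself: it ignores scrub, nat, rdr and the state table and only models rule matching, where the last matching rule wins unless a matching rule carries `quick`, which ends evaluation at once. Interface names (fxp0, em0), the port sets, the attacker address and the table contents are taken from the post; the `verdict()` helper and its scenario parameters are constructed here to show why Anton asks whether pf is enabled and whether $ext_if is really the interface the packets arrive on.

```python
"""Model of pf rule evaluation for the ruleset quoted above (added example, not pf code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str            # interface the packet is seen on
    direction: str        # "in" or "out"
    src: str              # source address
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 when not applicable)


@dataclass
class Rule:
    action: str                        # "block" or "pass"
    quick: bool = False                # stop evaluating when this rule matches
    direction: Optional[str] = None    # None means "in or out"
    iface: Optional[str] = None        # None means "any interface"
    src: str = "any"                   # "any", "<table>" or a CIDR
    proto: Optional[str] = None
    dports: frozenset = frozenset()    # empty means "any port"


def in_table(tables, name, addr):
    """Longest-prefix detail is irrelevant here: membership in any network is enough."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in tables.get(name, []))


def matches(rule, pkt, tables):
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.src != "any":
        if rule.src.startswith("<"):
            return in_table(tables, rule.src.strip("<>"), pkt.src)
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    return True


def evaluate(rules, pkt, tables):
    """pf semantics: the last matching rule decides, unless a matching rule is 'quick'.
    With no matching rule at all pf passes the packet."""
    winner = None
    for rule in rules:
        if matches(rule, pkt, tables):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


EXT_IF, INT_IF = "fxp0", "em0"                    # $ext_if / $int_if from the post
MAIL = frozenset({25, 465, 143, 993})             # smtp, smtps, imap, imaps
WEB = frozenset({80, 443})
ATTACKER = "24.147.135.133"

# Constructed table contents: the /24 Forrest says he blocks.
TABLES = {
    "abuse": [ipaddress.ip_network("24.147.135.0/24")],
    "badips": [ipaddress.ip_network("24.147.135.0/24")],
}


def posted_ruleset(abuse_quick=True):
    """The filter rules from the quoted pf.conf, in order (icmp rules omitted)."""
    return [
        Rule("block"),                                                        # block log all
        Rule("block", quick=abuse_quick, direction="in", iface=EXT_IF, src="<abuse>"),
        Rule("block", quick=True, direction="in", iface=EXT_IF, src="<badips>",
             proto="tcp", dports=MAIL),
        Rule("pass", quick=True, iface=INT_IF),                              # pass quick on $int_if
        Rule("pass", direction="in", iface=EXT_IF, proto="tcp", dports=MAIL),
        Rule("pass", direction="in", iface=EXT_IF, proto="tcp", dports=WEB),
        Rule("pass", direction="in", iface=EXT_IF, proto="udp"),
        Rule("pass", quick=True, direction="out", iface=EXT_IF, proto="tcp"),
    ]


def verdict(iface=EXT_IF, tables=TABLES, abuse_quick=True, src=ATTACKER):
    """Action pf would take for an inbound TCP/80 packet from `src` on `iface`."""
    pkt = Packet(iface=iface, direction="in", src=src, proto="tcp", dport=80)
    return evaluate(posted_ruleset(abuse_quick), pkt, tables)


if __name__ == "__main__":
    print("as posted, arriving on fxp0:      ", verdict())
    print("same packet arriving on em0:      ", verdict(iface="em0"))
    print("abuse table empty (not loaded):   ", verdict(tables={"abuse": [], "badips": []}))
    print("abuse block rule without 'quick': ", verdict(abuse_quick=False))
    print("unrelated client 8.8.8.8:         ", verdict(src="8.8.8.8"))
```

Run as a script it prints "block" only for the first case. The other cases are the ways the posted ruleset lets the packet through without any syntax error: the packet enters on an interface other than $ext_if (the `pass quick on $int_if` rule then wins), the table is empty because the file was not loaded, or the block rule lacks `quick` so the later `pass in ... port { 80, 443 }` rule, being the last match, overrides it. Real pf also consults its state table before the ruleset, so a connection established before the block rule was loaded keeps passing until its state is removed; on FreeBSD `pfctl -s info` shows whether pf is enabled, `pfctl -t abuse -T test 24.147.135.133` confirms table membership, and `pfctl -k 24.147.135.133` kills existing states from that host.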



