Date: Thu, 31 Jan 2019 12:11:15 +0100
From: ASV <asv@inhio.net>
To: Kristof Provost <kristof@sigsegv.be>
Cc: questions list <freebsd-questions@freebsd.org>
Subject: Re: PF issue since 11.2-RELEASE
Message-ID: <c89b0bfc5decb895432b8427e4e70d58c5a7f0c9.camel@inhio.net>
In-Reply-To: <20190129193609.GB57976@vega.codepro.be>
References: <989e79372513e9769c6857b531f14df8ce0b6f3a.camel@inhio.net> <F26DA908-F2AC-4CBF-8227-A4C3D21865EE@FreeBSD.org> <e336fd332455cc9fe9f722482aae09ed6eeab610.camel@inhio.net> <51F0845A-2BB3-4BC9-977D-BB0E6C305ED3@FreeBSD.org> <a801e46a5c4ca3aaa8bc4d6b270319840908ad44.camel@inhio.net> <20190129193609.GB57976@vega.codepro.be>
Good afternoon,

one good news and one bad news. Good news is that it was that bloody zero missing which was "freaking out" PF during the reload. How could I have missed that? Perhaps erroneously removed during the upgrade somehow, or it was there but not causing problems?! I'll never know. But it's fixed, so thank you very much for the good catch!

The bad news is that PF is still not enforcing the rules within the anchors. So fail2ban keeps populating the tables where the previously mentioned rules are in place (reposted below), but these IPs keep bombing me with connection attempts, passing the firewall with no problems at all. Killing the states, reloading, restarting (PF and fail2ban) doesn't fix that.

# pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
# pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls

Is it a known bug?

On Tue, 2019-01-29 at 20:36 +0100, Kristof Provost wrote:
> On 2019-01-29 20:31:53 (+0100), ASV <asv@inhio.net> wrote:
> > OK, I understand. Here it follows my pf.conf:
> >
> > ext_if="lagg0"
> > tun0_if="tun0"
> > B01="172.16.3.2"
> > K01="172.16.3.3"
> > W01="172.16.3.4"
> > W03="172.16.3.5"
> > K02="172.16.3.6"
> > W02="172.16.3.7"
> >
> > set skip on lo
>
> Try 'set skip on lo0'
>
> There have been issues with groups in 'set skip' handling. They *should* be fixed in CURRENT, but 11.2 is affected.
>
> Regards,
> Kristof
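Added example (not part of the thread, and not the poster's configuration): a shell check for the usual reason anchor rules load fine but are never hit. pf evaluates the rules inside an anchor only at the point where the main ruleset contains an `anchor` rule naming it (for fail2ban typically `anchor "f2b/*"`, which is an assumption about how pf.conf declares it), and a `pass ... quick` rule earlier in the main ruleset ends evaluation before the anchor is reached. The function below takes `pfctl -sr` output as text, so it runs offline; the three rulesets are constructed samples.

```shell
#!/bin/sh
# pf_anchor_position RULESET ANCHOR
#   RULESET: text of `pfctl -sr` (the main ruleset, passed as a string)
#   ANCHOR:  anchor fail2ban loads into, e.g. f2b/asterisk-udp
# Prints one of:
#   missing  - no anchor rule references ANCHOR or its wildcard parent (f2b/*)
#   shadowed - an inbound `pass quick` rule precedes the anchor rule (heuristic:
#              it does not check whether that rule matches the same traffic)
#   ok       - the anchor rule is reached before any inbound `pass quick` rule
pf_anchor_position() {
  ruleset=$1
  anchor=$2
  parent=${anchor%%/*}                       # f2b/asterisk-udp -> f2b
  printf '%s\n' "$ruleset" | awk -v a="$anchor" -v p="$parent" '
    # remember the first inbound quick pass (pfctl prints "pass in quick" or "pass quick")
    /^pass (in )?quick/ && !seen_quick { seen_quick = NR }
    /^anchor "/ {
      name = $2
      gsub(/"/, "", name)                    # "f2b/*" -> f2b/*
      if (name == a || name == p "/*") {
        if (seen_quick) print "shadowed"; else print "ok"
        found = 1
        exit                                 # END block still runs
      }
    }
    END { if (!found) print "missing" }
  '
}

# Constructed sample rulesets in `pfctl -sr` layout (assumed, not from the thread).
RULESET_OK='block drop in all
pass out quick all flags S/SA keep state
anchor "f2b/*" all
pass in quick on lagg0 inet proto udp from any to any port = sip keep state'

RULESET_SHADOWED='block drop in all
pass in quick on lagg0 inet proto udp from any to any port = sip keep state
anchor "f2b/*" all'

RULESET_MISSING='block drop in all
pass in quick on lagg0 inet proto udp from any to any port = sip keep state'

# On the firewall itself the call would be:
#   pf_anchor_position "$(pfctl -sr)" f2b/asterisk-udp
echo "ok case:       $(pf_anchor_position "$RULESET_OK" f2b/asterisk-udp)"
echo "shadowed case: $(pf_anchor_position "$RULESET_SHADOWED" f2b/asterisk-udp)"
echo "missing case:  $(pf_anchor_position "$RULESET_MISSING" f2b/asterisk-udp)"
```

If the result is `missing`, the rules shown by `pfctl -a f2b/asterisk-udp -s rules` exist but are never consulted; if it is `shadowed`, compare the earlier quick pass against the SIP traffic it admits. Table contents inside the anchor can be confirmed separately with `pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -T show`.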