Getting tables to work in PF
Dave Horsfall
dave at horsfall.org
Mon Nov 3 10:41:16 UTC 2014
On Mon, 3 Nov 2014, Ermal Luçi wrote:
> - Full ruleset if you can disclose
As attached - no secrets in it. It's somewhat loose because it's behind
another firewall (the ADSL modem) that just lets SMTP/HTTP/SSH-secret-port
through to it (I've masked the SSH port).
> - Make sure with output of pfctl -s all that pf is actually enabled to
> do filtering on packets.
Attached; the empty "FILTER RULES" looks a bit suspicious...
> NOTE: You enable pf by running pfctl -e
I know; I was using "service pf restart" as well.
--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
-------------- next part --------------
# netman.cust.fsi.io
216.66.15.120
-------------- next part --------------
#
# Stripped down heavily from KD (OpenBSD).
# This box has no other interfaces, and is facing the net.
#
# In other words, there is no internal interface; this box is
# all that there is, hence is self-firewalled.
#
ext_if = "fxp0"
set block-policy drop
set skip on lo
set loginterface $ext_if # Per-interface packet/byte counters in "pfctl -s info".
                         # "egress" is an OpenBSD interface group; FreeBSD does
                         # not populate one automatically, hence $ext_if here.
#set ruleset-optimization basic
#
# "persist file" both creates the table and loads it from /etc/spammers
# every time the ruleset is loaded (pfctl -f /etc/pf.conf).  Between reloads:
#   pfctl -t spammers -T add x.x.x.x                 (add one entry)
#   pfctl -t spammers -T replace -f /etc/spammers    (resync from the file)
#   pfctl -t spammers -T show                        (see what is in it)
#
table <spammers> persist file "/etc/spammers"
#
# SMTP mostly, but could use for www, ssh, etc.
#
# Filled by the overload rule below.  Cleanse every so often with
#   pfctl -t woodpeckers -T expire <seconds>
# which drops entries last touched more than <seconds> ago.
#
table <woodpeckers> persist
scrub in # Unfrag packets
block all # But wait, there's more!
pass out quick all keep state
antispoof log quick for $ext_if inet
block in log quick on $ext_if from <spammers> to any
block in log quick on $ext_if from <woodpeckers>
# No more than 10/IP, or 5/minute should be plenty.
# This must match the destination port ("to any port smtp", not the source
# port) and be "quick", otherwise the generic smtp pass further down wins
# and the overload never triggers.
pass in quick on $ext_if inet proto tcp from any to any port smtp \
	flags S/SA keep state \
	(max-src-conn 10, max-src-conn-rate 5/60, \
	overload <woodpeckers> flush global)
# Problem packet prevention
block in log quick from no-route to any
block in log quick on $ext_if from any to 255.255.255.255
block in log quick from any to 0.0.0.0/32
block in log quick from { 224.0.0.0/4, 255.255.255.255/32 } to any
# What about 44/8?
# Testing
#block in quick log on $ext_if proto tcp port smtp from any to any
# Allowed services handled here
# DH - NNNN is where I park my SSHD
# NB: "sftp" here resolves via /etc/services to port 115 (Simple File
# Transfer Protocol), not SSH's sftp subsystem, which rides on the sshd port.
pass in quick on $ext_if proto tcp from any to any port \
	{ smtp, www, domain, NNNN, sftp } flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port { domain, ntp } keep state
pass in quick on $ext_if inet proto icmp from any to any icmp-type unreach
pass in quick on $ext_if inet proto igmp from any to any
-------------- next part --------------
FILTER RULES:

INFO:
Status: Enabled for 0 days 14:10:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          115778            2.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             115778            2.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            408            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s
LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
TABLES:
spammers
woodpeckers
OS FINGERPRINTS:
696 fingerprints loaded
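The "empty FILTER RULES" and the counters above (115778 searches, 0 inserts, 0 current entries) are the kind of thing worth reading mechanically. Below is an added example, not part of this thread and not pf's own code: a small Python script that parses saved `pfctl -s info` and `pfctl -s rules` output and a table file, and reports whether the ruleset is actually loaded and doing anything. The sample texts are constructed from the output posted above (spacing approximated; the rules sample and the extra table entries are invented for illustration), and the table-file parser assumes one address or CIDR per line with full-line `#` comments and an optional leading `!` for a negated entry. It never talks to the kernel.

```python
"""Offline sanity checks for a pf box: parse `pfctl -s info`, `pfctl -s rules`
and a table file, and say whether the ruleset is really doing anything.

Added example for this thread; not pf's own code and not the poster's.
It never touches the kernel: feed it saved command output.
"""
import ipaddress
import re

# Constructed sample: the INFO section of `pfctl -s all` from the thread
# (column spacing approximated).
SAMPLE_INFO = """\
Status: Enabled for 0 days 14:10:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          115778            2.3/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             115778            2.3/s
  bad-offset                             0            0.0/s
  ip-option                            408            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
"""

# Constructed sample: what `pfctl -s rules` prints once a ruleset has loaded.
SAMPLE_RULES = """\
block drop all
pass out quick all flags S/SA keep state
block drop in log quick on fxp0 from <spammers> to any
pass in quick on fxp0 proto tcp from any to any port = smtp flags S/SA keep state
"""

# Constructed sample table file: one address or CIDR per line, full-line
# '#' comments, optional leading '!' for a negated entry.
SAMPLE_TABLE_FILE = """\
# netman.cust.fsi.io
216.66.15.120
# constructed: a whole block, with one host exempted
192.0.2.0/24
!192.0.2.7

"""

# Counter lines look like "  searches   115778   2.3/s" (rate is optional).
_COUNTER_RE = re.compile(
    r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")


def parse_info(text):
    """Parse `pfctl -s info` into {'enabled': bool, 'counters': {name: int}}."""
    enabled = None
    counters = {}
    for line in text.splitlines():
        if line.startswith("Status:"):
            enabled = line.split()[1] == "Enabled"
            continue
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    if enabled is None:
        raise ValueError("no 'Status:' line; is this pfctl -s info output?")
    return {"enabled": enabled, "counters": counters}


def count_rules(text):
    """Count filter rules in `pfctl -s rules` output (headers and blanks ignored)."""
    return sum(1 for line in text.splitlines()
               if re.match(r"(pass|block|match|scrub|anchor)\b", line))


def load_table_file(text):
    """Parse a table file the way `table <t> persist file "..."` expects it.

    Returns [(negated, ip_network)] or raises ValueError naming the bad line,
    which is what you want to know before `pfctl -f` rejects the whole ruleset.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        addr = line[1:].strip() if negated else line
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError as err:
            raise ValueError(f"line {lineno}: {raw!r}: {err}") from None
        entries.append((negated, net))
    return entries


def diagnose(info_text, rules_text):
    """Return a list of findings; an empty list means pf looks alive."""
    info = parse_info(info_text)
    c = info["counters"]
    findings = []
    if not info["enabled"]:
        findings.append("pf is disabled: pfctl -e")
    if count_rules(rules_text) == 0:
        findings.append("no filter rules loaded; an empty ruleset passes "
                        "everything: pfctl -nf /etc/pf.conf, then pfctl -f /etc/pf.conf")
    # Packets were evaluated, but no state was ever inserted: no
    # "pass ... keep state" rule has matched a single packet.
    if (c.get("searches", 0) > 0 and c.get("inserts", 0) == 0
            and c.get("current entries", 0) == 0):
        findings.append("packets are evaluated but no state was ever created: "
                        "no 'pass ... keep state' rule is matching")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_INFO, "FILTER RULES:\n") or ["pf looks alive"]:
        print("-", finding)
    for negated, net in load_table_file(SAMPLE_TABLE_FILE):
        print("table entry:", ("!" if negated else "") + str(net))
```

On the live box, save `pfctl -s info` and `pfctl -s rules` to files and pass their contents to `diagnose()`; run `load_table_file()` over `/etc/spammers` before reloading. When FILTER RULES comes out empty, `pfctl -nf /etc/pf.conf` (parse only, load nothing) is still the first command to run, because a ruleset that fails to parse leaves pf enabled with no rules at all.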