/etc/periodic/security/520.pfdenied (fwd)
Dave Horsfall
dave at horsfall.org
Thu Nov 27 19:27:33 UTC 2014
Any nibbles on this? I'd offer to fix it as I said, but only if I knew
just what it was supposed to be doing in the first place.
Seems that it could also use an option in /etc/rc.conf to reset the stats
after printing them, otherwise they'll just keep accumulating; on the
whole, it looks very much like a work in progress.
On the same (related) subject, I'm using <spammers> (manually added), and
<woodpeckers> (automatically added). I would very much like to expire
these, say 24 hours after they were last added and/or triggered, but there
seems to be no direct way of doing this. The closest that I can find
would be the description under "-T expire":
Delete addresses which had their statistics cleared more than
/number/ seconds ago. For entries which have never had their
statistics cleared, /number/ refers to the time they were added to the
table.
Judicious use of "-v" would appear to be indicated here, along with the
aforementioned optional clearing.
--
Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
---------- Forwarded message ----------
Date: Sat, 15 Nov 2014 06:31:46 +1100 (EST)
From: Dave Horsfall <dave at horsfall.org>
To: FreeBSD PF List <freebsd-pf at freebsd.org>
Subject: /etc/periodic/security/520.pfdenied
Not quite sure if this belongs here or elsewhere; it is PF-related, after
all, so please refer me somewhere else if necessary.
What is the actual intent of this script? It seems to be showing every
rule that *could* have triggered, regardless of whether it *did* trigger.
I'm happy to submit a patch if necessary, but I'll need to know what the
script is supposed to be doing.
(Yes, it's a basic firewall, but it's protected by a more vicious one
upstream; PF merely fine-tunes what gets through to the exposed server.)
-----
aneurin.horsfall.org pf denied packets:
+++ /tmp/security.8uFzJ1HL 2014-11-15 03:09:11.000000000 +1100
+block drop all [ Evaluations: 27332 Packets: 10696 Bytes: 471264 States: 0 ]
+block drop in log quick on fxp0 from <spammers> to any [ Evaluations: 22598 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick on fxp0 from <woodpeckers> to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick on ! fxp0 inet from 10.0.0.0/8 to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 10.0.0.3 to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick from no-route to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 255.255.255.255 [ Evaluations: 22583 Packets: 7 Bytes: 2296 States: 0 ]
+block drop in log quick inet from any to 0.0.0.0 [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 224.0.0.0/4 to any [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 255.255.255.255 to any [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 224.0.0.1 [ Evaluations: 22576 Packets: 11246 Bytes: 489992 States: 0 ]
-----
Thanks.
--
Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
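The report quoted above lists every block rule with its counters, including rules whose Packets field is 0. The following is an added example, not the 520.pfdenied script or any other FreeBSD code: a small POSIX sh/awk filter that keeps only the block rules that actually dropped packets, run here against a constructed sample copied from the report in the post. The joined one-line-per-rule layout and the pfctl invocation in the comment are assumptions about how such a report is produced.

```shell
#!/bin/sh
# Added example (not the periodic script itself): report only the block rules
# whose packet counter is non-zero, i.e. rules that did drop traffic, rather
# than every rule that could have matched.
#
# Input format (assumed): one rule per line, followed by its counters in the
# form "[ Evaluations: N Packets: N Bytes: N States: N ]", as shown in the
# 520.pfdenied output quoted in the post.

# Constructed sample, copied from the report in the post with the leading '+' removed.
SAMPLE_REPORT='block drop all [ Evaluations: 27332 Packets: 10696 Bytes: 471264 States: 0 ]
block drop in log quick on fxp0 from <spammers> to any [ Evaluations: 22598 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on fxp0 inet from any to 255.255.255.255 [ Evaluations: 22583 Packets: 7 Bytes: 2296 States: 0 ]
block drop in log quick inet from any to 0.0.0.0 [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on fxp0 inet from any to 224.0.0.1 [ Evaluations: 22576 Packets: 11246 Bytes: 489992 States: 0 ]'

# pf_triggered_rules: read joined rule lines on stdin, print those with Packets > 0.
pf_triggered_rules() {
    awk '
        /^block/ {
            pkts = 0
            # Locate the "Packets:" label and take the number that follows it.
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") { pkts = $(i + 1) + 0; break }
            if (pkts > 0) print
        }'
}

# pf_triggered_count: number of block rules that dropped at least one packet.
pf_triggered_count() {
    pf_triggered_rules | grep -c .
}

# Live use on a pf host (assumed pipeline, shown as a comment so this file runs
# offline): join each rule with its counter line, then filter.
#   pfctl -v -sr 2>/dev/null \
#       | awk '/^block/ { r = $0; getline; gsub(" +", " "); print r $0 }' \
#       | pf_triggered_rules

printf '%s\n' "$SAMPLE_REPORT" | pf_triggered_rules
```

On the sample this prints three rules (the catch-all, the 255.255.255.255 rule and the 224.0.0.1 rule) and drops the two with zero packets. For the table-expiry question in the post, `pfctl -t woodpeckers -T expire 86400` applies the "-T expire" semantics quoted above with a 24-hour threshold (86400 seconds); adding -v makes pfctl report the entries it removed, which is the "judicious use of -v" the post refers to.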