On 2020-04-02 08:01, Larry Moore wrote: > I suspect you have a good understanding of pf.
Pretty good I think. As with everything I am always willing to learn more. > Have you included in your script running 'pfctl -k <ip_address>' to kill > any states that may exists after you update your <AUTOBLOCK> table? I haven't yet because I want to watch the effect of doing it. When I see the problem happening I run that manually and watch to see if it stops the attack in its tracks or if I still have to null-route it. Once I know that it is working I will add it to the script. > In pf, like IP Filter, the last matching rule wins. Subject to the "quick" keyword of course. > What can't be determined from the information provided is whether any > connections that have been established from networks you have listed in > the table <FRIENDS>, also appear in the <AUTOBLOCK> table. Absolutely positive. FRIENDS is a static table with exactly eight entries. It is mainly for protection against our office and a few special hosts such as our VoIP provider being locked out. I can guarantee that the IP that I showed in the OP was not a friend. > Removing the 'quick' parameter from the rule for <FRIENDS> will allow > packets to fall through to the next rules. Alternatively, moving the > 'pass' rule to below your 'block' rules will allow any connections > originating from networks listed in your <FRIENDS> table and also exists > in the <AUTOBLOCK> table, will be blocked. It's a safety thing. Even if someone in the office makes a mistake I don't want them blocked. Same for other friends. I haven't seen the issue today. One thing that I did was to move the anti spoof line further up. I thought that anti-spoof would block wherever it was. Could the location be important? -- D'Arcy J.M. Cain Vybe Networks Inc. A unit of Excelsior Solutions Corporation - Propelling Business Forward http://www.VybeNetworks.com/ IM:da...@vybenetworks.com VoIP: sip:da...@vybenetworks.com -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users