I have a few geoip-oriented tables with which I want to block certain traffic.

I'm able to match the addresses via pfctl, though the connections from these IP spaces are still getting through, and I'm puzzled.

I rdr inbound connections to an RFC addressed server. All mail and web are working fine, but these tables are not blocking. I confirm this by watching the logs for rejected messages (I augment the filter with an MTA access list).

Disclaimer: I'm a PF newbie, converting from another firewall system (ipfw2).

As far as I can tell, the order of operations is correct. From my reading, I understand that using the keyword "quick" on these rules should match and block immediately without any further processing. I have, however, tried the same rules sans "quick", with the same problem.

For the sake of completeness, I'm posting my whole new pf.conf below, since quoting only the specific section might omit something else that I've overlooked.

Any constructive pointers would be appreciated.


Thanks.


_F


============================
BEGIN pf.conf
============================

ext_if = "fxp0"
int_if = "em0"
server = "192.168.1.2/32"
ext_ad = "24.62.xx.xx/32"
prv_net = "192.168.1.0/24"


tcp_services = "imap, imaps, smtp, smtps"


set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal


set timeout tcp.first 20
# This is for VoIP (to be done - altq/cbq)
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }


# TABLES
table <spammers> persist file "/etc/pf.d/spammers"

table <abuse> persist file "/etc/pf.d/abuse"

table <geoip-apnic> persist { \
        58.0.0.0/8, \
        61.0.0.0/8, \
        124.0.0.0/8, \
        126.0.0.0/8, \
        168.208.0.0/16, \
        196.192.0.0/16, \
        202.0.0.0/8, \
        210.0.0.0/8, \
        218.0.0.0/8, \
        220.0.0.0/8, \
        222.0.0.0/8 \
}

table <geoip-ripe> persist { \
        80.0.0.0/8, \
        81.0.0.0/8, \
        82.0.0.0/8, \
        83.0.0.0/8, \
        84.0.0.0/8, \
        85.0.0.0/8, \
        86.0.0.0/8, \
        87.0.0.0/8, \
        88.0.0.0/8, \
        89.0.0.0/8, \
        90.0.0.0/8, \
        91.0.0.0/8, \
        193.0.0.0/8, \
        194.0.0.0/8, \
        195.0.0.0/8, \
        212.0.0.0/8, \
        213.0.0.0/8, \
        217.0.0.0/8 \
}

table <geoip-afrinic> persist { \
        41.0.0.0/8 \
}

table <geoip-lacnic> persist { \
        189.0.0.0/8, \
        190.0.0.0/8, \
        200.0.0.0/8, \
        201.0.0.0/8 \
}


scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id


# REDIRECTION
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
        port { $tcp_services } -> $server

rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
        port { 80, 443 } -> $server


# NAT
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)


antispoof quick for $ext_if


set skip on lo0
block in on $ext_if all
block out on $ext_if all


# HERE ARE THE TABLE/BLOCK RULES I MENTIONED
block in quick on $ext_if proto { tcp, udp } \
        from { <geoip-apnic>, <geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
        to $ext_ad port 25

block in quick on $ext_if from <abuse>

block in quick on $ext_if proto { tcp, udp } from <spammers> to $ext_ad port 25


# LAN
pass quick on $int_if inet all keep state


# INBOUND
pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
        modulate state

pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)


# OUTBOUND
pass out quick on $ext_if inet proto tcp all \
        keep state

pass out quick on $ext_if inet proto udp all keep state

pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

============================
END pf.conf
============================
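Editor's note, with an added example that is not part of the poster's config. Two things in the ruleset above explain the symptom. First, with the separate rdr/nat syntax used here, pf.conf(5) says that when the `pass` modifier is given on a translation rule, matching packets are passed without inspecting the filter rules at all, so `rdr pass` on port 25 means the block rules are never consulted for redirected SMTP. Second, filter rules are evaluated after translation: by the time a block rule sees a redirected SMTP packet its destination is $server port 25, not $ext_ad port 25, so `to $ext_ad port 25` cannot match. The fragment below rewrites just the affected sections; the macros, tables, scrub and outbound rules are assumed to be as posted, `set skip` is moved up among the other `set` options where the require-order rule ordering expects it, and UDP is dropped from the SMTP matches because the rdr rules only translate TCP and the default block covers everything else.

```pf
# OPTIONS (set skip belongs here, with the other set statements)
set skip on lo0

# REDIRECTION: no "pass", so the filter rules still run on the translated packet
rdr on $ext_if inet proto tcp from any to ($ext_if) \
        port { $tcp_services } -> $server

rdr on $ext_if inet proto tcp from any to ($ext_if) \
        port { 80, 443 } -> $server

# NAT (unchanged)
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)

antispoof quick for $ext_if

# DEFAULT DENY
block in on $ext_if all
block out on $ext_if all

# TABLE BLOCKS: filter rules see the post-rdr destination, i.e. $server
block in log quick on $ext_if inet proto tcp \
        from { <geoip-apnic>, <geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
        to $server port smtp

block in log quick on $ext_if from <abuse>

block in log quick on $ext_if inet proto tcp from <spammers> to $server port smtp

# LAN (unchanged)
pass quick on $int_if inet all keep state

# INBOUND: the redirected services now need an explicit pass, including 80/443,
# because rdr no longer passes them on its own
pass in on $ext_if inet proto tcp from any to $server \
        port { $tcp_services, 80, 443 } modulate state

pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
```

To confirm the change does what is intended: `pfctl -nf /etc/pf.conf` parses the file without loading it (and will object to rule-ordering problems such as a `set` after filter rules); `pfctl -t geoip-apnic -T test 202.0.0.1` reports whether an address falls inside a table; `pfctl -vvsr` prints each rule with its evaluation and match counters, so a block rule whose counters stay at zero while mail arrives is not being reached; and with `log` on the block rules, `tcpdump -n -e -ttt -i pflog0` shows each drop together with the rule number that caused it.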


