Re: How to add rule with pfctl...
Well I think that you mean to add this:

ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh

or even:

ext_if=rl0
external_addr=192.168.1.11
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh

Think of macros as variables. As long as you don't define them they don't exist (are empty).

Agus wrote:
> 2007/9/15, Mel [EMAIL PROTECTED]:
>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>>
>> If you don't need to add a rule but an IP, then tables are your friend.
>> Example for /etc/pf.conf:
>>
>> # Placeholder for spammers table, non-routable network IP.
>> table <spammers> persist { 192.168.111.111 }
>> # Block this traffic
>> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>
>> Then on the command line:
>> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>> And to delete:
>> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>
>> --
>> Mel
>
> Hi, I put this on /etc/pf.conf:
>
> external_addr=192.168.1.11
>
> which is the address of the only interface. This machine isn't a router.
>
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>
> but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: How to add rule with pfctl...
2007/9/18, Erik Osterholm [EMAIL PROTECTED]:
> On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
>> Agus wrote:
>>> 2007/9/15, Mel [EMAIL PROTECTED]:
>>>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>>>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>>>>
>>>> If you don't need to add a rule but an IP, then tables are your friend.
>>>> Example for /etc/pf.conf:
>>>>
>>>> # Placeholder for spammers table, non-routable network IP.
>>>> table <spammers> persist { 192.168.111.111 }
>>>> # Block this traffic
>>>> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>>>
>>>> Then on the command line:
>>>> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>>>> And to delete:
>>>> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>>>
>>>> --
>>>> Mel
>>>
>>> Hi, I put this on /etc/pf.conf:
>>>
>>> external_addr=192.168.1.11
>>>
>>> which is the address of the only interface. This machine isn't a router.
>>>
>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>>
>>> but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...
>>
>> 2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
>>> Well I think that you mean to add this:
>>>
>>> ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh
>>>
>>> or even:
>>>
>>> ext_if=rl0
>>> external_addr=192.168.1.11
>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>>
>>> Think of macros as variables. As long as you don't define them they don't exist (are empty).
>>
>> I know Theodore, I've done it exactly like u put it... first declare macros and then the rule, but I couldn't block access to the machine... this rule is supposed to block all access to port 22 on the machine coming from 192.168.0.1, but I can access from there... I checked pfctl -e, pfctl -sa and everything seems to be loaded... Thanks...
>
> Are you sure that you're trying to block only from a specific host? The source address shouldn't change, even if you're doing nat. I would assume that you'd want an 'any' keyword there, rather than a specific IP address.
>
> Also, you can add hosts to the table automatically based on number of connections over a given period of time:
>
> block quick from <blackhole>
> pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
>
> The first rule blocks hosts from the blackhole table. The second adds hosts to the blackhole table and kills their state if they connect more than 5 times in 30 seconds. This is obviously tunable -- 3/30 would be 3 connections in 30 seconds, and 8/60 would be 8 connections in 60 seconds.
>
> Erik

Thanks Erik, that was very helpful, especially the conn-rate...

First I already tried the table rule... but as I wasn't getting any results I figured I'd try first only with a simple rule to see if it works and to make the question less ambiguous... that's why I posted this rule. I want to block from a specific host, which if I make this rule work will be a list of hosts in a table.. and instead of blocking them because of their conn-rate I will block them by a SEC rule reading from syslog. And I put that IP to block because it's my router's IP (192.168.0.1), and when I try to connect from my PC (192.168.0.2) to my server (192.168.1.11) I would want it to block me.. just for testing... but I can't do it... my router has NAT so that's why I am blocking its IP and not my PC...

Hope it's understandable. Thanks a lot...
Re: How to add rule with pfctl...
2007/9/18, Agus [EMAIL PROTECTED]:
> 2007/9/18, Erik Osterholm [EMAIL PROTECTED]:
>> On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
>>> Agus wrote:
>>>> 2007/9/15, Mel [EMAIL PROTECTED]:
>>>>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>>>>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>>>>>
>>>>> If you don't need to add a rule but an IP, then tables are your friend.
>>>>> Example for /etc/pf.conf:
>>>>>
>>>>> # Placeholder for spammers table, non-routable network IP.
>>>>> table <spammers> persist { 192.168.111.111 }
>>>>> # Block this traffic
>>>>> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>>>>
>>>>> Then on the command line:
>>>>> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>>>>> And to delete:
>>>>> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>>>>
>>>>> --
>>>>> Mel
>>>>
>>>> Hi, I put this on /etc/pf.conf:
>>>>
>>>> external_addr=192.168.1.11
>>>>
>>>> which is the address of the only interface. This machine isn't a router.
>>>>
>>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>>>
>>>> but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...
>>>
>>> 2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
>>>> Well I think that you mean to add this:
>>>>
>>>> ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
>>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh
>>>>
>>>> or even:
>>>>
>>>> ext_if=rl0
>>>> external_addr=192.168.1.11
>>>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>>>
>>>> Think of macros as variables. As long as you don't define them they don't exist (are empty).
>>>
>>> I know Theodore, I've done it exactly like u put it... first declare macros and then the rule, but I couldn't block access to the machine... this rule is supposed to block all access to port 22 on the machine coming from 192.168.0.1, but I can access from there... I checked pfctl -e, pfctl -sa and everything seems to be loaded... Thanks...
>>
>> Are you sure that you're trying to block only from a specific host? The source address shouldn't change, even if you're doing nat. I would assume that you'd want an 'any' keyword there, rather than a specific IP address.
>>
>> Also, you can add hosts to the table automatically based on number of connections over a given period of time:
>>
>> block quick from <blackhole>
>> pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
>>
>> The first rule blocks hosts from the blackhole table. The second adds hosts to the blackhole table and kills their state if they connect more than 5 times in 30 seconds. This is obviously tunable -- 3/30 would be 3 connections in 30 seconds, and 8/60 would be 8 connections in 60 seconds.
>>
>> Erik
>
> Thanks Erik, that was very helpful, especially the conn-rate...
>
> First I already tried the table rule... but as I wasn't getting any results I figured I'd try first only with a simple rule to see if it works and to make the question less ambiguous... that's why I posted this rule. I want to block from a specific host, which if I make this rule work will be a list of hosts in a table.. and instead of blocking them because of their conn-rate I will block them by a SEC rule reading from syslog. And I put that IP to block because it's my router's IP (192.168.0.1), and when I try to connect from my PC (192.168.0.2) to my server (192.168.1.11) I would want it to block me.. just for testing... but I can't do it... my router has NAT so that's why I am blocking its IP and not my PC...
>
> Hope it's understandable. Thanks a lot...

Guys thanks a lot and sorry... I solved it... it was my mistake... I had defined my interface with a typo... instead of i I had put y... I fixed it and now it works great... but I'd like to thank all of you guys and
Re: How to add rule with pfctl...
2007/9/15, Mel [EMAIL PROTECTED]:
> On Saturday 15 September 2007 23:18:17 Agus wrote:
>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>
> If you don't need to add a rule but an IP, then tables are your friend.
> Example for /etc/pf.conf:
>
> # Placeholder for spammers table, non-routable network IP.
> table <spammers> persist { 192.168.111.111 }
> # Block this traffic
> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>
> Then on the command line:
> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> And to delete:
> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>
> --
> Mel

Great... Thanks Mel, this was what I was looking for... although not for spammers but for ssh brute-force attacks detected by SEC. Very nice... See ya

PS: Question... Is there a log where I can look if pf is down, so I can check with SEC...? Thanks
Re: How to add rule with pfctl...
2007/9/15, Mel [EMAIL PROTECTED]:
> On Saturday 15 September 2007 23:18:17 Agus wrote:
>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>
> If you don't need to add a rule but an IP, then tables are your friend.
> Example for /etc/pf.conf:
>
> # Placeholder for spammers table, non-routable network IP.
> table <spammers> persist { 192.168.111.111 }
> # Block this traffic
> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>
> Then on the command line:
> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
> And to delete:
> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>
> --
> Mel

Hi, I put this on /etc/pf.conf:

external_addr=192.168.1.11

which is the address of the only interface. This machine isn't a router.

block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh

but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...
Re: How to add rule with pfctl...
Agus wrote:
> 2007/9/15, Mel [EMAIL PROTECTED]:
>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>>
>> If you don't need to add a rule but an IP, then tables are your friend.
>> Example for /etc/pf.conf:
>>
>> # Placeholder for spammers table, non-routable network IP.
>> table <spammers> persist { 192.168.111.111 }
>> # Block this traffic
>> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>
>> Then on the command line:
>> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>> And to delete:
>> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>
>> --
>> Mel
>
> Hi, I put this on /etc/pf.conf:
>
> external_addr=192.168.1.11
>
> which is the address of the only interface. This machine isn't a router.
>
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>
> but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...

2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
> Well I think that you mean to add this:
>
> ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh
>
> or even:
>
> ext_if=rl0
> external_addr=192.168.1.11
> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>
> Think of macros as variables. As long as you don't define them they don't exist (are empty).

I know Theodore, I've done it exactly like u put it... first declare macros and then the rule, but I couldn't block access to the machine... this rule is supposed to block all access to port 22 on the machine coming from 192.168.0.1, but I can access from there... I checked pfctl -e, pfctl -sa and everything seems to be loaded... Thanks...
Re: How to add rule with pfctl...
On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
> Agus wrote:
>> 2007/9/15, Mel [EMAIL PROTECTED]:
>>> On Saturday 15 September 2007 23:18:17 Agus wrote:
>>>> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.
>>>
>>> If you don't need to add a rule but an IP, then tables are your friend.
>>> Example for /etc/pf.conf:
>>>
>>> # Placeholder for spammers table, non-routable network IP.
>>> table <spammers> persist { 192.168.111.111 }
>>> # Block this traffic
>>> block return-rst in log on $ext_if proto tcp from <spammers> port smtp
>>>
>>> Then on the command line:
>>> /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
>>> And to delete:
>>> /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
>>>
>>> --
>>> Mel
>>
>> Hi, I put this on /etc/pf.conf:
>>
>> external_addr=192.168.1.11
>>
>> which is the address of the only interface. This machine isn't a router.
>>
>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>
>> but when I try to connect from 192.168.0.1 I connect with no problems... this rule is to block access.. What am I doing wrong.. it's my first time with pf... Thanks...
>
> 2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
>> Well I think that you mean to add this:
>>
>> ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh
>>
>> or even:
>>
>> ext_if=rl0
>> external_addr=192.168.1.11
>> block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh
>>
>> Think of macros as variables. As long as you don't define them they don't exist (are empty).
>
> I know Theodore, I've done it exactly like u put it... first declare macros and then the rule, but I couldn't block access to the machine... this rule is supposed to block all access to port 22 on the machine coming from 192.168.0.1, but I can access from there... I checked pfctl -e, pfctl -sa and everything seems to be loaded... Thanks...

Are you sure that you're trying to block only from a specific host? The source address shouldn't change, even if you're doing nat. I would assume that you'd want an 'any' keyword there, rather than a specific IP address.

Also, you can add hosts to the table automatically based on number of connections over a given period of time:

block quick from <blackhole>
pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)

The first rule blocks hosts from the blackhole table. The second adds hosts to the blackhole table and kills their state if they connect more than 5 times in 30 seconds. This is obviously tunable -- 3/30 would be 3 connections in 30 seconds, and 8/60 would be 8 connections in 60 seconds.

Erik
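Erik's two rules reference a table that his snippet never declares, and pf will not load a ruleset that refers to an undeclared table. The fragment below is an added example (not Erik's file, nor anything from the list) showing the complete shape of such a pf.conf; ext_if, myip and the table name <blackhole> are assumed values.

```pf
# /etc/pf.conf fragment (added example; ext_if, myip and <blackhole> are assumptions)
ext_if = "rl0"
myip   = "192.168.1.11"

# A table must be declared before any rule refers to it. 'persist' keeps it
# in the kernel even while no loaded rule references it, so manual
# 'pfctl -t blackhole -T add' / '-T delete' calls survive ruleset reloads.
table <blackhole> persist

# Evaluated first: anything already in the table is dropped, and 'quick'
# stops rule evaluation for that packet right here.
block drop in quick on $ext_if from <blackhole>

# New SSH connections pass, but a source that opens more than 5 of them in
# 30 seconds is added to <blackhole>; 'flush global' also kills every state
# that source already holds, not only the ones created by this rule.
pass in on $ext_if inet proto tcp from any to $myip port 22 \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and inspect what the overload mechanism has collected with pfctl -t blackhole -T show. One caveat that follows directly from the NAT situation described in this thread: every client behind a NAT router arrives with the router's address as its source, so a rate limit tripped by one of those clients puts the whole LAN into the table, and the same is true of a manual add.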
How to add rule with pfctl...
Hi list,

I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf. I've done it with iptables but I can't get it with pf. Hope u understand what I am trying to say...

Thanks and have a nice weekend...

Agustin
Re: How to add rule with pfctl...
On Saturday 15 September 2007 23:18:17 Agus wrote:
> I am trying to figure out how to add a firewall rule with pfctl... This is what I'm trying to do... I've got SEC that matches a certain pattern and takes the IP from that, and I want to trigger a firewall rule to block that IP. Then after a couple of hours SEC will trigger the command to un-block the IP... So what I need is the command to block an IP address from the command line, not touching any pf.conf.

If you don't need to add a rule but an IP, then tables are your friend.
Example for /etc/pf.conf:

# Placeholder for spammers table, non-routable network IP.
table <spammers> persist { 192.168.111.111 }
# Block this traffic
block return-rst in log on $ext_if proto tcp from <spammers> port smtp

Then on the command line:
/sbin/pfctl -t spammers -Tadd ip.from.new.spammer
And to delete:
/sbin/pfctl -t spammers -Tdel ip.from.old.spammer

--
Mel
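A small wrapper around the two pfctl table commands Mel gives, written as an added example for this thread (it is not code from the list, from Mel, or from SEC). Because SEC will be handing over a string it extracted from syslog, the script validates that the argument is a plain IPv4 address before it reaches pfctl, and it also exposes a status check built on the "Status:" line of pfctl -s info, which is one way to notice the condition Agus asks about elsewhere in this thread, pf being down while the watcher keeps adding entries. The table name spammers, the pfctl path and the PFBLOCK_DRYRUN switch are assumptions.

```shell
#!/bin/sh
# pfblock.sh: add or remove one address in a pf table from the command line,
# so a log watcher such as SEC can block and later unblock a host without
# editing pf.conf. Added example for this thread, not code from the thread.
# Assumes /etc/pf.conf already declares the table and a rule that uses it:
#   table <spammers> persist
#   block return-rst in log on $ext_if proto tcp from <spammers> port smtp
# The table name, pfctl path and the PFBLOCK_DRYRUN switch are assumptions.

TABLE="${PF_TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
# An address scraped from a log line is untrusted input; rejecting anything
# else keeps stray text (spaces, extra pfctl arguments) out of the command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_table add|delete ADDR: validate, then run (or, with PFBLOCK_DRYRUN set,
# only print) the pfctl table command. Returns 2 on bad input.
pf_table() {
    action=$1
    addr=$2
    case "$action" in
        add|delete) ;;
        *) echo "pf_table: action must be add or delete" >&2; return 2 ;;
    esac
    if ! valid_ipv4 "$addr"; then
        echo "pf_table: not an IPv4 address: '$addr'" >&2
        return 2
    fi
    if [ -n "${PFBLOCK_DRYRUN:-}" ]; then
        printf '%s -t %s -T %s %s\n' "$PFCTL" "$TABLE" "$action" "$addr"
    else
        "$PFCTL" -t "$TABLE" -T "$action" "$addr"
    fi
}

# pf_enabled: read 'pfctl -s info' output on stdin and succeed only if its
# status line reports pf as enabled. A watcher that blocks hosts through pf
# should alarm when this fails: a disabled pf silently blocks nothing.
pf_enabled() {
    grep -q '^Status: Enabled'
}

# Command-line entry point; the functions above stay usable when sourced.
pfblock_main() {
    case "$1" in
        add|delete) pf_table "$1" "$2" ;;
        list)       "$PFCTL" -t "$TABLE" -T show ;;
        status)
            if "$PFCTL" -s info | pf_enabled; then
                echo "pf is enabled"
            else
                echo "pf is NOT enabled" >&2
                return 1
            fi ;;
        *) echo "usage: $0 add|delete ADDR | list | status" >&2; return 64 ;;
    esac
}

if [ $# -gt 0 ]; then
    pfblock_main "$@"
fi
```

SEC's action for a matched brute-force pattern would run pfblock.sh add with the extracted address, and a delayed action a couple of hours later would run pfblock.sh delete with the same address; pfblock.sh status can be polled on a timer. An alternative to scheduling the delete is a periodic pfctl -t spammers -T expire 7200, which removes entries older than the given number of seconds (measured from when the entry was added, or from when its statistics were last cleared).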