Re: How to add rule with pfctl...

2007-09-20 Thread Goltsios Theodore


Well I think that you mean to add this:

ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if port ssh


or even:
ext_if=rl0
external_addr=192.168.1.11
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $external_addr port ssh


Think of macros as variables. As long as you don't define them they
don't exist (are empty).



Agus wrote:

2007/9/15, Mel [EMAIL PROTECTED]:
  

On Saturday 15 September 2007 23:18:17 Agus wrote:

I am trying to figure out how to add a firewall rule with pfctl...
This is what i'm trying to do...

I've got SEC that matches certain pattern and takes the IP from that and
want to trigger a firewall rule to block that IP
Then after a couple of hours SEC will trigger the command to un-block the
IP...
So what i need is the command to block an IP address from command line, not
touching any pf.conf

If you don't need to add a rule but an IP, then tables are your friend.
Example for /etc/pf.conf:
# Placeholder for spammers table, non-routable network IP.
table <spammers> persist { 192.168.111.111 }
# Block this traffic
block return-rst in log on $ext_if proto tcp from <spammers> port smtp

Then on the command line:
/sbin/pfctl -t spammers -Tadd ip.from.new.spammer
And to delete:
/sbin/pfctl -t spammers -Tdel ip.from.old.spammer

--
Mel
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
[EMAIL PROTECTED]





Hi,
I put this on /etc/pf.conf
external_addr=192.168.1.11 which is the address of the only interface.
This machine isn't a router.

block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
$external_addr port ssh

but when i try to connect from 192.168.0.1 i connect with no problems...this
rule is to block access..
What am i doing wrong..is my first time with pf...

Thanks...
  



Re: How to add rule with pfctl...

2007-09-18 Thread Agus
2007/9/18, Erik Osterholm [EMAIL PROTECTED]:

 On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
  Agus wrote:
  
   2007/9/15, Mel [EMAIL PROTECTED] 
 [EMAIL PROTECTED]:
  
On Saturday 15 September 2007 23:18:17 Agus wrote:
  
   I am trying to figure out how to add a firewall rule with pfctl...
   This is what i'm trying to do...
  
   I've got SEC that matches certain pattern and takes the IP from that and
   want to trigger a firewall rule to block that IP
   Then after a couple of hours SEC will trigger the command to un-block the
   IP...
   So what i need is the command to block an IP address from command line, not
   touching any pf.conf
  
   If you don't need to add a rule but an IP, then tables are your friend.
   Example for /etc/pf.conf:
   # Placeholder for spammers table, non-routable network IP.
   table <spammers> persist { 192.168.111.111 }
   # Block this traffic
   block return-rst in log on $ext_if proto tcp from <spammers> port smtp
  
   Then on the command line:
   /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
   And to delete:
   /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
  
   --
   Mel
  
   Hi,
   I put this on /etc/pf.conf
   external_addr=192.168.1.11 which is the address of the only interface.
   This machine isn't a router.
  
   block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
   $external_addr port ssh
  
   but when i try to connect from 192.168.0.1 i connect with no problems...this
   rule is to block access..
   What am i doing wrong..is my first time with pf...
  
   Thanks...
  
2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
  Well I think that you mean to add this:
 
  ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
  block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
  port ssh
 
  or even:
  ext_if=rl0
  external_addr=192.168.1.11
  block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
  $external_addr port ssh
 
  Think of macros as variables. As long as you don't define them they don't
  exist (are empty).
 
 
 
  I know Theodore, i've done it exactly like u put it... first declare macros
  and then the rule
  but i couldn't block access to the machine... this rule is supposed to block
  all access to port 22 on the machine coming from 192.168.0.1... but I can
  access from there...
 
  i checked pfctl -e
  pfctl -sa
 
  and everything seems to be loaded...
 
  Thanks...

 Are you sure that you're trying to block only from a specific host?
 The source address shouldn't change, even if you're doing nat.  I
 would assume that you'd want an 'any' keyword there, rather than a
 specific IP address.

 Also, you can add hosts to the table automatically based on number of
 connections over a given period of time:

 block quick from <blackhole>
 pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)

 The first rule blocks hosts from the blackhole table.  The second adds
 hosts to the blackhole table and kills their state if they connect
 more than 5 times in 30 seconds.  This is obviously tunable-- 3/30
 would be 3 connections in 30 seconds, and 8/60 would be 8 connections
 in 60 seconds.

 Erik



Thanks Erik, that was very helpful, especially the conn-rate...

First i already tried the table rule...but as i wasn't getting any results i
figured i'd try first only with a simple rule to see if it works and to make
the question less ambiguous... that's why i posted this rule. i want to
block from a specific host, which, if i make this rule work, will be a list
of hosts in a table..and instead of blocking them because of their conn-rate
i will block them by a SEC rule reading from syslog

and i put that ip to block cause it's my router's ip (192.168.0.1) and when i
try to connect from my PC (192.168.0.2) to my server (192.168.1.11) i would
want it to block me..just for testing... but i can't do it... my router has
NAT so that's why i am blocking its IP and not my PC...

Hope it makes sense

Thanks a lot...


Re: How to add rule with pfctl...

2007-09-18 Thread Agus
2007/9/18, Agus [EMAIL PROTECTED]:

 2007/9/18, Erik Osterholm [EMAIL PROTECTED]:
 
  On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
   Agus wrote:
   
2007/9/15, Mel [EMAIL PROTECTED] [EMAIL PROTECTED]
  :
   
 On Saturday 15 September 2007 23:18:17 Agus wrote:
   
I am trying to figure out how to add a firewall rule with pfctl...
This is what i'm trying to do...

I've got SEC that matches certain pattern and takes the IP from that and
want to trigger a firewall rule to block that IP
Then after a couple of hours SEC will trigger the command to un-block the
IP...
So what i need is the command to block an IP address from command line, not
touching any pf.conf
   
If you don't need to add a rule but an IP, then tables are your friend.
Example for /etc/pf.conf:
# Placeholder for spammers table, non-routable network IP.
table <spammers> persist { 192.168.111.111 }
# Block this traffic
block return-rst in log on $ext_if proto tcp from <spammers> port smtp

Then on the command line:
/sbin/pfctl -t spammers -Tadd ip.from.new.spammer
And to delete:
/sbin/pfctl -t spammers -Tdel ip.from.old.spammer
   
--
Mel
   
Hi,
I put this on /etc/pf.conf
external_addr=192.168.1.11 which is the address of the only interface.
This machine isn't a router.

block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
$external_addr port ssh

but when i try to connect from 192.168.0.1 i connect with no problems...this
rule is to block access..
What am i doing wrong..is my first time with pf...

Thanks...
  
   
 2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
   Well I think that you mean to add this:
  
   ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
   block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
   port ssh
  
   or even:
   ext_if=rl0
   external_addr=192.168.1.11
   block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
   $external_addr port ssh
  
   Think of macros as variables. As long as you don't define them they don't
   exist (are empty).
  
  
  
   I know Theodore, i've done it exactly like u put it... first declare macros
   and then the rule
   but i couldn't block access to the machine... this rule is supposed to block
   all access to port 22 on the machine coming from 192.168.0.1... but I can
   access from there...
  
   i checked pfctl -e
   pfctl -sa
  
   and everything seems to be loaded...
  
   Thanks...
 
  Are you sure that you're trying to block only from a specific host?
  The source address shouldn't change, even if you're doing nat.  I
  would assume that you'd want an 'any' keyword there, rather than a
  specific IP address.
 
  Also, you can add hosts to the table automatically based on number of
  connections over a given period of time:
 
  block quick from <blackhole>
  pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)
 
  The first rule blocks hosts from the blackhole table.  The second adds
  hosts to the blackhole table and kills their state if they connect
  more than 5 times in 30 seconds.  This is obviously tunable-- 3/30
  would be 3 connections in 30 seconds, and 8/60 would be 8 connections
  in 60 seconds.
 
  Erik
 


 Thanks Erik, that was very helpful, especially the conn-rate...

 First i already tried the table rule...but as i wasn't getting any results
 i figured i'd try first only with a simple rule to see if it works and to
 make the question less ambiguous... that's why i posted this rule. i want
 to block from a specific host, which, if i make this rule work, will be a
 list of hosts in a table..and instead of blocking them because of their
 conn-rate i will block them by a SEC rule reading from syslog

 and i put that ip to block cause it's my router's ip (192.168.0.1) and when
 i try to connect from my PC (192.168.0.2) to my server (192.168.1.11) i
 would want it to block me..just for testing... but i can't do it... my
 router has NAT so that's why i am blocking its IP and not my PC...

 Hope it makes sense

 Thanks a lot...


Guys thanks a lot and sorry...i solved it...it was my mistake... i had
defined my interface with a typo...instead of i I had put y... i fixed it and
now it works great...but i'd like to thank all of you guys and 

Re: How to add rule with pfctl...

2007-09-17 Thread Agus
2007/9/15, Mel [EMAIL PROTECTED]:

 On Saturday 15 September 2007 23:18:17 Agus wrote:

  I am trying to figure out how to add a firewall rule with pfctl...
  This is what i'm trying to do...
 
  I've got SEC that matches certain pattern and takes the IP from that and
  want to trigger a firewall rule to block that IP
  Then after a couple of hours SEC will trigger the command to un-block the
  IP...
  So what i need is the command to block an IP address from command line, not
  touching any pf.conf

 If you don't need to add a rule but an IP, then tables are your friend.
 Example for /etc/pf.conf:
 # Placeholder for spammers table, non-routable network IP.
 table <spammers> persist { 192.168.111.111 }
 # Block this traffic
 block return-rst in log on $ext_if proto tcp from <spammers> port smtp

 Then on the command line:
 /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
 And to delete:
 /sbin/pfctl -t spammers -Tdel ip.from.old.spammer

 --
 Mel



Great...Thanks Mel, this was what i was looking for...although not for spammers
but for ssh brute-force attacks detected by SEC

Very nice...
See ya

PS: Question...Is there a log where i can look if pf is down, so i can check
with SEC...?

thanks


Re: How to add rule with pfctl...

2007-09-17 Thread Agus
2007/9/15, Mel [EMAIL PROTECTED]:

 On Saturday 15 September 2007 23:18:17 Agus wrote:

  I am trying to figure out how to add a firewall rule with pfctl...
  This is what i'm trying to do...
 
  I've got SEC that matches certain pattern and takes the IP from that and
  want to trigger a firewall rule to block that IP
  Then after a couple of hours SEC will trigger the command to un-block the
  IP...
  So what i need is the command to block an IP address from command line, not
  touching any pf.conf

 If you don't need to add a rule but an IP, then tables are your friend.
 Example for /etc/pf.conf:
 # Placeholder for spammers table, non-routable network IP.
 table <spammers> persist { 192.168.111.111 }
 # Block this traffic
 block return-rst in log on $ext_if proto tcp from <spammers> port smtp

 Then on the command line:
 /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
 And to delete:
 /sbin/pfctl -t spammers -Tdel ip.from.old.spammer

 --
 Mel



Hi,
I put this on /etc/pf.conf
external_addr=192.168.1.11 which is the address of the only interface.
This machine isn't a router.

block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
$external_addr port ssh

but when i try to connect from 192.168.0.1 i connect with no problems...this
rule is to block access..
What am i doing wrong..is my first time with pf...

Thanks...


Re: How to add rule with pfctl...

2007-09-17 Thread Agus
Agus wrote:

 2007/9/15, Mel [EMAIL PROTECTED] [EMAIL PROTECTED]:

  On Saturday 15 September 2007 23:18:17 Agus wrote:

  I am trying to figure out how to add a firewall rule with pfctl...
  This is what i'm trying to do...

  I've got SEC that matches certain pattern and takes the IP from that and
  want to trigger a firewall rule to block that IP
  Then after a couple of hours SEC will trigger the command to un-block the
  IP...
  So what i need is the command to block an IP address from command line, not
  touching any pf.conf

 If you don't need to add a rule but an IP, then tables are your friend.
 Example for /etc/pf.conf:
 # Placeholder for spammers table, non-routable network IP.
 table <spammers> persist { 192.168.111.111 }
 # Block this traffic
 block return-rst in log on $ext_if proto tcp from <spammers> port smtp

 Then on the command line:
 /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
 And to delete:
 /sbin/pfctl -t spammers -Tdel ip.from.old.spammer

 --
 Mel

  Hi,
 I put this on /etc/pf.conf
 external_addr=192.168.1.11 which is the address of the only interface.
 This machine isn't a router.

 block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
 $external_addr port ssh

 but when i try to connect from 192.168.0.1 i connect with no problems...this
 rule is to block access..
 What am i doing wrong..is my first time with pf...

 Thanks...

  2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
Well I think that you mean to add this:

ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
port ssh

or even:
ext_if=rl0
external_addr=192.168.1.11
block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
$external_addr port ssh

Think of macros as variables. As long as you don't define them they don't
exist (are empty).



I know Theodore, i've done it exactly like u put it... first declare macros
and then the rule
but i couldn't block access to the machine... this rule is supposed to block
all access to port 22 on the machine coming from 192.168.0.1... but I can
access from there...

i checked pfctl -e
pfctl -sa

and everything seems to be loaded...

Thanks...


Re: How to add rule with pfctl...

2007-09-17 Thread Erik Osterholm
On Mon, Sep 17, 2007 at 11:30:03PM -0300, Agus wrote:
 Agus wrote:
 
  2007/9/15, Mel [EMAIL PROTECTED] [EMAIL PROTECTED]:
 
   On Saturday 15 September 2007 23:18:17 Agus wrote:
 
  I am trying to figure out how to add a firewall rule with pfctl...
  This is what i'm trying to do...
 
  I've got SEC that matches certain pattern and takes the IP from that and
  want to trigger a firewall rule to block that IP
  Then after a couple of hours SEC will trigger the command to un-block the
  IP...
  So what i need is the command to block an IP address from command line, not
  touching any pf.conf
 
  If you don't need to add a rule but an IP, then tables are your friend.
  Example for /etc/pf.conf:
  # Placeholder for spammers table, non-routable network IP.
  table <spammers> persist { 192.168.111.111 }
  # Block this traffic
  block return-rst in log on $ext_if proto tcp from <spammers> port smtp
 
  Then on the command line:
  /sbin/pfctl -t spammers -Tadd ip.from.new.spammer
  And to delete:
  /sbin/pfctl -t spammers -Tdel ip.from.old.spammer
 
  --
  Mel
 
   Hi,
  I put this on /etc/pf.conf
  external_addr=192.168.1.11 which is the address of the only interface.
  This machine isn't a router.
 
  block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
  $external_addr port ssh
 
  but when i try to connect from 192.168.0.1 i connect with no problems...this
  rule is to block access..
  What am i doing wrong..is my first time with pf...
 
  Thanks...
 
   2007/9/17, Goltsios Theodore [EMAIL PROTECTED]:
 Well I think that you mean to add this:
 
 ext_if=rl0 # Or whatever your interface is; ifconfig helps to find out
 block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to $ext_if
 port ssh
 
 or even:
 ext_if=rl0
 external_addr=192.168.1.11
 block drop in quick on $ext_if inet proto tcp from 192.168.0.1 to
 $external_addr port ssh
 
 Think of macros as variables. As long as you don't define them they don't
 exist (are empty).
 
 
 
 I know Theodore, i've done it exactly like u put it... first declare macros
 and then the rule
 but i couldn't block access to the machine... this rule is supposed to block
 all access to port 22 on the machine coming from 192.168.0.1... but I can
 access from there...
 
 i checked pfctl -e
 pfctl -sa
 
 and everything seems to be loaded...
 
 Thanks...

Are you sure that you're trying to block only from a specific host?
The source address shouldn't change, even if you're doing nat.  I
would assume that you'd want an 'any' keyword there, rather than a
specific IP address.

Also, you can add hosts to the table automatically based on number of 
connections over a given period of time:

block quick from <blackhole>
pass on $ext_if inet proto tcp from any to $myip port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <blackhole> flush global)

The first rule blocks hosts from the blackhole table.  The second adds
hosts to the blackhole table and kills their state if they connect
more than 5 times in 30 seconds.  This is obviously tunable-- 3/30
would be 3 connections in 30 seconds, and 8/60 would be 8 connections
in 60 seconds.

Erik


How to add rule with pfctl...

2007-09-15 Thread Agus
Hi list,

I am trying to figure out how to add a firewall rule with pfctl...
This is what i'm trying to do...

I've got SEC that matches certain pattern and takes the IP from that and
want to trigger a firewall rule to block that IP
Then after a couple of hours SEC will trigger the command to un-block the
IP...
So what i need is the command to block an IP address from command line, not
touching any pf.conf

I've done it with iptables but i can't get it with pf. Hope u understand
what i am trying to say...

Thanks and have a nice weekend...
Agustin


Re: How to add rule with pfctl...

2007-09-15 Thread Mel
On Saturday 15 September 2007 23:18:17 Agus wrote:

 I am trying to figure out how to add a firewall rule with pfctl...
 This is what i'm trying to do...

 I've got SEC that matches certain pattern and takes the IP from that and
 want to trigger a firewall rule to block that IP
 Then after a couple of hours SEC will trigger the command to un-block the
 IP...
 So what i need is the command to block an IP address from command line, not
 touching any pf.conf

If you don't need to add a rule but an IP, then tables are your friend.
Example for /etc/pf.conf:
# Placeholder for spammers table, non-routable network IP.
table <spammers> persist { 192.168.111.111 }
# Block this traffic
block return-rst in log on $ext_if proto tcp from <spammers> port smtp

Then on the command line:
/sbin/pfctl -t spammers -Tadd ip.from.new.spammer
And to delete:
/sbin/pfctl -t spammers -Tdel ip.from.old.spammer

-- 
Mel
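As an added example (not code from the thread or from any of its authors), the POSIX sh wrapper below ties Mel's table approach to what the original post asks for: SEC calls it to add or delete the address it pulled out of syslog, and a periodic "expire" call does the "un-block after a couple of hours" without keeping a timer per address. The table name spammers is taken from Mel's rules; the pfctl path, the 7200-second expiry and the subcommand names are assumptions, and the address check is there because the value originates in a log line matched by a regex.

```sh
#!/bin/sh
# Added example (not from the thread): wrapper that SEC, or any log monitor,
# can call to block and later un-block an address through the pf table Mel
# describes.  Assumes /etc/pf.conf already contains:
#   table <spammers> persist { 192.168.111.111 }
#   block return-rst in log on $ext_if proto tcp from <spammers> port smtp
# Table name, pfctl path and expiry are assumed defaults; override them via
# the environment.
TABLE="${TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"
EXPIRE_SECS="${EXPIRE_SECS:-7200}"   # "a couple of hours"

# Accept only a dotted-quad IPv4 address.  The value was cut out of a syslog
# line by a regex, so it is checked before it reaches pfctl; anything else is
# refused rather than interpolated into the command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    _old_ifs=$IFS
    IFS=.
    for _octet in $1; do
        _n=$((_n + 1))
        if [ "${#_octet}" -gt 3 ] || [ "$_octet" -gt 255 ] 2>/dev/null; then
            IFS=$_old_ifs
            return 1
        fi
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# Add one address to the table (what SEC runs when its pattern matches).
block_ip() {
    valid_ipv4 "$1" || { echo "refusing non-IPv4 value: $1" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# Remove one address explicitly (SEC's un-block action).
unblock_ip() {
    valid_ipv4 "$1" || { echo "refusing non-IPv4 value: $1" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# Alternative to a timed un-block per address: pf records when each entry was
# added, so one periodic (cron) call drops everything older than EXPIRE_SECS.
expire_old() {
    "$PFCTL" -t "$TABLE" -T expire "$EXPIRE_SECS"
}

case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    expire)  expire_old ;;
esac
```

SEC's action would be `this_script block <ip>` and `this_script unblock <ip>`, or a cron entry running `this_script expire` every few minutes in place of the per-address un-block.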