Hi,
Nice pf setup you have there, I'm going to try it for SSH right away. I have also used resolving a couple of times, when the hosts change or are different on another site. Here is the pf config plus how it comes out with pfctl:
root@sol06fm1d01(pts/14) /root # grep -Evx '[[:blank:]]*([#;].*)?' /etc/firewall/pf-test.conf
ext_if = "pub0"
nfs_ports = "{ 111 2049 }"
table <dns:nfs_hosts> { km03v16pl01.zit.commerzbank.com }
no_state = "flags any no state"
block drop in log on $ext_if proto { tcp udp } from <dns:nfs_hosts> port $nfs_ports to ($ext_if) $no_state
block drop out log on $ext_if proto { tcp udp } from ($ext_if) to <dns:nfs_hosts> port $nfs_ports $no_state

root@sol06fm1d01(pts/14) /root # pfctl -vvvnf /root/pf.conf
Loaded 710 passive OS fingerprints
set reassemble yes no-df
set skip on { lo0 }
ext_if = "pub0"
nfs_ports = "{ 111 2049 }"
table <dns:nfs_hosts> { 140.27.24.92 }
no_state = "flags any no state"
@0 block drop in proto tcp from any to any port = 12302
@1 pass in inet proto tcp from 140.39.9.71 to any port = 12302 flags S/SA
@2 pass in inet proto tcp from 140.39.9.72 to any port = 12302 flags S/SA
@3 block drop in log (to pflog0) on pub0 proto tcp from <dns:nfs_hosts:0> port = 111 to (pub0:*)
@4 block drop in log (to pflog0) on pub0 proto tcp from <dns:nfs_hosts:0> port = 2049 to (pub0:*)
@5 block drop in log (to pflog0) on pub0 proto udp from <dns:nfs_hosts:0> port = 111 to (pub0:*)
@6 block drop in log (to pflog0) on pub0 proto udp from <dns:nfs_hosts:0> port = 2049 to (pub0:*)
@7 block drop out log (to pflog0) on pub0 proto tcp from (pub0:*) to <dns:nfs_hosts:0> port = 111
@8 block drop out log (to pflog0) on pub0 proto tcp from (pub0:*) to <dns:nfs_hosts:0> port = 2049
@9 block drop out log (to pflog0) on pub0 proto udp from (pub0:*) to <dns:nfs_hosts:0> port = 111
@10 block drop out log (to pflog0) on pub0 proto udp from (pub0:*) to <dns:nfs_hosts:0> port = 2049
Feel free to skip this if it is common knowledge.
Have a nice weekend
Many Regards
Jan Jurák
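A small model of the list expansion seen above, added here as an example and not code from the thread: given the pf.conf fragment from the message (re-typed as a constructed string), it substitutes the macros and expands the `{ }` lists into the eight rules that pfctl numbers @3 to @10, then checks that every protocol/port pair is blocked in both directions. Resolution of the `<dns:...>` table to an address is not modelled.

```python
import itertools
import re

# Constructed pf.conf fragment, re-typed from the one quoted in the message above.
PF_CONF = """
ext_if = "pub0"
nfs_ports = "{ 111 2049 }"
no_state = "flags any no state"
block drop in log on $ext_if proto { tcp udp } from <dns:nfs_hosts> port $nfs_ports to ($ext_if) $no_state
block drop out log on $ext_if proto { tcp udp } from ($ext_if) to <dns:nfs_hosts> port $nfs_ports $no_state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')   # name = "value"
LIST_RE = re.compile(r"\{\s*([^{}]*?)\s*\}")        # { a b c }

def parse(conf):
    """Split a pf.conf fragment into macro definitions and rule lines."""
    macros, rules = {}, []
    for line in (l.strip() for l in conf.splitlines()):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line and not line.startswith("#"):
            rules.append(line)
    return macros, rules

def expand(rule):
    """Expand every { a b } list into one rule per combination, in pfctl's order."""
    lists = [item.split() for item in LIST_RE.findall(rule)]
    expanded = []
    for combo in itertools.product(*lists):      # a single empty combo when no lists
        values = iter(combo)
        expanded.append(LIST_RE.sub(lambda m: next(values), rule))
    return expanded

def expand_conf(conf):
    """Return the flat rule list pfctl numbers @0, @1, ... after macro substitution."""
    macros, rules = parse(conf)
    subst = lambda r: re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], r)
    return [r for rule in rules for r in expand(subst(rule))]

def uncovered(rules, protos, ports):
    """List (direction, proto, port) triples that no expanded block rule covers."""
    missing = []
    for d, proto, port in itertools.product(("in", "out"), protos, ports):
        pat = re.compile(rf"^block\b.*\b{d}\b.*\bproto {proto}\b.*\bport {port}\b")
        if not any(pat.search(r) for r in rules):
            missing.append((d, proto, port))
    return missing
```

Running `expand_conf(PF_CONF)` yields the same eight block rules, in the same order, that appear as @3 to @10 in the pfctl dry run; `uncovered(...)` is the check you would run after editing the port or protocol list.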
On Sun, Jun 6, 2021 at 1:31 PM Frantisek Hennel <[email protected]> wrote:
>
> Many thanks, you have helped me a lot. I have been using PF for this kind of simple blocking for several years, but unfortunately I don't know the syntax. Unfortunately I really could not find such basic examples in the manual. And yet this can be used elegantly for SSH as well, so I would expect to find plenty of such examples on the internet.
>
> Frantisek
>
> On Sun 6 Jun 2021 at 12:18 Marián Černý <[email protected]> wrote:
>
> > Frantisek Hennel wrote:
> > >
> > > Thanks for the help, but it doesn't work for me.
> > >
> > > pass in quick on $ext_if from 10.1.1.0/24 to ($ext_if) port 3306
> > > /etc/pf.conf:4: port only applies to tcp/udp
> >
> > Sorry, "proto tcp" is missing there.
> >
> > pass in quick on $ext_if proto tcp from 10.1.1.0/24 to ($ext_if) port 3306
> > block drop in log (all) quick on $ext_if proto tcp from any to ($ext_if) port 3306
> >
> > Or in a single rule, as schrodinger wrote:
> >
> > block drop in log (all) quick on $ext_if proto tcp from ! 10.1.1.0/24 to ($ext_if) port 3306
> >
> > (or, simplified:)
> >
> > block in log quick on $ext_if proto tcp from ! 10.1.1.0/24 to any port 3306
> >
> > Marián
> > --
> > FreeBSD mailing list ([email protected])
> > http://www.freebsd.cz/listserv/listinfo/users-l