> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)
>
That's my problem: nothing seems to be blocked; tcpdump returns nothing about
my requests to reach the outside web.
I'm stuck.
Please find below my full pf.conf in case I missed something:
ext_if = "re0" # interface
tun_if = "tun0" # vpn
ssh_port = "2222" # ssh port
http_ports = "{ www https }" # http(s) ports
mail_ports = "{ submission imaps }" # mail ports
tcp_pass = "{ gopher ipp 8000 }" # open tcp ports
udp_pass = "{ 1194 }" # open udp ports
set block-policy drop # block silently
set skip on lo # no filtering on loopback
set limit table-entries 400000
## tables for the nasty brute-forcers
table <ssh_abuse> persist
table <http_abuse> persist
table <mail_abuse> persist
# antispam with greylisting
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bgp-spamd-bypass> persist
## Packet processing ##
match in all scrub (no-df) # partial packets
block in quick from urpf-failed
## Firewall rules ##
# block everything by default
block log all
# block blacklisted IPs
block in log quick proto tcp from <http_abuse> to any port $http_ports
block in log quick proto tcp from <ssh_abuse> to any port $ssh_port
# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in on $ext_if proto tcp from <spamd-white> to any port smtp
pass in quick on $ext_if proto tcp from <bgp-spamd-bypass> to any port smtp
# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_abuse> flush global)
# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload <http_abuse> flush)
# brute-force protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload <mail_abuse> flush global)
# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }
# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state
# vpn
pass in quick on $tun_if keep state
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state
Regards
--
/Thuban/
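The quoted tcpdump on pflog0 only ever sees packets matched by rules that carry the `log` keyword, so a rule that blocks without `log` drops silently and never shows up there. As an added example that is not part of the thread, the script below parses a pf.conf (a constructed subset of the config posted above) and lists block rules that lack `log`; the continuation-line joining and comment stripping are a simplified reading of pf.conf syntax, not pfctl's parser.

```python
"""List pf.conf block rules that lack `log`.

Packets dropped by such a rule never reach pflog0, so
`tcpdump -e -ttt -ni pflog0 action block` shows nothing for them.
"""
import re

# Constructed sample: a subset of the pf.conf posted in the thread.
SAMPLE_PF_CONF = """\
ext_if = "re0" # interface
set block-policy drop
match in all scrub (no-df)
block in quick from urpf-failed
block log all
block in log quick proto tcp from <ssh_abuse> to any port $ssh_port
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \\
    (max-src-conn-rate 5/60, overload <ssh_abuse> flush global)
pass out on $ext_if proto { tcp udp icmp } all modulate state
"""


def logical_lines(conf_text):
    """Yield rules with '#' comments stripped and '\\' continuations joined."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield re.sub(r"\s+", " ", line)


def unlogged_block_rules(conf_text):
    """Return block rules whose words never include the bare `log` keyword.

    Assumption: `log` appears as its own word (e.g. `log` or `log (all)`);
    a rule written `log(all)` without a space would be missed.
    """
    found = []
    for rule in logical_lines(conf_text):
        words = rule.split()
        if words[0] == "block" and "log" not in words:
            found.append(rule)
    return found


if __name__ == "__main__":
    for rule in unlogged_block_rules(SAMPLE_PF_CONF):
        print("drops silently (not visible on pflog0):", rule)
```

Run against the sample, it reports only the `urpf-failed` rule; the `block log all` default and the abuse-table blocks are logged and would appear on pflog0.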