Greetings all,
I have very successfully been using OpenBSD 4.5 to manage both our
corporate firewall and the firewall in our production gaming
environment. However, recently I have been given the task from the home
office to do some basic regional IP blocking. Great, thinks I: I will
create a table and at the same time create an extra table for the IPs
of spammers and users whom we want to keep out of our game.
So in my pf.conf I created two tables:
table <blocked_ip> persist file "/etc/blocked_ip"
table <asian_ip> persist file "/etc/blocked_asian_ip"
blocked_ip is the table for the occasional user we want to boot, and
blocked_asian_ip is a list of IP nets in select Asian countries that we
want to disallow. Right now blocked_asian_ip is empty and blocked_ip
looks like this:
220.249.167.192
208.43.3.90
123.128.151.190
60.217.150.82
98.126.4.99
74.222.14.10
60.217.153.214
222.135.105.242
114.108.128.220
71.137.134.82
174.139.11.22
121.156.65.187
210.118.194.65
Nothing looks wrong so far to me. So then I added a "block in quick" rule
in my pf.conf to blackhole these tables of IPs. Here is my complete
pf.conf:
# macros
ext_if="vlan2"
int_if="vlan5"
slbnet_if="vlan3"
adminnet_if="vlan4"
# service groups
priv_tcp_services="{ 8020 }"
sql_port="{ 1433 }"
rdp_services="{ 3389 }"
icmp_types="echoreq"
crm_ports="{80 443 8080}"
# These are IP's that are allowed full access
trusted_hosts="{24.16.115.5 203.238.151.208 203.238.151.216 203.238.151.210 203.238.151.217 67.18.69.66 222.110.172.248 76.121.252.154 71.121.162.98 98.117.116.77}"
payment_gateway="{66.211.168.126 217.22.128.136 217.22.128.227 207.46.232.182 128.30.52.170 128.30.52.38 128.30.52.51 128.30.52.52 128.30.52.53 128.30.52.54 128.30.52.166 128.30.52.168 216.167.121.109}"
# internal private hosts
ad1="10.1.0.10"
sql1="10.1.1.1"
sql2="10.1.1.2"
sql3="10.1.1.3"
sql4="10.1.1.4"
mirsrv1="10.3.2.1"
mirsrv2="10.3.2.2"
mirsrv3="10.3.2.3"
mirsrv4="10.3.2.4"
webbill="10.3.2.20"
webbillms="10.1.2.20"
billtest="10.3.2.21"
crm="10.1.2.21"
billadmin="10.3.2.22"
web1="10.3.1.1"
web2="10.3.1.2"
sql5="10.1.1.5"
web3="10.3.1.3"
monitor1="10.1.0.20"
# banned IP addresses
table <testgeoff> persist
table <blocked_ip> persist file "/etc/blocked_ip"
table <asian_ip> persist file "/etc/blocked_asian_ip"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $slbnet_if from $trusted_hosts -> ($slbnet_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Temporary remote connections for RDP from the Korean offices
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4100 -> $sql1 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4101 -> $sql2 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4102 -> $sql3 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4103 -> $sql4 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4104 -> $mirsrv1 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4105 -> $mirsrv2 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4106 -> $mirsrv3 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4107 -> $mirsrv4 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4108 -> $webbill port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4109 -> $webbillms port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4110 -> $billtest port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4111 -> $crm port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4112 -> $billadmin port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4113 -> $web1 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4114 -> $web2 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4115 -> $sql5 port 3389
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 4116 -> $web3 port 3389
# Temporary remote connections for SQL from the Korean offices
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5100 -> $sql1 port 1433
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5101 -> $sql2 port 1433
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5102 -> $sql3 port 1433
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5103 -> $sql4 port 1433
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5104 -> $billtest port 1433
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.5 port 5105 -> $sql5 port 1433
# Redirects for the MIR game apps
rdr on $ext_if proto tcp from any to 66.150.173.6 port 7000 -> $mirsrv1
rdr on $ext_if proto tcp from any to 66.150.173.6 port 7100 -> $mirsrv4
rdr on $ext_if proto tcp from any to 66.150.173.6 port {7200 7201 7202 7203 7204 7205} -> $mirsrv4
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.10 port 80 -> $crm port 80
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.10 port 443 -> $crm port 443
rdr on $ext_if proto tcp from $trusted_hosts to 66.150.173.10 port 8080 -> $crm port 8080
# filter rules
block in log
block in log quick from <blocked_ip> to any
block in log quick from <asian_ip> to any
block in log quick from <testgeoff> to any
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
# Rules to pass in on the external interface for local services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $priv_tcp_services flags S/SA keep state
#
# Rules to pass in for rdr rules
#
pass in on $ext_if inet proto tcp from $trusted_hosts to $crm port $crm_ports flags S/SA keep state
pass in on $ext_if inet proto tcp from $trusted_hosts to {$sql1 $sql2 $sql3 $sql4 $mirsrv1 $mirsrv2 $mirsrv3 $mirsrv4 $webbill $webbillms $billtest $crm $billadmin $web1 $web2 $sql5 $web3} port 3389 keep state
pass in on $ext_if inet proto tcp from $trusted_hosts to {$sql1 $sql2 $sql3 $sql4 $billtest $sql5} port 1433 keep state
pass in on $ext_if inet proto {tcp udp} from any to $mirsrv1 port 7000 flags S/SA keep state
pass in on $ext_if inet proto {tcp udp} from any to $mirsrv4 port {7100 7200 7201 7202 7203 7204 7205} flags S/SA keep state
#
# Rules inbound for the slbnet
#
pass in on $slbnet_if from 10.3.0.0/16 to {$ad1 $monitor1} keep state
pass in on $slbnet_if inet proto tcp from 10.3.0.0/16 to {$sql1 $sql2 $sql3 $sql4 $sql5 $billtest} port $sql_port keep state
pass in on $slbnet_if inet proto {tcp udp} from 10.3.0.0/16 to $webbillms port {21001 21011} keep state
pass in on $slbnet_if inet proto udp from $mirsrv3 to $sql2 port 10001 keep state
pass in on $slbnet_if inet proto tcp from $billtest to 192.168.16.46 port 1433 keep state
# Allow in certain ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state
# Allow traffic from the internal network to make any connection to the outside world.
# this rule needs to be deleted in next change request as redundant
pass in on $int_if from 10.1.0.0/16 to 10.3.0.0/16 keep state
pass in quick on $int_if
However, when I go to add an additional IP to the table, nothing happens.
I append the address to the blocked_ip file, then I issue "pfctl -f
/etc/pf.conf". I can see via tcpdump quite clearly that a given user, in
this case 114.108.128.220, is allowed in through the firewall. And if I
test for the IP:
sudo pfctl -t blocked_ip -T test 114.108.128.220
1/1 addresses match.
So what gives? Do I need to do something additional to get it to reload
all the table information?
Thanks everyone.
Geoff Sweet
Operations Engineer
WeMade Entertainment USA.
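The following is an added example, not part of Geoff's post and not OpenBSD's own tooling: a small POSIX sh helper for the file-backed table described above. It appends an address to the table file, loads that file straight into the running table with "pfctl -t TABLE -T replace -f FILE" (no ruleset reload needed), and then kills any state entries the address already holds with "pfctl -k". That last step matters because neither "pfctl -f /etc/pf.conf" nor a table update removes existing states, so a host that already has an open connection keeps passing until its states are gone. The table name (blocked_ip), file path (/etc/blocked_ip) and the pfctl command are read from the environment variables PF_TABLE, PF_TABLE_FILE and PFCTL, which are names assumed for this example; setting PFCTL=echo gives a dry run that only prints the pfctl invocations.

```shell
#!/bin/sh
# Added example (not from the original post): maintain a file-backed pf table
# and make the change take effect even for hosts that are already connected.
# Assumed knobs, overridable through the environment:
#   PF_TABLE       table name in pf.conf         (default: blocked_ip)
#   PF_TABLE_FILE  file the table is loaded from (default: /etc/blocked_ip)
#   PFCTL          pfctl command to run          (default: pfctl; "echo" = dry run)
set -f   # no pathname expansion: addresses are split on "." below, never globbed

# valid_ipv4 ADDR: accept a dotted quad, optionally followed by /0-32.
valid_ipv4() {
    _ip=${1%%/*}
    _pfx=${1#*/}
    if [ "$_pfx" != "$1" ]; then                     # a "/prefix" was present
        case $_pfx in ''|*[!0-9]*) return 1 ;; esac
        [ "$_pfx" -le 32 ] || return 1
    fi
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ban_ip ADDR: add ADDR to the table file, reload the table, drop its states.
ban_ip() {
    _a=$1
    _f=${PF_TABLE_FILE:-/etc/blocked_ip}
    _t=${PF_TABLE:-blocked_ip}
    _pf=${PFCTL:-pfctl}
    if ! valid_ipv4 "$_a"; then
        echo "ban_ip: refusing malformed address '$_a'" >&2
        return 2
    fi
    [ -f "$_f" ] || : > "$_f"
    if grep -qxF -- "$_a" "$_f"; then
        echo "ban_ip: $_a is already listed in $_f" >&2
    else
        printf '%s\n' "$_a" >> "$_f"
    fi
    # Load the file into the running table directly; the ruleset is untouched.
    "$_pf" -t "$_t" -T replace -f "$_f"
    # A ruleset reload or table update never removes existing states, so a host
    # with an established session keeps passing until its states are killed.
    "$_pf" -k "$_a"                   # states with ADDR as source
    "$_pf" -k 0.0.0.0/0 -k "$_a"      # states from anywhere to ADDR
}

# unban_ip ADDR: remove ADDR from the file and from the running table.
unban_ip() {
    _a=$1
    _f=${PF_TABLE_FILE:-/etc/blocked_ip}
    _t=${PF_TABLE:-blocked_ip}
    _pf=${PFCTL:-pfctl}
    valid_ipv4 "$_a" || return 2
    _tmp="$_f.tmp.$$"
    grep -vxF -- "$_a" "$_f" > "$_tmp" || true    # grep exits 1 when nothing is left
    cat "$_tmp" > "$_f"                           # rewrite in place, keeping mode/owner
    rm -f "$_tmp"
    "$_pf" -t "$_t" -T delete "$_a"
}

# Command-line entry point: "ban ADDR" or "unban ADDR". Does nothing when sourced.
if [ $# -gt 0 ]; then
    case $1 in
        ban)   ban_ip "$2" ;;
        unban) unban_ip "$2" ;;
        *)     echo "usage: $0 ban|unban ADDR" >&2; exit 64 ;;
    esac
fi
```

Run as root on the firewall, e.g. "sh pfban.sh ban 114.108.128.220"; "pfctl -t blocked_ip -T show" confirms the table contents and "pfctl -ss | grep 114.108.128.220" should come back empty afterwards. The -T replace form is used rather than -T add so that the running table always mirrors the file exactly, which is what the persist/file definition in pf.conf promises.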