My pf.conf is below.
I have this idiot at 24.147.135.133 who has been attempting to break my
webserver for about a week - presumably he's running some script. Port
80 of his machine has an impressive MP3 collection.
Comcast doesn't care, so my reports have been unheard.
I have rules to block this /24, but he manages to get through anyway.
First, I block via a negation on the <abuse> table; second, I have an
explicit block rule to block all traffic from anyone in that table.
Since the block rule comes before the "pass" rule below, I would
presume it would work.
I can match it in the table, it's there.
Can anyone tell me what's wrong with the rules so I can correct this ASAP?
Thank you.
ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"
tcp_services = "imap, imaps, smtp, smtps"
set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
table <badips> persist file "/etc/pf.d/spammers" \
file "/etc/pf.d/abuse" \
file "/etc/pf.d/geoip"
table <spammers> persist file "/etc/pf.d/spammers"
table <abuse> persist file "/etc/pf.d/abuse"    # highlighted in the original post
table <geoip> persist file "/etc/pf.d/spammers"
scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
port { $tcp_services } -> $server
# the two rdr rules below were highlighted in the original post
rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
port 80 -> $server port 80
rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
port 443 -> $server port 443
antispoof quick for $ext_if
set skip on lo0
block log all
block in quick on $ext_if from <abuse> to any    # highlighted in the original post
block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps, \
imap, imaps }
pass quick on $int_if inet all keep state
pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
modulate state
pass in on $ext_if inet proto tcp from any to any port { 80, 443 } \
modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)
pass out quick on $ext_if inet proto tcp all \
keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
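The post rests on two assumptions worth checking separately: that 24.147.135.133 is actually covered by a network in the <abuse> table file, and that pf's rule evaluation picks the `block in quick` rule for a new connection to port 80 or 443. The following is an added example, not part of the original post or of pf itself: a small Python model of pf's evaluation order (rules are walked top to bottom, the last matching rule wins unless a matching rule carries `quick`, which stops evaluation) together with a CIDR membership check equivalent to `pfctl -t abuse -T test <addr>`. The table contents and the second table file are constructed sample data; the rule list is a simplified copy of the inbound filter rules above (interfaces, rdr and state tracking are left out).

```python
"""Model pf's "last match wins, unless quick" rule evaluation for one packet.

Added example, not code from the original post.  Rule semantics follow
pf.conf(5): every rule is evaluated in order, the last one that matches
decides the packet, except that a matching rule with `quick` decides
immediately.  Table membership is a CIDR lookup, as `pfctl -T test` does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for /etc/pf.d/abuse: one address or CIDR per line,
# '#' comments allowed, which is what pf's `table ... file` accepts.
ABUSE_FILE = """\
# constructed sample table file, not the poster's real file
24.147.135.0/24
"""


def load_table(text: str) -> list:
    """Parse a pf table file into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_table(nets: list, addr: str) -> bool:
    """Equivalent of `pfctl -t <table> -T test <addr>`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    quick: bool                      # stop evaluating when this rule matches
    direction: Optional[str] = None  # "in", "out", or None for either
    proto: Optional[str] = None      # "tcp", "udp", ..., or None for any
    src_table: Optional[str] = None  # source must be in this table, if set
    dst_ports: Optional[frozenset] = None  # None means any destination port
    label: str = ""


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet, tables: dict) -> bool:
    """Does this rule match the packet?  Unset fields match anything."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_table is not None and not in_table(tables[rule.src_table], pkt.src):
        return False
    if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: list, pkt: Packet, tables: dict) -> Optional[Rule]:
    """Return the rule that decides the packet, using pf's ordering semantics."""
    winner = None
    for rule in rules:
        if matches(rule, pkt, tables):
            winner = rule          # last match wins ...
            if rule.quick:
                break              # ... unless the match is `quick`
    return winner


# Simplified copy of the inbound filter rules from the posted pf.conf.
# Port numbers: smtp 25, smtps 465, imap 143, imaps 993.
RULES = [
    Rule("block", False, label="block log all"),
    Rule("block", True, "in", None, "abuse", None, "block in quick from <abuse>"),
    Rule("block", True, "in", "tcp", "badips", frozenset({25, 465, 143, 993}),
         "block in quick from <badips> to mail ports"),
    Rule("pass", False, "in", "tcp", None, frozenset({25, 465, 143, 993}), "pass in mail"),
    Rule("pass", False, "in", "tcp", None, frozenset({80, 443}), "pass in web"),
]


def decide(src: str, dst_port: int, abuse_text: str = ABUSE_FILE) -> tuple:
    """Which rule decides a new inbound TCP packet from src to dst_port?

    For simplicity <badips> is given the same constructed contents as <abuse>.
    """
    nets = load_table(abuse_text)
    tables = {"abuse": nets, "badips": nets}
    rule = evaluate(RULES, Packet("in", "tcp", src, dst_port), tables)
    return rule.action, rule.label


if __name__ == "__main__":
    print(decide("24.147.135.133", 80))                      # covered: block quick wins
    print(decide("24.147.135.133", 80, "24.147.153.0/24\n"))  # typo'd table: pass wins
```

With the table file as constructed, the quick block rule decides a port 80 packet from 24.147.135.133; with a table file whose network does not actually cover the address (the second call uses a transposed-octet CIDR), the `pass in ... port { 80, 443 }` rule wins, because nothing with `quick` matched and it is the last matching rule. On the real box the same two checks are `pfctl -t abuse -T test 24.147.135.133` for table membership and `pfctl -vsr`, whose per-rule packet counters show which rule is actually matching; `pfctl -nf /etc/pf.conf` confirms the file parses, since a ruleset that fails to load leaves the previous one in place.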