Peter wrote:
--- Forrest Aldrich <[EMAIL PROTECTED]> wrote:

My pf.conf is below.

I have this idiot at 24.147.135.133 who has been attempting to break my webserver for about a week - presumably he's running some script. Port 80 of his machine has an impressive MP3 collection.

Comcast doesn't care, so my reports have been unheard.

I have rules to block this /24, but he manages to get through anyway. First, I block via a negation to the <abuse> table, second I have an explicit block rule to block all traffic from anyone in that table.

Since the block rule comes first before the "pass" rule below, I would presume it would work.

I can match it in the table, it's there.

Can anyone tell me what's wrong with the rules so I can correct this ASAP.


Thank you.


ext_if = "fxp0"
int_if = "em0"
prv_if = "em0"
server = "192.168.1.2/32"
ext_ad = "xx.xx.xx.xx/32"
prv_ad = "192.168.1.2/32"
prv_net = "192.168.1.0/24"


tcp_services = "imap, imaps, smtp, smtps"


set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal


set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }



table <badips> persist file "/etc/pf.d/spammers" \
    file "/etc/pf.d/abuse" \
    file "/etc/pf.d/geoip"

table <spammers> persist file "/etc/pf.d/spammers"

table <abuse> persist file "/etc/pf.d/abuse"

table <geoip> persist file "/etc/pf.d/spammers"


scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id




nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
    port { $tcp_services } -> $server

rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
    port 80 -> $server port 80

rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
    port 443 -> $server port 443



antispoof quick for $ext_if

set skip on lo0

block log all
block in quick on $ext_if from <abuse> to any
block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps, imap, imaps }

pass quick on $int_if inet all keep state


pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
    modulate state

pass in on $ext_if inet proto tcp from any to any port { 80, 443 } modulate state



pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max 32)


pass out quick on $ext_if inet proto tcp all \
    keep state

pass out quick on $ext_if inet proto udp all keep state

pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

From the info you have provided I can't see how connections can be
established from the bad IP address.  Have you reset pf to actually use
the config (pfctl -f )?  If you have, can you provide actual output of

pfctl -sn
pfctl -sr

--
Peter

Yes, I cleared the rules and reset - reloaded, etc.

Here is the output of the above (thanks):

# pfctl -sn
nat on fxp0 inet from 192.168.1.0/24 to any -> (fxp0) round-robin
rdr on fxp0 inet proto tcp from ! <badips> to (fxp0) port = imap -> 192.168.1.2
rdr on fxp0 inet proto tcp from ! <badips> to (fxp0) port = imaps -> 192.168.1.2
rdr on fxp0 inet proto tcp from ! <badips> to (fxp0) port = smtp -> 192.168.1.2
rdr on fxp0 inet proto tcp from ! <badips> to (fxp0) port = smtps -> 192.168.1.2
rdr on fxp0 inet proto tcp from ! <abuse> to (fxp0) port = http -> 192.168.1.2 port 80
rdr on fxp0 inet proto tcp from ! <abuse> to (fxp0) port = https -> 192.168.1.2 port 443

# pfctl -sr
scrub all no-df reassemble tcp fragment reassemble
scrub in all fragment reassemble
scrub out all random-id fragment reassemble
block drop in quick on ! fxp0 inet from 24.147.44.0/22 to any
block drop in quick inet from 24.147.44.26 to any
block drop log all
block drop in quick on fxp0 from <abuse> to any
block drop in quick on fxp0 proto tcp from <badips> to any port = smtp
block drop in quick on fxp0 proto tcp from <badips> to any port = smtps
block drop in quick on fxp0 proto tcp from <badips> to any port = imap
block drop in quick on fxp0 proto tcp from <badips> to any port = imaps
pass quick on em0 inet all keep state
pass in on fxp0 inet proto tcp from any to any port = imap modulate state
pass in on fxp0 inet proto tcp from any to any port = imaps modulate state
pass in on fxp0 inet proto tcp from any to any port = smtp modulate state
pass in on fxp0 inet proto tcp from any to any port = smtps modulate state
pass in on fxp0 inet proto tcp from any to any port = http modulate state
pass in on fxp0 inet proto tcp from any to any port = https modulate state
pass in on fxp0 inet proto udp all keep state
pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state (max 32)
pass out quick on fxp0 inet proto tcp all keep state
pass out quick on fxp0 inet proto udp all keep state
pass out quick on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
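The question in this thread turns on two things pf does that are easy to get backwards: rules are evaluated top to bottom and the last matching rule wins, except that a matching rule carrying "quick" ends evaluation on the spot. Below is an added example, not code from the thread or from pf itself: a small Python model of exactly those two semantics, run against a simplified copy of the filter rules posted above (scrub, nat/rdr, state tracking and options are left out). The table contents are constructed stand-ins for /etc/pf.d/abuse and /etc/pf.d/spammers, and the function and rule names are this example's own. It traces which rule decides a TCP port 80 packet arriving on fxp0, shows that the ordering "block first, pass later" only blocks because the block rule has "quick", and shows that an address missing from the loaded table falls through to the pass rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread or from pf): a toy model of pf rule
# evaluation. Modelled semantics:
#   - rules are checked top to bottom and the LAST matching rule wins,
#   - unless a matching rule has "quick", which ends evaluation immediately.
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                         # "block" or "pass"
    quick: bool = False
    direction: Optional[str] = None     # "in", "out", or None for both
    iface: Optional[str] = None         # interface name, or None for any
    proto: Optional[str] = None         # "tcp", "udp", "icmp", or None for any
    src: Optional[str] = None           # host/CIDR string, "<table>" name, or None for any
    dports: Optional[frozenset] = None  # destination ports, or None for any
    text: str = ""                      # readable form of the rule, used in traces


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dport: int


def parse_table(lines):
    """Read table entries the way a pf 'persist file' is read: one host or CIDR per line."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            nets.append(Net(line, strict=False))
    return nets


def src_matches(rule, tables, pkt):
    if rule.src is None:
        return True
    addr = ipaddress.ip_address(pkt.src)
    if rule.src.startswith("<"):  # table lookup
        return any(addr in net for net in tables.get(rule.src, []))
    return addr in Net(rule.src, strict=False)


def matches(rule, tables, pkt):
    return (
        (rule.direction is None or rule.direction == pkt.direction)
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.dports is None or pkt.dport in rule.dports)
        and src_matches(rule, tables, pkt)
    )


def evaluate(rules, tables, pkt):
    """Return (verdict, deciding rule text, list of matching rule texts)."""
    verdict, deciding, trace = "pass", "<default pass>", []
    for rule in rules:
        if not matches(rule, tables, pkt):
            continue
        trace.append(rule.text)
        verdict, deciding = rule.action, rule.text  # last match so far wins
        if rule.quick:
            break  # "quick": stop evaluating here
    return verdict, deciding, trace


MAIL = frozenset({25, 465, 143, 993})  # smtp, smtps, imap, imaps
WEB = frozenset({80, 443})

# Simplified copy of the filter rules posted above (nat/rdr and scrub omitted).
RULES = [
    Rule("block", text="block log all"),
    Rule("block", quick=True, direction="in", iface="fxp0", src="<abuse>",
         text="block in quick on fxp0 from <abuse> to any"),
    Rule("block", quick=True, direction="in", iface="fxp0", proto="tcp", src="<badips>",
         dports=MAIL, text="block in quick on fxp0 proto tcp from <badips> to port {mail}"),
    Rule("pass", quick=True, iface="em0", text="pass quick on em0 inet all keep state"),
    Rule("pass", direction="in", iface="fxp0", proto="tcp", dports=MAIL,
         text="pass in on fxp0 inet proto tcp from any to any port {mail} modulate state"),
    Rule("pass", direction="in", iface="fxp0", proto="tcp", dports=WEB,
         text="pass in on fxp0 inet proto tcp from any to any port {80, 443} modulate state"),
]

# Constructed table contents standing in for the persist files.
TABLES = {
    "<abuse>": parse_table(["24.147.135.133", "24.147.44.0/22  # constructed entry"]),
    "<badips>": parse_table(["24.147.135.133", "203.0.113.0/24"]),
}


def web_hit(src, rules=RULES, tables=TABLES):
    """Fate of an inbound TCP port 80 packet on fxp0 from the given source address."""
    return evaluate(rules, tables, Packet("in", "fxp0", "tcp", src, 80))


def without_quick(rules):
    """The same ruleset with every 'quick' removed: ordering alone no longer blocks."""
    return [Rule(r.action, False, r.direction, r.iface, r.proto, r.src, r.dports, r.text)
            for r in rules]


if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("without quick", without_quick(RULES))):
        verdict, why, trace = web_hit("24.147.135.133", rules)
        print(f"{label}: 24.147.135.133 -> port 80: {verdict} (decided by: {why})")
    print("empty <abuse> table:", web_hit("24.147.135.133", tables={})[0])
```

With the tables populated, the abuse address is dropped by the quick block rule and evaluation never reaches the port 80 pass rule; strip "quick" and the later pass rule wins; empty the table and the same address passes. On a real box the equivalent checks are `pfctl -t abuse -T test 24.147.135.133` to confirm the loaded table (not the file) contains the address, and `pfctl -vsr` to compare the packet counters of the "block in quick on fxp0 from <abuse>" rule against the port 80 pass rule while the traffic is arriving; the `pfctl -sr` output above also contains block rules that are not in the posted pf.conf, so the loaded ruleset is the one worth reading.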

