--- Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> My pf.conf is below.
>
> I have this idiot at 24.147.135.133 who has been attempting to break my
> webserver for about a week - presumably he's running some script. Port
>
> 80 of his machine has an impressive MP3 collection.
>
> Comcast doesn't care, so my reports have been unheard.
>
> I have rules to block this /24, but he manages to get through anyway.
> First, I block via a negation to the <abuse> table, second I have an
> explicit block rule to block all traffic from anyone in that table.
>
> Since the block rule comes first before the "pass" rule below, I would
> presume it would work.
>
> I can match it in the table, it's there.
>
> Can anyone tell me what's wrong with the rules so I can correct this
> ASAP.
>
>
> Thank you.
>
>
> ext_if = "fxp0"
> int_if = "em0"
> prv_if = "em0"
> server = "192.168.1.2/32"
> ext_ad = "xx.xx.xx.xx/32"
> prv_ad = "192.168.1.2/32"
> prv_net = "192.168.1.0/24"
>
>
> tcp_services = "imap, imaps, smtp, smtps"
>
>
> set require-order yes
> set limit { frags 30000, states 25000 }
> set block-policy drop
> set optimization normal
>
>
> set timeout tcp.first 20
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
>
>
>
> table <badips> persist file "/etc/pf.d/spammers" \
> file "/etc/pf.d/abuse" \
> file "/etc/pf.d/geoip"
>
> table <spammers> persist file "/etc/pf.d/spammers"
> *
> table <abuse> persist file "/etc/pf.d/abuse"*
>
> table <geoip> persist file "/etc/pf.d/spammers"
>
>
> scrub all reassemble tcp no-df
> scrub in all fragment reassemble
> scrub out all random-id
>
>
>
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> rdr on $ext_if inet proto tcp from ! <badips> to ($ext_if) \
> port { $tcp_services } -> $server
>
> *rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
> port 80 -> $server port 80*
>
> *rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
> port 443 -> $server port 443*
>
>
>
> antispoof quick for $ext_if
>
> set skip on lo0
>
> block log all
> *block in quick on $ext_if from <abuse> to any*
> block in quick on $ext_if proto tcp from <badips> to port { smtp, smtps,
>
> imap, imaps }
>
> pass quick on $int_if inet all keep state
>
>
> pass in on $ext_if inet proto tcp from any to any port { $tcp_services }
> \
> modulate state
>
> pass in on $ext_if inet proto tcp from any to any port { 80, 443 }
> modulate state
>
>
>
> pass in on $ext_if inet proto udp all keep state
>
> pass in on $ext_if inet proto icmp icmp-type 8 code 0 keep state (max
> 32)
>
>
> pass out quick on $ext_if inet proto tcp all \
> keep state
>
> pass out quick on $ext_if inet proto udp all keep state
>
> pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
>From the info you have provided I can't see how connections can be
established from the bad IP address. Have you reset pf to actually use
the config (pfctl -f )? If you have, can you provide actual output of
pfctl -sn
pfctl -sr
--
Peter
__________________________________________________________
Find your next car at http://autos.yahoo.ca
