[Help 7.2] Firewall to block all non-German IP's [Archive] - The FreeBSD Forums



IgorGlock
February 19th, 2010, 20:29
Hello together!

I'm from Germany and I have some problems with "denial of service" to my SSH and many other TCP/UDP ports from other countries :\


Who knows a firewall to block them? :f

Ruler2112
February 19th, 2010, 20:36
There was a discussion on this not too long ago. There's a site that keeps lists of IP address ranges assigned to different countries - you basically just create a table and block the addresses in it with pf.

IgorGlock
February 19th, 2010, 20:50
yeah...

but I'm 16 years old and I need help with them...
Site for IP ranges: http://services.ce3c.be/ciprg/
Can you make a manual or give a site?

sorry, my English is very bad :-)

Ruler2112
February 20th, 2010, 00:01
This post (http://forums.freebsd.org/showthread.php?t=10110) should help you out. The pf rules you want are in the first post. I also wrote a script (http://forums.freebsd.org/showpost.php?p=49726&postcount=23) that will keep the text file listing the IPs updated with whatever one you want on the internet.

IgorGlock
February 20th, 2010, 00:16
hmmn... that's not bad but it's not for me :D

how can I block all non-German IPs ... not how can I block bad IPs :-)

if one person from China likes to join my TeamSpeak server or my game server he must get a block. (very bad English :( )

vivek
February 20th, 2010, 08:04
You need to block all and then only allow German IPs. Share your existing pf.conf.

IgorGlock
February 20th, 2010, 10:32
my existing pf.conf:
*beep*

^ clean :\

tkjacobsen
February 20th, 2010, 14:27
The "TABLES" section in the pf.conf(5) man page explains how files can be used to list ip addresses.

Here's my own pf.conf modified for your needs:

tcp_services = "{ ssh }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out


It basically blocks all incoming traffic except ssh from German IP addresses listed in /etc/german. All outgoing traffic is also accepted.

IgorGlock
February 20th, 2010, 17:35
thank you very very much!

and how can I block all services? Not only SSH? "tcp_services = "{ ssh }"
?:stud

IgorGlock
February 20th, 2010, 18:54
EDiT: and how can I block all services? Not only SSH? :\

:e

DutchDaemon
February 20th, 2010, 19:44
Read that ruleset again. Everything is blocked, except ssh access from Germany.

IgorGlock
February 20th, 2010, 20:30
hmmn... and how can I allow port: 1337 for teamspeak server or GTA MTA server(gameserver)?

DutchDaemon
February 20th, 2010, 21:15
Add it to the tcp_services macro (if it's tcp, else create a udp_services macro and make a new rule) and reload the ruleset.

Don't ask how, it's all in the pf.conf manual, and in the FAQ (http://www.openbsd.org/faq/pf/index.html). Do your homework (that's what 16 year-olds are supposed to do ..).

IgorGlock
February 20th, 2010, 21:50
Is that right?
I like to open for only German IPs the ports: 27015 (Counterstrike) + 1337 (Teamspeak) + 22 (SSH)

rc.conf

pf_enable="YES"
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"

pf1.conf:
tcp_services = "{ ssh }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

pf2.conf:
tcp_services = "{ 1337, 27015 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out


but my "/etc/german" file doesn't exist?! Can someone give me an example?
Can I generate it with http://services.ce3c.be/ciprg/ ?

DutchDaemon
February 20th, 2010, 22:12
Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it.

You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like 1.2.3.4 or 1.2.3.4/24. Ranges (1.2.3.4-1.2.3.5) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.

BTW, you can't do this:

pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"

There can only be one of everything, or the second one will overrule the first one. In this case, only pf2.conf will be loaded, not pf1.conf.
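The "start-end to CIDR" conversion nobody in the thread had ready can be done with nothing but the Python standard library. The following is an added example, not code from the forum or from any of the posters: it takes lines in the range form the ce3c.be export produces ("startip-endip"), plus lines already in CIDR or single-address form, and emits one prefix per line as pf's `table <name> persist file` expects. The input list is constructed for the example from the addresses quoted in the thread; a real country file is much longer.

```python
import ipaddress
import re

# Constructed sample input: the "start-end" range form discussed above, mixed
# with CIDR and single-host lines that pf already accepts. A real export from
# the country-list site would contain thousands of such lines.
SAMPLE_RANGES = """\
# German ranges, constructed for this example
53.0.0.0-53.255.255.255
84.128.0.0-84.191.255.255
1.2.3.4-1.2.3.5
10.0.0.1-10.0.0.6
88.198.0.0/16
192.0.2.7
"""

# "start - end" with optional whitespace around the dash
RANGE_RE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)\s*$")


def ranges_to_cidr(text):
    """Return a sorted list of ipaddress networks covering every line of `text`.

    Accepted line shapes: "a.b.c.d-e.f.g.h" (inclusive range), "a.b.c.d/n"
    (CIDR, host bits must be zero) or "a.b.c.d" (single host). Blank lines and
    '#' comments are skipped. A range that is not prefix-aligned is split into
    the minimal set of prefixes; adjacent blocks are merged afterwards so the
    resulting table is as small as possible. Malformed lines raise ValueError
    with the line number, instead of silently producing a wrong table.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = RANGE_RE.match(line)
        try:
            if match:
                first = ipaddress.ip_address(match.group(1))
                last = ipaddress.ip_address(match.group(2))
                # summarize_address_range yields the minimal CIDR cover
                nets.extend(ipaddress.summarize_address_range(first, last))
            else:
                # strict=True rejects e.g. 53.0.0.1/8, which pf would also
                # interpret differently from what the author probably meant
                nets.append(ipaddress.ip_network(line, strict=True))
        except (ValueError, TypeError) as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    # collapse_addresses merges adjacent/overlapping prefixes and sorts them
    return list(ipaddress.collapse_addresses(nets))


def table_file_text(text):
    """Render the converted list in the one-prefix-per-line form of a pf table file."""
    return "\n".join(str(net) for net in ranges_to_cidr(text)) + "\n"


if __name__ == "__main__":
    # Write the result where the ruleset above expects it, e.g. /etc/german,
    # then load it into the running table with
    #   pfctl -t german -T replace -f /etc/german
    # instead of rebooting.
    print(table_file_text(SAMPLE_RANGES), end="")
```

Running the script on the sample prints nine prefixes: the two aligned ranges collapse to 53.0.0.0/8 and 84.128.0.0/10, 1.2.3.4-1.2.3.5 becomes 1.2.3.4/31, and the unaligned 10.0.0.1-10.0.0.6 range is split into 10.0.0.1/32, 10.0.0.2/31, 10.0.0.4/31 and 10.0.0.6/32. Because `ip_network` is called with `strict=True`, a line such as 53.0.0.1/8 is reported as an error rather than loaded; this is worth keeping, since a mis-typed prefix in an allow table is exactly the kind of mistake that opens a port to the wrong networks without any visible failure.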

IgorGlock
February 20th, 2010, 22:23
hmmn... and can you give me an example for the "format" :\
sorry if you can't understand "format"

is that right?
http://services.ce3c.be/ciprg/?countrys=GERMANY%2C&format=by+input&format2={startip}%0D%0A{endip}%0D%0A

DutchDaemon
February 20th, 2010, 22:42
No, that won't work. Format examples were given above. It's either one IP address per line (not workable with millions of IP addresses), or one cidr range per line (like 53.0.0.0/8, which is the first entry of that list, i.e. 53.0.0.0-53.255.255.255).

DutchDaemon
February 20th, 2010, 22:49
A bit of Googling turned this up:
http://www.countryipblocks.net/tag/cidr/

Choosing Germany and CIDR will give you a list you can put in a pf table without problems. I cannot vouch for the accuracy of this data.

IgorGlock
February 20th, 2010, 22:56
hmmmn... my IP: 84.163.*.*
but it isn't there... :P :e:e :P

thank you :D

DutchDaemon
February 20th, 2010, 23:51
Ah, cidr (http://en.wikipedia.org/wiki/CIDR) is a new concept to you:

84.128.0.0/10 = 84.128.0.0 - 84.191.255.255

net-mgmt/cidr might help.

IgorGlock
February 21st, 2010, 00:18
hmmn... it doesn't work :r
My IP² is: 88.198.*.*

I have blocked this range: 88.198.0.0/16 and after 1 reboot I can use SSH :(

DutchDaemon
February 21st, 2010, 00:50
How are you blocking it? And why? You wanted German IPs to have access, right? That table <german> was used to allow access ('pass'), not block it. What does your ruleset look like? What does pfctl -sr look like? And why reboot when you can simply reload the ruleset?

IgorGlock
February 21st, 2010, 00:55
I like to test it with my other PC with other IP²

pfctl -sr :
No ALTQ support in kernel
ALTQ related functions disabled

and pfctl -F all -f /etc/pf2.conf :

No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded

hehe: http://forums.freebsd.org/showpost.php?p=68957&postcount=2

IgorGlock
February 21st, 2010, 15:24
1 Question:

My LAN card supports ALTQ (Realtek) but I don't know how I can install "options ALTQ" ;)

http://www.freebsd.org/cgi/man.cgi?query=altq&sektion=4
^ can't help me :\

sniper007
February 22nd, 2010, 13:31
http://www.openbsd.org/faq/pf/queueing.html

READ, READ, READ again and again

if you can't read, FreeBSD is not for you


all of us need to read and study manuals and handbooks

DutchDaemon
February 22nd, 2010, 13:41
( in this case, you need to build your own kernel, because ALTQ is not in the GENERIC kernel -> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html )

sniper007
February 22nd, 2010, 14:37
Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it.

You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like 1.2.3.4 or 1.2.3.4/24. Ranges (1.2.3.4-1.2.3.5) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.



http://www.ipdeny.com/ipblocks/data/countries/de.zone

IgorGlock
February 22nd, 2010, 19:49
must I put option ALTQ into: /boot/device.hints ?

Ruler2112
February 22nd, 2010, 21:03
rc.conf

pf_enable="YES"
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"


You should only have one pf_rules in your rc.conf.



pf.conf:
tcp_services = "{ ssh, 1337, 27015 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out



Notice how I've included ssh in the TCP services allowed through from the IPs in the german table...



but my "/etc/german" file doesn't exist?! Can someone give me an example?
Can I generate it with http://services.ce3c.be/ciprg/ ?

http://www.ipdeny.com/ipblocks/data/countries/de.zone

You need to somehow create the /etc/german file. It's a list of IP addresses in CIDR format, as DD indicated. This information could easily change over time as IP ranges are assigned/reassigned, so you'll probably want to update the file periodically. If you use the script I linked to in my second post, it'll fetch and update the firewall table for you automatically. (Just set the variables appropriately and set it up to run periodically.)


must I put option ALTQ into: /boot/device.hints ?

I went through adding ALTQ (http://forums.freebsd.org/showthread.php?t=7219) to my kernel a few months ago - there are a couple really good posts in there that describe exactly what you need to do.

IgorGlock
February 22nd, 2010, 21:28
but: /usr/src/sys/i386/conf: No such file or directory.

:stud I hate this :D

Ruler2112
February 22nd, 2010, 21:31
but: /usr/src/sys/i386/conf: No such file or directory.

:stud I hate this :D

You probably didn't install source code with your system. Confirm with ls -l /usr/src - if empty, that's your problem. /usr/sbin/sysinstall will re-run the initial setup program. You can also use pkg_add to add the source packages from the CD/DVD.

IgorGlock
February 22nd, 2010, 21:57
hmn... and what command can help me? "pkg_add source code" but it doesn't work :D

I know I'm stupid! :\

Ruler2112
February 22nd, 2010, 22:28
Check out the handbook (http://www.freebsd.org/doc/handbook/kernelconfig-building.html).

DutchDaemon
February 23rd, 2010, 15:34
Igor, you're currently trying to climb Mount Everest in your shorts, and you're setting yourself up for a totally nuked system if you go on like this.

Do you think that the ALTQ message you saw was some type of error, and that you MUST install ALTQ to get rid of it? You don't. It's not an error. If you don't need outbound traffic queueing, leave your system alone.

If your only open port on the Internet side is ssh, install one of the bruteforce-blocker ports, and set your PF to pass everything out, and nothing but ssh in (forget about the /etc/german stuff too). Let the bruteforce-blocker do the rest by adjusting a PF table all by itself.

security/sshguard-pf
security/bruteforceblocker
security/sshit

IgorGlock
February 23rd, 2010, 17:07
of course I can install + build my "Custom Kernel" and now I get another error...

# pfctl -F all -f /etc/pf2.conf
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded


What is wrong?

here is my config file:

tcp_services = "{ 21075, 1337, 3306 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

Line 12? ....

DutchDaemon
February 23rd, 2010, 17:24
Hit [enter] after pass out.

IgorGlock
February 23rd, 2010, 18:21
hmmn.. it works now but...

I have the service "ssh". I changed my port and now I can't connect ... :-( but it's okay... I have a backup of the MySQL DB :D

IgorGlock
February 23rd, 2010, 22:59
1 Question!

If I like to block only ports 1337 & 21075 for non-German IPs ... how can I do that?

DutchDaemon
February 24th, 2010, 00:00
Something like block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 } might work.

IgorGlock
February 24th, 2010, 13:39
Something like block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 } might work.

Like this?

pf1.conf:
table <german> persist file "/etc/german"
block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
pass out


is that right? :\ ;)

DutchDaemon
February 24th, 2010, 14:18
That's right. Note that you're allowing everything else from anywhere else.
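Two things in this thread are easy to get wrong without a way to check them: whether a given address is covered by a CIDR table at all (84.163.x.x is "in" 84.128.0.0/10 even though the literal string 84.163 never appears, as explained above), and how differently the two rulesets posted here treat traffic that matches no explicit rule. The block below is an added example, not code from the forum or from pf itself: it loads a pf-style table file, answers the containment question, and models the inbound decision of tkjacobsen's allow-list ruleset and of IgorGlock's later block-list ruleset for a single packet. The table contents and the packet parameters are constructed from addresses and ports quoted in the thread, the function names are the example's own, and the model covers inbound packets only and ignores state, so it is a way to reason about the policy rather than a replacement for reading `pfctl -sr`.

```python
import ipaddress

# Constructed /etc/german-style table file: one prefix per line, as pf's
# "table <german> persist file" expects. Prefixes are the ones quoted in the
# thread; a real country table contains thousands of lines.
GERMAN_TABLE = """\
53.0.0.0/8
84.128.0.0/10
88.198.0.0/16
"""


def load_table(text):
    """Parse a pf table file into a list of networks (comments and blanks skipped)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # a bare address like 192.0.2.7 becomes a /32 host prefix
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def covering_prefix(table, addr):
    """Return the most specific prefix in `table` that contains `addr`, or None.

    This is how a CIDR table answers "is my IP in the list?": by containment,
    not by looking for the address as a literal line in the file.
    """
    ip = ipaddress.ip_address(addr)
    hits = [net for net in table if ip in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None


def allow_list_policy(table, src, proto, dport, services=(22, 1337, 27015)):
    """Inbound decision of the allow-list ruleset posted earlier:

        block log all
        pass proto icmp
        pass in proto tcp from <german> to any port $tcp_services
        pass out

    pf evaluates rules last-match-wins, so the initial 'block log all' is the
    outcome unless a later pass rule matches. Inbound UDP is never passed, and
    TCP is passed only for listed ports and only from addresses in the table.
    """
    if proto == "icmp":
        return "pass"
    if proto == "tcp" and dport in services and covering_prefix(table, src) is not None:
        return "pass"
    return "block"


def block_list_policy(table, src, proto, dport, blocked_ports=(1337, 21075)):
    """Inbound decision of the later block-list ruleset:

        block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
        pass out

    There is no 'block all', so a packet that does not match the single block
    rule is passed by pf's default. This is the caveat raised above: every
    other port is reachable from everywhere, including ssh on port 22.
    """
    if (proto in ("tcp", "udp") and dport in blocked_ports
            and covering_prefix(table, src) is None):
        return "block"
    return "pass"


if __name__ == "__main__":
    table = load_table(GERMAN_TABLE)
    # constructed packets: a German source and a non-German (documentation) source
    for src, proto, port in [("84.163.10.20", "tcp", 22), ("203.0.113.9", "tcp", 22),
                             ("203.0.113.9", "tcp", 1337), ("84.163.10.20", "udp", 1337)]:
        print(src, proto, port, "covered by", covering_prefix(table, src),
              "allow-list:", allow_list_policy(table, src, proto, port),
              "block-list:", block_list_policy(table, src, proto, port))
```

The printed table shows the practical difference: under the allow-list ruleset, ssh from 203.0.113.9 is blocked and the German TeamSpeak client's UDP packet is blocked too (only TCP was passed, so a UDP game or voice service needs its own `pass` rule), while under the block-list ruleset the same non-German ssh attempt passes because nothing matches it. Which of the two is right depends on whether the goal is "only German players on the game ports" or "nothing from outside Germany at all"; both posts in the thread are internally consistent, they just answer different questions.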

paean
February 25th, 2010, 17:27
I don't normally do this, but I just can't help myself anymore.

IgorGlock: I have to give you credit... you are a persistent fellow. Reading this thread is like watching Muhammad Ali trying to solve a Rubik's cube.

When (note I didn't say "If") you get pf selectively denying all non-german IPs, I hope you will continue to pursue a broader understanding of how FreeBSD operates.

And for DD's sanity, hopefully you're able to learn much of that from the Handbook. ( =


Final note: you won't feel stupid if you learn the basics before you start asking tough questions. Go easy on yourself. ( ;
