BernardoCR
January 19th, 2011, 17:17
Hello,
I have a firewall configured to have a table with IPs that should be blocked and dropped.
But when I use tcptrack, I can see all the connections:
189.41.221.78:57042 67.43.230.251:7004 SYN_SENT 14s 0 B/s
189.60.153.48:64299 67.43.230.251:7004 SYN_SENT 3s 0 B/s
189.41.221.78:57091 67.43.230.251:7004 SYN_SENT 8s 0 B/s
189.60.153.48:64311 67.43.230.251:7004 SYN_SENT 1s 0 B/s
189.41.221.78:57013 67.43.230.251:7004 SYN_SENT 26s 0 B/s
189.60.153.48:64274 67.43.230.251:7004 SYN_SENT 12s 0 B/s
and a lot more.
These should be dropped, but even with the rules I have, my server sends the SYN.
The rule that seems not to be working is:
block drop in quick on $externa from <vlwc>
Shouldn't it drop the connections from the IPs, as soon as they connect to the server?
I don't know if I am doing something wrong.
BernardoCR
January 19th, 2011, 17:20
antispoof quick for $externa inet
table <sshbf> persist
table <vlwc> persist
table <www> persist
# ACCESS TO EVERYTHING (BERNARDO)
pass in quick on $externa inet proto { tcp,udp,icmp } from 201.86.64.72 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 201.86.64.72 synproxy state
block in all
block out all
# ACCESS TO MIBBIT
pass in quick on $externa inet proto { tcp,udp,icmp } from 207.192.75.252 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 207.192.75.252 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 64.62.228.82 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 64.62.228.82 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 109.169.29.95 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 109.169.29.95 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 78.129.202.38 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 78.129.202.38 synproxy state
block drop in quick on $externa from <sshbf>
block drop in quick on $externa from <vlwc>
block drop in quick on $externa from <www>
block drop in quick on $externa proto { tcp,udp } from 201.62.188.29 to any
block drop in quick on $externa proto { tcp,udp } from any to 67.43.226.174
pass in quick on $externa inet proto { tcp,udp } from any to any port 1935
pass out quick on $externa inet proto { tcp,udp } from any to any port 1935
pass in quick on $externa inet proto { tcp,udp,icmp } from 187.112.66.222 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 187.112.66.222
# SELENA
pass in quick on $externa inet proto { tcp,udp,icmp } from 189.107.20.189 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 189.107.20.189
pass in quick on $externa inet proto { tcp,udp,icmp } from 72.20.41.159 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 72.20.41.159
SirDice
January 19th, 2011, 17:28
But when I use tcptrack, I can see all the connections:
189.41.221.78:57042 67.43.230.251:7004 SYN_SENT 14s 0 B/s
189.60.153.48:64299 67.43.230.251:7004 SYN_SENT 3s 0 B/s
189.41.221.78:57091 67.43.230.251:7004 SYN_SENT 8s 0 B/s
189.60.153.48:64311 67.43.230.251:7004 SYN_SENT 1s 0 B/s
189.41.221.78:57013 67.43.230.251:7004 SYN_SENT 26s 0 B/s
189.60.153.48:64274 67.43.230.251:7004 SYN_SENT 12s 0 B/s
No, all you are seeing is the machine itself sending the SYN packet. Even when it's blocked by the firewall, the application/OS will still send out a SYN. Because it's blocked, this SYN packet will get silently dropped by the firewall and never reach its destination. The application/OS, however, doesn't know this and will wait for the SYN-ACK until it times out. If you really want to "kill" the connection you'll need to return a RST packet. The application/OS will receive the RST and tear down the connection attempt.
block return-rst in quick on $externa inet proto tcp from <vlwc>
Obviously this only works for TCP connections. For UDP you'll need to return an ICMP port unreachable.
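A small check that turns the point above into something you can run against the output in this thread. It is an added example, not code from either poster: it parses the tcptrack lines posted in the first message, looks up each source address in an assumed copy of the <vlwc> table (the thread never shows the table contents, so the two entries below are constructed; pf tables may hold networks as well as hosts, which is why the lookup uses CIDR matching), and gives a verdict per connection. An entry that stays in SYN_SENT at 0 B/s means tcptrack captured a SYN and never saw a SYN-ACK, which is what a silent drop of a blocked source looks like; an entry from a blocked source that reaches ESTABLISHED is the case that would actually indicate the block rule is not matching (for instance because an earlier "pass ... quick" rule won). The function names and the verdict labels are my own.

```python
import ipaddress
import re
from collections import Counter

# tcptrack output exactly as posted in the thread: SRC:PORT DST:PORT STATE IDLE RATE
TCPTRACK_OUTPUT = """\
189.41.221.78:57042 67.43.230.251:7004 SYN_SENT 14s 0 B/s
189.60.153.48:64299 67.43.230.251:7004 SYN_SENT 3s 0 B/s
189.41.221.78:57091 67.43.230.251:7004 SYN_SENT 8s 0 B/s
189.60.153.48:64311 67.43.230.251:7004 SYN_SENT 1s 0 B/s
189.41.221.78:57013 67.43.230.251:7004 SYN_SENT 26s 0 B/s
189.60.153.48:64274 67.43.230.251:7004 SYN_SENT 12s 0 B/s
"""

# Assumed contents of the <vlwc> table (not shown in the thread): one host and
# one network, so the lookup exercises both kinds of table entry.
VLWC_TABLE = ["189.41.221.78", "189.60.153.0/24"]

LINE_RE = re.compile(
    r"^(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<idle>\d+)s\s+(?P<rate>.+)$"
)


def parse_tcptrack(text):
    """Parse tcptrack's one-line-per-connection output into dicts."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tcptrack line: {line!r}")
        d = m.groupdict()
        for key in ("sport", "dport", "idle"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def in_table(addr, table):
    """True if addr falls inside any host or network entry of a pf-style table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in table)


def audit(conns, table):
    """Classify each connection against the block table.

    dropped       - source is in the table and the handshake never completed
                    (SYN seen, no SYN-ACK): consistent with "block drop".
    leak          - source is in the table but the connection got past SYN_SENT:
                    the block rule did not match this traffic.
    not_in_table  - source is not covered by the table at all.
    """
    verdicts = []
    for c in conns:
        if not in_table(c["src"], table):
            verdict = "not_in_table"
        elif c["state"] == "SYN_SENT":
            verdict = "dropped"
        else:
            verdict = "leak"
        verdicts.append((c["src"], c["sport"], c["state"], c["idle"], verdict))
    return verdicts, Counter(v[-1] for v in verdicts)


if __name__ == "__main__":
    rows, summary = audit(parse_tcptrack(TCPTRACK_OUTPUT), VLWC_TABLE)
    for src, sport, state, idle, verdict in rows:
        print(f"{src}:{sport:<6} {state:<12} idle {idle:>3}s  -> {verdict}")
    print(dict(summary))
```

Because tcptrack reads packets with pcap, it is not the firewall's own view; to confirm what pf actually did, check the table membership with `pfctl -t vlwc -T test 189.41.221.78` and the state table with `pfctl -ss`, which should contain no entries for the blocked sources.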