Hi Guys, i'm trying to use this on my pf.conf
my pf.conf is
but i'm receiving
what am I exactly wrong? do I have to do anything else to declare the table? thank you
Code:
table <other-blocked> persist file "/root/geoblock.txt"
block in log quick on $ext_if from <other-blocked> to any
Code:
# Source and tutorial - https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/
# /usr/local/etc/pf.conf
#
## Set your public interface ##
ext_if="vtnet0"
## Set your server public IP address ##
#table <blockedips> persist file "/root/geoblock.txt"
ext_if_ip="IP"
## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
table <other-blocked> persist file "/root/geoblock.txt"
block in log quick on $ext_if from <other-blocked> to any
#table <spam> persist file "/root/geoblock.txt"
#block on fxp0 from <spam> to any
## Set http(80)/https (443) port here ##
webports = "{https}"
## enable these services ##
int_tcp_services = "{domain, https, ssh}"
int_udp_services = "{domain}"
#table counters file "/usr/local/etc/blocked/geoblock"
## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
### Set default policy ##
#block return in log all
#block out all
set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
## Blocking spoofed packets
antispoof quick for $ext_if
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22
# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq
# All access to our Nginx/Apache/Lighttpd Webserver ports
#pass proto tcp from any to $ext_if port $webports
# Allow essential outgoing traffic
#pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
# Add custom rules below
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)
#block drop in log (all) quick on $ext_if from <blockedips> to any
#block drop in on $ext_if from <list> to any
#pass in proto tcp from any to any port 3000
#pass in proto tcp from any to any port 3066
# create or touch /etc/pf.abusers
#table <abusers> persist file "/usr/local/etc/blocked/geoblock"
#table <ossec_fwtable> persist
#table <blocked_hosts> persist
# http://en.wikipedia.org/wiki/Reserved_IP_addresses
#table <blocked_nets> {
# 127.0.0.1/8, \
# 240.0.0.0/4 }
# vim: set ft=pf
Code:
Disabling pf.
Enabling pf/usr/local/etc/pf.conf:12: cannot define table other-blocked: Invalid argument
/usr/local/etc/pf.conf:32: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:40: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:41: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:42: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:43: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:49: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded
what am I exactly wrong? do I have to do anything else to declare the table? thank you