I've always used route add to instantly BLACKHOLE malicious incoming IP addresses, which works fine (apache's not installed....so I don't believe .htaccess is an option):
But the BLACKHOLING only lasts 'til the next reboot and/or network restart. In addition, I need a way to BLACKHOLE new IPs...
I have a FreeBSD router where NAT is configured using PF. The NAT is working for ICMP and UDP, but not for TCP: whenever a TCP connection is attempted, I can see, from the PC in the LAN, the SYN packet going out and the SYN ACK packet coming in, but the client (web browser, ssh or whatever)...
I serve a website with Caddy from within a VNET jail. Instead of allowing the Caddy user (www) to bind to port 443, I use a redirect rule in pf:
pass in quick on $ext_if proto tcp from $lan_net to ($ext_if) port 443 rdr-to $caddyjail port 8443
Caddy supports HTTP/3 by default, and sends the...
The principle of least privilege can be defined as “A security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.”, and in the context of FreeBSD jails, this is where it really...
Hello, is this kind of setup even possible:
vServer (HOST): has a jail where Caddy runs. Host and Caddy are connected via epair0a and epair0b on a /30 subnet. A pf rule is set up on the host that forwards all traffic to Caddy. I have another jail called chat. It is connected to Caddy via epair1a and...
A quick note for those who don't already know that a new edition (the 4th) of "The Book of PF" is coming; the 3rd edition was 10 years ago.
For now it's only available for pre-order, so we can probably expect an official release soon.
What is nice about it, is the fact that the author has been...
Hello fellow FreeBSD users.
I'm new to BSD but I've been using Linux for quite a while.
So my issue is that I can't seem to ping my FreeBSD machine from other computers connected to the same LAN.
My machine has a fresh install and not much has been changed configuration wise.
I've been trying...
Hello.
I'm trying to set up policy based routing with pf.
Here is my routing rule:
pass in log (all) quick on { $lan_if $guest_if } route-to {$vps_tun $vps_gw} from any to 104.21.67.120
here is my nat rule:
nat log (all) on $vps_tun from any to 104.21.67.120 -> ($vps_tun)
it turns into...
SSHGuard in combination with pf on FreeBSD 14.0-RELEASE (fresh vanilla installation on Hetzner VPS) is behaving strangely. After starting, it either terminates immediately or after some variable time, indicating a potential issue with pf. Below are the details:
System Info:
FreeBSD myserver...
Hi,
I have a software that deploys a DNS forwarder and uses PF to redirect local DNS requests to the forwarder. All of sudden this schema stopped working and I am trying to figure out what could be the problem.
I am troubleshooting the issue and trying to verify every piece. My question is...
Hi mates!
During boot my FreeBSD box starts PF before the wg0 interface is created.
Enabling pf
no IP address found for wg0:network
/etc/pf.conf:5: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
/etc/rc: WARNING: Unable to load /etc/pf.conf.
Hi, I have a FreeBSD router with 2 WAN and 1 LAN
igb0 >> Modem0 > Default GW
igb1 >> Modem1
By default my usual load balancing setup looks like this:
pass in log (all) quick on igb2 route-to { (igb0 192.168.20.221), (igb1 192.168.41.111) } round-robin inet all flags S/SA keep state label "lb"...
I'm using a fairly strict PF ruleset on a server and I am having trouble with updating the system. I have port 80 and 443 open (http and https respectively) but I get a "No address record" error when I try to update the repositories. I also have port 21 open in case it used ftp, but it...
Hi, I have trouble with an IPsec & pf enc0 NAT problem. I show you my problematic scenario below; any help would be appreciated at this point.
STRONGSWAN CONFIGURATION
alfa7000 {
fragmentation = yes
unique = replace
version = 1
aggressive = no
proposals...
Hi, guys!
For a while I have used for my WHMCS setup a stack composed of Apache + mod_php as backend and nginx as reverse proxy.
I was thinking I'm safe until someone with a few proxies succeeded in opening enough connections and Apache ate the whole amount of RAM (2GB).
Any idea how to block this kind of...
Hi,
I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
Normally the firewalls follow this order: pf => ipfw, as you know.
I am trying to get this order:
input => ipfw => pf
but I think I cannot change this order without touching the kernel level.
When I did some research I found this...
Hello. I have such a problem.
I have FreeBSD 12.1-RELEASE router (with 3 interfaces) - LAN HOME(192.168.22.), LAN WORK(192.168.11.), WAN(1.2.3.4)
My router connects to NordVPN over OpenVPN as a client (creates a new TUN0 with address 10.8.0.3)
I want now to nat only one host from LAN_HOME (...
I have a remote FreeBSD server with a name server inside a jail. My rules are:
ext_if="em0"
ext_ip="X.X.X.X"
jail_net="10.0.0.0/24"
ns_ip="10.0.0.1"
icmp_types = "echoreq"
table <blacklist> persist file "/etc/pf/blacklist"
table <trusted> persist file "/etc/pf/trusted"
set block-policy drop
set...
Hello friends,
I need to configure a new BSD with PF to resolve this scenario...
[ISP]------bnx0[BSD]bnx4------{LAN 10.0.0.0/8}
ISP
IPv4 181.143.98.153/29
bnx0
Gateway 181.143.98.153
IPv4 181.143.98.157/29 <- ISP Public IP
bnx4
IPv4 177.126.32.1/22 <- Our own pool of public IPs
alias...
The purpose of this post is to try and clarify a few basic ideas in packet filtering that I'm having trouble reducing to firm principles in practice.
0. PF lives in the kernel and handles all packets as they pass between NI(C)'s and daemons
1. Packets are identified by the NIC of origin and...