pf firewall

Hello Friends, I'm kinda new on FreeBSD firewall and i'm having some issues setting up a NFSv4 file server with a PF firewall. Every time I enable my firewall I get dropped from NFSv4. My pf.conf is very simple and it looks its working for both SSH and SMB but not for NFS: block in all pass...

I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload. This works for ssh connections: table <bruteforce> persist block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22 pass in log on $ext_if inet proto tcp to...

Preface I'm posting this in the Networking forum, though it could possibly be more valid in the Firewall forum. Moderators please move if required. Executive Summary I'm having an issue with very poor performance in one particular direction through a Wireguard tunnel between two FreeBSD 13.1...

Hi there, I'm new to PF but want to dive deep into it, as it seems very handy and powerful:) When I was reading the man pages of pf.conf, I saw the following information: BLOCKING SPOOFED TRAFFIC "Spoofing" is the faking of IP addresses, typically for malicious purposes. The...

I do not have a static IP for my computer connected by fiber to home. My ISP assigns an IP address by DHCP, is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand but this URL to a how-to guide points to a method...

I have this definition in /etc/pf.conf: table <WHITELIST> persist file "/var/db/pf/pf_white_list" When I add an address using pfctl I can see it is there: [root@gway04 ~ (master)]# pfctl -t WHITELIST -T add 72.140.215.253 1/1 addresses added. [root@gway04 ~ (master)]# pfctl -t WHITELIST -T...

# freebsd-version ; uname -a 13.0-RELEASE-p11 FreeBSD x 13.0-RELEASE-p11#0 Tue Apr 5 18:54:35 UTC 2022 root@amd64-builder.demonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 On this host I have sshd listening on this port: tcp 0 0 192.168.0.1.22...

Hi everyone, I try to configure a pf nat rule which is only applied on a specific user. Is that possible? Because I always get a syntax error with the following rule: nat log on if1 from self to 1.2.3.4/32 user myuser -> 2.3.4.5 In the log message I can see that the uid is logged correctly...

Hi All , I need to audit the rules and settings of a FreeBSD firewall against best practice ""my first time", the client has sent me a text file . Is there a software I can use to make this analysis? If not, what is the best process for auditing this FreeBSD firewall? Thank you

Under FreeBSD 13, I'm using PF and it was working fine till today. I've a <whitelist> table that I suspect it's not really working with PF. Any IPs within that file (table <whitelist> persist file "/var/pf/whitelist.txt") seems still getting blocked by PF, as I see through real-time by the...

Hi, when I activate PF in my server, I cause connectivity to my jails to be blocked (even when it should not). With PF disabled, everything works. I am likely doing something stupid, but I need other eyes to look at it. My jails are bound to the only active interface igb0: root@host # ifconfig...

Hi there. I have a VPS running nginx as web server, local unbound, local maria-db and sshd. I'd be glad if anyone could confirm that I have no weird rule for the main server purposes I listed above and so that I'd continue studying PF. :) So this is my pf.conf (FreeBSD 13) (the table "f2b"...

Having a in-home unbound server for dns queries, I'd like to block queries to other dns nameservers. Take the example of the 8.8.8.8 server. re0 is the network interface that connects to the router, also a FreeBSD box running a dns server. re0 is part of bridge10 as for vnet jails to have access...

Howdy, I recently started using pf (FreeBSD 13.0) as my home FW with very basic rules: lan="bge0" wan="bge1" set loginterface $wan set optimization normal set block-policy drop set skip on lo0 scrub on $wan all nat on $wan from $lan:network to any -> ($wan) block drop log all pass in on $lan...

Hello, I got some really valuable help earlier, improving pf rules for a web server, thanks again for that. I want to continue try making the life hard for some malicious beings out there. Example: tcpdump -n -e -ttt -r /var/log/pflog 00:00:03.008672 rule 16/0(match): block in on vmx0...

Hello, pf in FreeBSD is not my strongest side, is there anything I should improve (or anything missing) in our pf setup for a basic web server with low traffic? Thank you very much, ext_if="vmx0" me="11.22.33.44" good_tcp_ports="{ 33333,443,80,8080,25,22222 }" set skip on lo0 block in all...

Hello, For the past 3 weeks I have been testing PF firewall and so far so good except for the rules not loading automatically on reboot. I load the rules using pfctl -F all -f /etc/pf.conf and all works great. I did change my default kernel to accomodate altq I actually had to redo the kernel...

EDIT: 17MAR2021 I would like to make a quick note showing how I solved this. I actually noticed my mistake after reading reading this forum post. I never allowed my vm-bhyve interface vm-public through my firewall. Because my default setting is to simply block everything, my VMs weren't...

Hi all, Could somebody with some knowledge and experience have a look at my pf.conf before I start using it, to make sure I'm not doing anything stupid with it? I am using FreeBSD 12.2 on a laptop connected via wifi to my ISP router and the VPN provided for work. I am using OpenVPN and...

Hey guys, this is my first post here, I am hoping I respect all the rules of this wonderful forum. I am setting up some services, moving from Ubuntu to FreeBSD in my company. We have 3 environments: - Test: all services in one server - Acceptance: Database and Redis in one server, rest of...