pf firewall

  1. D

    PF NFSv4 vs PF

    Hello Friends, I'm kinda new to the FreeBSD firewall and I'm having some issues setting up an NFSv4 file server with a PF firewall. Every time I enable my firewall I get dropped from NFSv4. My pf.conf is very simple and it looks like it's working for both SSH and SMB but not for NFS: block in all pass...
  2. L

    PF How to rate limit ping?

    I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload. This works for ssh connections: table <bruteforce> persist block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22 pass in log on $ext_if inet proto tcp to...
  3. djbon2112

    Poor performance in one direction via Wireguard tunnel

    Preface I'm posting this in the Networking forum, though it could possibly be more valid in the Firewall forum. Moderators please move if required. Executive Summary I'm having an issue with very poor performance in one particular direction through a Wireguard tunnel between two FreeBSD 13.1...
  4. W

    PF sincerely ask for help about "lo0" settings

    Hi there, I'm new to PF but want to dive deep into it, as it seems very handy and powerful:) When I was reading the man pages of pf.conf, I saw the following information: BLOCKING SPOOFED TRAFFIC "Spoofing" is the faking of IP addresses, typically for malicious purposes. The...
  5. Sivan!

    Is there a way to "mask" a DHCP assigned IP address in a personal computer?

    I do not have a static IP for my computer connected by fiber to home. My ISP assigns an IP address by DHCP. Is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand, but this URL to a how-to guide points to a method...
  6. byrnejb

    Solved Persistent TABLES

    I have this definition in /etc/pf.conf: table <WHITELIST> persist file "/var/db/pf/pf_white_list" When I add an address using pfctl I can see it is there: [root@gway04 ~ (master)]# pfctl -t WHITELIST -T add 1/1 addresses added. [root@gway04 ~ (master)]# pfctl -t WHITELIST -T...
  7. byrnejb

    PF Unable to establish ssh link to host running pf.

    # freebsd-version ; uname -a 13.0-RELEASE-p11 FreeBSD x 13.0-RELEASE-p11#0 Tue Apr 5 18:54:35 UTC 2022 amd64 On this host I have sshd listening on this port: tcp 0 0
  8. L

    PF pf nat rule for a specific user

    Hi everyone, I try to configure a pf nat rule which is only applied on a specific user. Is that possible? Because I always get a syntax error with the following rule: nat log on if1 from self to user myuser -> In the log message I can see that the uid is logged correctly...
  9. D

    IPFW Auditing Firewall Rules and settings against best practice and security risk

    Hi all, I need to audit the rules and settings of a FreeBSD firewall against best practice ("my first time"); the client has sent me a text file. Is there a software I can use to make this analysis? If not, what is the best process for auditing this FreeBSD firewall? Thank you
  10. K

    PF A weird PF whitelist problem

    Under FreeBSD 13, I'm using PF and it was working fine till today. I have a <whitelist> table that I suspect is not really working with PF. Any IPs within that file (table <whitelist> persist file "/var/pf/whitelist.txt") seem to still be getting blocked by PF, as I see in real time by the...
  11. lifepillar

    PF Issue with configuration blocking access to jails on ip aliases attached to external interface

    Hi, when I activate PF in my server, I cause connectivity to my jails to be blocked (even when it should not). With PF disabled, everything works. I am likely doing something stupid, but I need other eyes to look at it. My jails are bound to the only active interface igb0: root@host # ifconfig...
  12. K

    PF PF config suggestions - web server?

    Hi there. I have a VPS running nginx as web server, local unbound, local maria-db and sshd. I'd be glad if anyone could confirm that I have no weird rule for the main server purposes I listed above and so that I'd continue studying PF. :) So this is my pf.conf (FreeBSD 13) (the table "f2b"...
  13. L

    Solved Block queries to some nameservers

    Having an in-home unbound server for DNS queries, I'd like to block queries to other DNS nameservers. Take the example of the server. re0 is the network interface that connects to the router, also a FreeBSD box running a DNS server. re0 is part of bridge10 so that vnet jails have access...
  14. S

    PF pf rule not being used

    Howdy, I recently started using pf (FreeBSD 13.0) as my home FW with very basic rules: lan="bge0" wan="bge1" set loginterface $wan set optimization normal set block-policy drop set skip on lo0 scrub on $wan all nat on $wan from $lan:network to any -> ($wan) block drop log all pass in on $lan...
  15. Aknot

    Solved Eventually they will find what they are looking for (setting up fail2ban with pf)

    Hello, I got some really valuable help earlier improving pf rules for a web server, thanks again for that. I want to continue trying to make life hard for some malicious beings out there. Example: tcpdump -n -e -ttt -r /var/log/pflog 00:00:03.008672 rule 16/0(match): block in on vmx0...
  16. Aknot

    Solved Improve rules for a web server (newbie about pf)

    Hello, pf in FreeBSD is not my strongest side, is there anything I should improve (or anything missing) in our pf setup for a basic web server with low traffic? Thank you very much, ext_if="vmx0" me="" good_tcp_ports="{ 33333,443,80,8080,25,22222 }" set skip on lo0 block in all...
  17. T

    Solved PF Packet Filter not loading rules on reboot manual required

    Hello, For the past 3 weeks I have been testing the PF firewall and so far so good, except for the rules not loading automatically on reboot. I load the rules using pfctl -F all -f /etc/pf.conf and all works great. I did change my default kernel to accommodate altq; I actually had to redo the kernel...
  18. B

    bhyve No Network Connection From bhyve Guest With PF Enabled

    EDIT: 17MAR2021 I would like to make a quick note showing how I solved this. I actually noticed my mistake after reading this forum post. I never allowed my vm-bhyve interface vm-public through my firewall. Because my default setting is to simply block everything, my VMs weren't...
  19. N

    PF PF firewall pf.conf Review

    Hi all, Could somebody with some knowledge and experience have a look at my pf.conf before I start using it, to make sure I'm not doing anything stupid with it? I am using FreeBSD 12.2 on a laptop connected via wifi to my ISP router and the VPN provided for work. I am using OpenVPN and...
  20. jjbigorra

    NGINX on several jails or on host?

    Hey guys, this is my first post here, I am hoping I respect all the rules of this wonderful forum. I am setting up some services, moving from Ubuntu to FreeBSD in my company. We have 3 environments: - Test: all services in one server - Acceptance: Database and Redis in one server, rest of...