pf firewall

  1. K

    PF To NAT or not to NAT? A host machine with PF and a jail running mail services

    Greetings. I have a public NIC with a few public IPs assigned; $ext_if = my external NIC with my public Internet addresses, $public_IP_1 = one of my public Internet IPs (assigned as an alias and working on $ext_if). And is my jail running on a FreeBSD 14 host machine. I have the following PF...
  2. B

    PF Setting up pf.conf for use with sshguard

    Hello, I'm new to FreeBSD and trying to set up some sort of blocking for brute-force ssh attempts. Looking around it seemed like sshguard was a good solution. I tried to follow along with sshguard-setup(7) for the pf backend: SSHGuard adds attackers to table <sshguard>. Create the...
  3. A

    ssh connection

    Hi, I have FreeBSD 13.1-RELEASE installed on a machine and there is NO firewall service running on it. It has two interfaces, one with a public IP and the other with a private IP. I cannot ssh into the machine from a public IP apart from the public IP of the same network, and I can ssh into the...
  4. D

    PF NFSv4 vs PF

    Hello Friends, I'm kinda new to the FreeBSD firewall and I'm having some issues setting up a NFSv4 file server with a PF firewall. Every time I enable my firewall I get dropped from NFSv4. My pf.conf is very simple and it looks like it's working for both SSH and SMB but not for NFS: block in all pass...
  5. L

    PF How to rate limit ping?

    I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload. This works for ssh connections: table <bruteforce> persist block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22 pass in log on $ext_if inet proto tcp to...
  6. djbon2112

    Poor performance in one direction via Wireguard tunnel

    Preface I'm posting this in the Networking forum, though it could possibly be more valid in the Firewall forum. Moderators please move if required. Executive Summary I'm having an issue with very poor performance in one particular direction through a Wireguard tunnel between two FreeBSD 13.1...
  7. W

    PF sincerely ask for help about "lo0" settings

    Hi there, I'm new to PF but want to dive deep into it, as it seems very handy and powerful :) When I was reading the man pages of pf.conf, I saw the following information: BLOCKING SPOOFED TRAFFIC "Spoofing" is the faking of IP addresses, typically for malicious purposes. The...
  8. Sivan!

    Is there a way to "mask" a DHCP assigned IP address in a personal computer?

    I do not have a static IP for my computer connected by fiber to home. My ISP assigns an IP address by DHCP. Is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand, but this URL to a how-to guide points to a method...
  9. byrnejb

    Solved Persistent TABLES

    I have this definition in /etc/pf.conf: table <WHITELIST> persist file "/var/db/pf/pf_white_list" When I add an address using pfctl I can see it is there: [root@gway04 ~ (master)]# pfctl -t WHITELIST -T add 1/1 addresses added. [root@gway04 ~ (master)]# pfctl -t WHITELIST -T...
  10. byrnejb

    PF Unable to establish ssh link to host running pf.

    # freebsd-version ; uname -a 13.0-RELEASE-p11 FreeBSD x 13.0-RELEASE-p11#0 Tue Apr 5 18:54:35 UTC 2022 amd64 On this host I have sshd listening on this port: tcp 0 0
  11. L

    PF pf nat rule for a specific user

    Hi everyone, I try to configure a pf nat rule which is only applied on a specific user. Is that possible? Because I always get a syntax error with the following rule: nat log on if1 from self to user myuser -> In the log message I can see that the uid is logged correctly...
  12. D

    IPFW Auditing Firewall Rules and settings against best practice and security risk

    Hi All, I need to audit the rules and settings of a FreeBSD firewall against best practice ("my first time"); the client has sent me a text file. Is there a software I can use to make this analysis? If not, what is the best process for auditing this FreeBSD firewall? Thank you
  13. K

    PF A weird PF whitelist problem

    Under FreeBSD 13, I'm using PF and it was working fine till today. I've a <whitelist> table that I suspect is not really working with PF. Any IPs within that file (table <whitelist> persist file "/var/pf/whitelist.txt") seem to still be getting blocked by PF, as I see in real time through the...
  14. lifepillar

    PF Issue with configuration blocking access to jails on ip aliases attached to external interface

    Hi, when I activate PF in my server, I cause connectivity to my jails to be blocked (even when it should not). With PF disabled, everything works. I am likely doing something stupid, but I need other eyes to look at it. My jails are bound to the only active interface igb0: root@host # ifconfig...
  15. K

    PF PF config suggestions - web server?

    Hi there. I have a VPS running nginx as web server, local unbound, local maria-db and sshd. I'd be glad if anyone could confirm that I have no weird rule for the main server purposes I listed above and so that I'd continue studying PF. :) So this is my pf.conf (FreeBSD 13) (the table "f2b"...
  16. L

    Solved Block queries to some nameservers

    Having an in-home unbound server for dns queries, I'd like to block queries to other dns nameservers. Take the example of the server. re0 is the network interface that connects to the router, also a FreeBSD box running a dns server. re0 is part of bridge10 so that vnet jails have access...
  17. wolffnx

    multiple ip and gateways

    Hi, my problem is very simple but I don't know how to solve it in my router (FBSD 13). I have 2 network interfaces, 1 is the WAN and the other is the LAN, pretty normal, but on the WAN interface I have multiple IPs, rdr rules and one gateway. The traffic from outside just enters fine to the...
  18. S

    PF pf rule not being used

    Howdy, I recently started using pf (FreeBSD 13.0) as my home FW with very basic rules: lan="bge0" wan="bge1" set loginterface $wan set optimization normal set block-policy drop set skip on lo0 scrub on $wan all nat on $wan from $lan:network to any -> ($wan) block drop log all pass in on $lan...
  19. Aknot

    Solved Eventually they will find what they are looking for (setting up fail2ban with pf)

    Hello, I got some really valuable help earlier, improving pf rules for a web server, thanks again for that. I want to continue trying to make life hard for some malicious beings out there. Example: tcpdump -n -e -ttt -r /var/log/pflog 00:00:03.008672 rule 16/0(match): block in on vmx0...
  20. Aknot

    Solved Improve rules for a web server (newbie about pf)

    Hello, pf in FreeBSD is not my strongest side, is there anything I should improve (or anything missing) in our pf setup for a basic web server with low traffic? Thank you very much, ext_if="vmx0" me="" good_tcp_ports="{ 33333,443,80,8080,25,22222 }" set skip on lo0 block in all...