pf firewall

Greetings. I have public NIC with few public IPs assigned; $ext_if = my external NIC with my public Internet addresses $public_IP_1 = one of my public Internet IP (assigned as an alias and working on $ext_if) And 10.10.10.2 is my jail running on FreeBSD 14 host machine. I have the following PF...

Hello, I'm new to FreeBSD and trying to set up some sort of blocking for brute-force ssh attempts. Looking around it seemed like sshguard was a good solution. I tried to follow along with sshguard-setup(7) for the pf backend: SSHGuard adds attackers to table <sshguard>. Create the...

Hi, I have a FreeBSD 13.1 released installed on a machine and there is NO firewall service running on it, it has two interfaces one with public IP and the other with private IP. I can not ssh into the machine from a public IP apart from the public IP of the same network and I can ssh into the...

Hello Friends, I'm kinda new on FreeBSD firewall and i'm having some issues setting up a NFSv4 file server with a PF firewall. Every time I enable my firewall I get dropped from NFSv4. My pf.conf is very simple and it looks its working for both SSH and SMB but not for NFS: block in all pass...

I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload. This works for ssh connections: table <bruteforce> persist block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22 pass in log on $ext_if inet proto tcp to...

Preface I'm posting this in the Networking forum, though it could possibly be more valid in the Firewall forum. Moderators please move if required. Executive Summary I'm having an issue with very poor performance in one particular direction through a Wireguard tunnel between two FreeBSD 13.1...

Hi there, I'm new to PF but want to dive deep into it, as it seems very handy and powerful:) When I was reading the man pages of pf.conf, I saw the following information: BLOCKING SPOOFED TRAFFIC "Spoofing" is the faking of IP addresses, typically for malicious purposes. The...

I do not have a static IP for my computer connected by fiber to home. My ISP assigns an IP address by DHCP, is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand but this URL to a how-to guide points to a method...

I have this definition in /etc/pf.conf: table <WHITELIST> persist file "/var/db/pf/pf_white_list" When I add an address using pfctl I can see it is there: [root@gway04 ~ (master)]# pfctl -t WHITELIST -T add 72.140.215.253 1/1 addresses added. [root@gway04 ~ (master)]# pfctl -t WHITELIST -T...

# freebsd-version ; uname -a 13.0-RELEASE-p11 FreeBSD x 13.0-RELEASE-p11#0 Tue Apr 5 18:54:35 UTC 2022 root@amd64-builder.demonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 On this host I have sshd listening on this port: tcp 0 0 192.168.0.1.22...

Hi everyone, I try to configure a pf nat rule which is only applied on a specific user. Is that possible? Because I always get a syntax error with the following rule: nat log on if1 from self to 1.2.3.4/32 user myuser -> 2.3.4.5 In the log message I can see that the uid is logged correctly...

Hi All , I need to audit the rules and settings of a FreeBSD firewall against best practice ""my first time", the client has sent me a text file . Is there a software I can use to make this analysis? If not, what is the best process for auditing this FreeBSD firewall? Thank you

Under FreeBSD 13, I'm using PF and it was working fine till today. I've a <whitelist> table that I suspect it's not really working with PF. Any IPs within that file (table <whitelist> persist file "/var/pf/whitelist.txt") seems still getting blocked by PF, as I see through real-time by the...

Hi, when I activate PF in my server, I cause connectivity to my jails to be blocked (even when it should not). With PF disabled, everything works. I am likely doing something stupid, but I need other eyes to look at it. My jails are bound to the only active interface igb0: root@host # ifconfig...

Hi there. I have a VPS running nginx as web server, local unbound, local maria-db and sshd. I'd be glad if anyone could confirm that I have no weird rule for the main server purposes I listed above and so that I'd continue studying PF. :) So this is my pf.conf (FreeBSD 13) (the table "f2b"...

Having a in-home unbound server for dns queries, I'd like to block queries to other dns nameservers. Take the example of the 8.8.8.8 server. re0 is the network interface that connects to the router, also a FreeBSD box running a dns server. re0 is part of bridge10 as for vnet jails to have access...

Hi, my problem is very simple but I dont know how to solve it in my router(FBSD 13) I have 2 network interfaces , 1 is the WAN and the other is the LAN, pretty normal but in the WAN interface I have multiples Ip's , Rdr rules and one gateway the traffic from outside ,just enter fine to the...

Howdy, I recently started using pf (FreeBSD 13.0) as my home FW with very basic rules: lan="bge0" wan="bge1" set loginterface $wan set optimization normal set block-policy drop set skip on lo0 scrub on $wan all nat on $wan from $lan:network to any -> ($wan) block drop log all pass in on $lan...

Hello, I got some really valuable help earlier, improving pf rules for a web server, thanks again for that. I want to continue try making the life hard for some malicious beings out there. Example: tcpdump -n -e -ttt -r /var/log/pflog 00:00:03.008672 rule 16/0(match): block in on vmx0...

Hello, pf in FreeBSD is not my strongest side, is there anything I should improve (or anything missing) in our pf setup for a basic web server with low traffic? Thank you very much, ext_if="vmx0" me="11.22.33.44" good_tcp_ports="{ 33333,443,80,8080,25,22222 }" set skip on lo0 block in all...