pf firewall

  1. nbari

    PF seems not to be stateful in promiscuous mode

    While creating some VM's with Bhyve + IPv6 I had to create a bridge and therefore the main network card had to be in promiscuous (`promisc`) mode. Eventually, I managed to get the VM's to work but started to notice a strange behavior (mainly timeouts and very slow responses) on the host while trying to...
  2. DD

    PF PF doesn't remove any states from the state table

    Hi all, I have the weirdest of the problems. I have a 10.4-release server with Nagios and a bunch of OpenVPN's on it and since I've upgraded to 10.4 from 10.3 after running peachy for a while it starts not removing the states from PF's state table, any state of any protocol. Being a Nagios...
  3. M

    PF PF & max-src-conn-rate

    I'm not sure if I am understanding the configuration correctly. pass in log on $EXT_IF inet proto tcp from any to $SERVER port $SSH \ flags S/SA keep state \ (max-src-conn-rate 3/6, overload <blacklist> flush global) I was under the impression that 3 connections within 6 seconds...
  4. DemoNIck

    Proper routing and gateway configuration between 2 LAN IPs

    There is a network topology which cannot be changed/altered as following: [FILESERVER]---192.168.254.1---->|======| [LANPC1]--------192.168.254.x---->| SWITCH |<--192.168.254.254--[MODEM]--->INTERNET [LANPC2]--------192.168.254.x---->|======| The FILESERVER (FreeBSD 11.1-RELEASE) is running...
  5. Farhan Khan

    PF pf Redirect from IPv4 to IPv6

    Hi all, I am trying to forward traffic from my IPv4 address on port 8000 to a jail's IPv6 address on the same port. Is that possible? My line in /etc/pf.conf is: rdr on vtnet0 proto tcp from any to [IPv4 Address] port 8000 -> [IPv6 Address] port 8000 This comes back with an unspecified syntax...
  6. NapoleonWils0n

    Openvpn up and down scripts for split tunnel and pf

    Hi All, I'm a Linux user making the switch to FreeBSD, got everything set up except for one last thing. I'm trying to set up a split route with OpenVPN and the pf firewall. I did read the FreeBSD manual and a couple of books about pf and googled before posting. I have Linux up and down scripts for...
  7. barrandrea

    PF Redirect all traffic from ip to another

    Hi, I need to redirect all traffic from a private IP address attested on a local interface to a public IP address. The old configuration with iptables is something like this: iptables:-A PREROUTING -d $private_ip/32 -i $int_if -j DNAT --to-destination $public_ip iptables:-A PREROUTING ! -d...
  8. P

    PF How to delete one rule in PF ?

    Hello, From the pfctl man page I know how to flush and disable/enable pf. But how can I remove from the CLI only one rule, without fully flushing and reloading the config file? For example, I add an on-the-fly command for port forwarding: echo 'rdr pass proto tcp from any to any port 37 -> 10.0.0.2' | pfctl -f...
  9. K

    PF Firewall in OpenVPN client mode can't do port forwarding

    I have a FreeBSD firewall/router using PF with OpenVPN configured as client mode so that all my traffic goes through the vpn connection via the vpn provider. When the OpenVPN connection is active on my firewall I can't get port forwarding to work properly on the internet facing interface, this...
  10. l33tname

    Solved Prosody s2s connection-timeout in jail

    I installed prosody in a jail and redirect the traffic to it with pf. With this config: rdr on $EXT proto { tcp, udp } from any to any port $XMPP_PORTS -> 10.0.0.11 And for unknown reasons, at least for me, the s2s part just fails with error messages like this: Sep 27 20:39:21 s2sin804074c40 info...
  11. D

    PF Anchor not working

    Hello all, I have an anchor for tagging packets based on their source IP origin country. For this I create a bunch of files inside /etc/firewall/tables/dynamic/ which contain the network prefixes for a certain country. For example, here is the output of head...
  12. I

    Solved NAT with forwarding is not working

    Hi guys! I've been a couple of days trying to set up a router in a virtual network using FreeBSD and I can't get it work I'm afraid. A quick summary of what I have and what I want to achieve: I have 2 interfaces: xn0, which is the external interface, and bridge0 which is internal. The...
  13. Irah

    PF Porting SYN cookies implementation to PF module of FreeBSD

    I've been using the PF module for NATing/firewalling purposes (8 cores, 16 GB RAM hardware), it seems to be doing good under normal traffic. But during TCP SYN floods it suffers a lot. I want the SYNPROXY feature to get enabled dynamically as the traffic increases for that particular rule (based...
  14. S

    PF Can PF be bypassed?

    Hi, Can anyone tell me if PF can be bypassed by an outsider (intruder)? I have an IP address that has already been in my ip.blocked table for two days and still its scans reach the web platform of the site, where it is blocked by a firewall add-on/plugin at application level. Any help is welcome.
  15. S

    PF PF doesn't load at startup time in FreeBSD 10.1

    Hi, I have a problem with my PF. It seems, after all verification made with pfctl -vnf /etc/pf.conf, the problem is NOT with the rulesets but with the number of tables and their size. Can this situation be adjusted? I can't control the size of the tables for zones because they are country-based IP net blocks. So first I...
  16. M

    IPFW PF & IPFW: packet passing order

    Hi, I want to setup PF for round-robin NAT and ipfw for traffic shaping and filtering, but I can't find an appropriate description of a packet trip through firewalls in FreeBSD. So if I'll specify in rc.conf: firewall_enable="YES" dummynet_enable="YES" pf_enable="YES" will it mean that packet...
  17. A

    Solved PF rules for IRC traffic

    Recently I started dabbling with Packet_Filter (PF) to set up my firewall. So far I read a bit in the PF Handbook and our FreeBSD Handbook (chapter on PF). The firewall works fine and the rules seem sane. However, I cannot connect to #freenode with PF enabled. Does anyone know any pass command...
  18. M

    PF Problem with synproxy and haproxy

    I ran into trouble with synproxy and net/haproxy. I've installed net/haproxy on server 10.0.0.2 and tried to apply synproxy in front of our webserver, but it didn't work. Here's the rule I used: pass in on $ext_if proto tcp from 10.0.0.10 to 10.0.0.2 flags S/SA synproxy state It worked with 'keep...
  19. sidetone

    Guide: pf.conf quick reference

    PF is divided into the sections: * Macros - Variables are defined in this section. This simplifies changing hardware, or makes it easier to list a lot of arguments as a variable. IPs are not set here, but instead in the next section. * Tables - Variables for IPs are defined here. This can be...