I installed prosody in a jail and redirect the traffic to it with pf. With this config:
rdr on $EXT proto { tcp, udp } from any to any port $XMPP_PORTS -> 10.0.0.11
And for unknown reasons, at least for me, the s2s part just fails with error messages like this:
Sep 27 20:39:21 s2sin804074c40 info...
Hello all,
I have an anchor for tagging packets based on their source IP origin country. For this I create a bunch of files inside /etc/firewall/tables/dynamic/ which contain the network prefixes for a certain country. For example, here is the output of
head...
Hi guys!
I've spent a couple of days trying to set up a router in a virtual network using FreeBSD and I can't get it to work, I'm afraid.
A quick summary of what I have and what I want to achieve:
I have 2 interfaces: xn0, which is the external interface, and bridge0 which is internal.
The...
I've been using the PF module for NATing/firewalling purposes (8 cores, 16 GB RAM hardware); it seems to be doing well under normal traffic. But during TCP SYN floods it suffers a lot. I want the SYNPROXY feature to get enabled dynamically as the traffic increases for that particular rule (based...
Hi,
Can anyone tell me if PF can be bypassed by an outsider (intruder)? I have an IP address that has already been in my ip.blocked table for two days and still its scans reach the web platform of the site, where it is blocked by a firewall add-on/plugin at application level.
Any help is welcome.
Hi,
I have a problem with my PF, it seems, after all the verification made with pfctl -vnf /etc/pf.conf: NOT with the rulesets but with the number of tables and their size. Can this situation be adjusted? I can't control the size of the tables for zones because they are country-based IP net blocks.
So first I...
Hi,
I want to set up PF for round-robin NAT and ipfw for traffic shaping and filtering, but I can't find an appropriate description of a packet's trip through the firewalls in FreeBSD.
So if I specify in rc.conf:
firewall_enable="YES"
dummynet_enable="YES"
pf_enable="YES"
will it mean that packet...
Recently I started dabbling with Packet_Filter (PF) to set up my firewall. So far I read a bit in the PF Handbook and our FreeBSD Handbook (chapter on PF). The firewall works fine and the rules seem sane. However, I cannot connect to #freenode with PF enabled.
Does anyone know any pass command...
I ran into trouble with synproxy and net/haproxy. I've installed net/haproxy on server 10.0.0.2 and tried to apply synproxy in front of our webserver, but it didn't work. Here's the rule I used:
pass in on $ext_if proto tcp from 10.0.0.10 to 10.0.0.2 flags S/SA synproxy state
It worked with 'keep...
PF is divided into the sections:
* Macros - Variables are defined in this section. This simplifies changing hardware, or makes it easier to list a lot of arguments as a variable. IPs are not set here, but instead in the next section.
* Tables - Variables for IPs are defined here. This can be...