pf rules

  1. blueCub

    Solved Help Getting PF to work with my Git Jail

    Hi all, I have an issue with my PF rules and I would like to understand why this is happening and how to solve it. I have very basic knowledge of PF and this is kind of a learning curve for me. I have a gitea server running inside a jail in a vm. It works...
  2. J

    PF Blacklisting and/or whitelisting in (BSD) pf

    I am considering a pf rule like this: pass in on $ext_if inet proto tcp from <ssh_clients> to ($ext_if) port $myssh keep state (max-src-conn 9, max-src-conn-rate 2/5, overload <blocked_guests> flush global) But I am not sure if allowing ssh connections only from a whitelist (ssh_clients) will...
  3. Kay

    How to jail miniDLNA with NAT

    Hi, I'm trying to set up a miniDLNA server inside a jail. When it's inside a jail, my LAN clients cannot access it. But if miniDLNA is installed outside of the jail, my LAN clients can successfully access it. My jail has its private IP ( address on host's lo1 interface. I then...
  4. F

    PF rules logic

    Hi everyone, I've had no problems with my PF rules for a while, until recently I installed FreeRADIUS. The problem I'm having now is that I don't seem to grasp the logic of PF rules. What I need is to let in packets on port 1812 (radius) and block all the rest. Here is the ruleset I've created...
  5. Martian

    PF redirect local outgoing packets

    Hello, I'm trying to set up port multiplexing using sslh. Importantly, I have to use that nice 'transparent' feature that makes traffic distributed locally from sslh look like it comes from the external interface. It looks something like this: Browser[A]-----------[http/ssl]-------> sslh[B 443]...
  6. blueCub

    Solved PF block not stopping access to my jail

    Hello there, I have a jail inside a VM. I installed Gitea inside the jail and configured PF (nat) to forward traffic coming in on port 2000 to the jail port 3000 (the Gitea web application) and left port 10000 for the ssh (for git) inside the jail. All was okay so far till recently, when I checked my...
  7. Farhan Khan

    PF pf Redirect from IPv4 to IPv6

    Hi all, I am trying to forward traffic from my IPv4 address on port 8000 to a jail's IPv6 address on the same port. Is that possible? My line in /etc/pf.conf is: rdr on vtnet0 proto tcp from any to [IPv4 Address] port 8000 -> [IPv6 Address] port 8000 This comes back with an unspecified syntax...
  8. D

    PF Socket connectivity between jails on different interfaces.

    Hi all- I recently jailed my externally-web-accessible services for security reasons. I currently have two separate jails: vpnjail: this jail hosts rtorrent, and connects to the outside world over a persistent openvpn connection on tun0. webjail: this jail hosts standard webservices such as...
  9. R

    Solved OpenVPN on FreeBSD 11

    I am trying to set up an OpenVPN server on FreeBSD 11 but I am not able to access the Internet from the Linux client. Ping and SSH connection to the VPN server work. I am using the same config with a different OpenVPN server running on CentOS without any problems. No firewall yet on either side. Error log on...
  10. big_girl

    PF pf syntax for tables

    After looking here, I'm getting some unexpected errors in a simple pf.conf while just trying to use tables correctly- cat /etc/pf.conf table <martians> const {,, } table <martians_10> const { } table <martians_169> const { } pfctl...
  11. scrappywan

    FreeBSD VPS Jailed Web Servers Network Isolation

    I have a VPS on Digitalocean on which I used mfsbsd to reinstall FreeBSD with ZFS/zroot, with PF as my firewall. My plan with this VPS is to run wordpress, a static site and owncloud each in their own jails. Currently, I use nginx on the host machine running as a reverse proxy, intercepting https...
  12. S

    PF Can PF be bypassed?

    Hi, can anyone tell me if PF can be bypassed by an outsider (intruder)? I have an IP address that has already been in my ip.blocked table for two days and still its scans reach the web platform of the site, where it is blocked by a firewall add-on/plugin at application level. Any help is welcome.
  13. pentago

    PF Need feedback/improvement suggestions on PF ruleset

    Hi, I just wanted to ask for feedback or improvement suggestions on my PF ruleset made for host and 10-ish jails serving apps and web. I'm particularly interested in suggestions on rule ordering, if it can be improved and optimized as well as suggestions on section for connection...
  14. S

    PF PF doesn't load at startup time in FreeBSD 10.1

    Hi, I have a problem with my PF. It seems that, after all verification made with pfctl -vnf /etc/pf.conf, the issue is NOT with the rulesets but with the number of tables and their size. Can this situation be adjusted? I can't control the size of the tables for zones because they are country-based IP net blocks. So first I...
  15. joel.bodenmann

    Solved PF Not blocking MySQL port (beginner question)

    Hello folks, I just recently started using PF so bear with me. What I want my firewall to do is to block all incoming traffic except SSH and HTTP. Furthermore, I'd like to blacklist the IPs that try to bruteforce SSH. After a few hours of reading this is what I came up with: if="em0" lo="lo0"...