pf rules

  1. S

    PF Macro names vs 'Firewall Object' names - feature request for more flexible naming

    Many other enterprise class firewall and network security systems (such as Fortinet, Cisco, Juniper, CheckPoint, PaloAlto, etc.) allow the use of the period ("."), the hyphen ("-") and some even the commercial at ("@") symbol in the names of firewall objects such as Network or IP Address...
  2. J

    PF pf rule to NAT all interfaces except en0 and en1

    Situation: VPN server, hosting OpenVPN and L2TP connections. OpenVPN connections share a "utun" interface, one per OpenVPN server process. L2TP connections each get a unique "ppp" interface. Given the variable number & names of virtual interfaces, the easiest way to capture all of the potential...
  3. JozanOfAstora

    PF pf syntax error

    Hi, I am trying to follow this guide: https://www.vultr.com/docs/building-your-own-mail-server-with-freebsd-11 Unfortunately when copying the pf config and starting the daemon (or reloading the config with pfctl -f /usr/local/etc/pf.conf) I get this output: /usr/local/etc/pf.conf:27: syntax...
  4. L

    PF pf nat rule for a specific user

    Hi everyone, I try to configure a pf nat rule which is only applied on a specific user. Is that possible? Because I always get a syntax error with the following rule: nat log on if1 from self to 1.2.3.4/32 user myuser -> 2.3.4.5 In the log message I can see that the uid is logged correctly...
  5. K

    PF Allow DHCP within PF

In terms of PF rules (enabled, actively running in my VPS), which way is the best way to allow a DHCP server (of my VPS provider) to connect and define an IP to my VPS without any prevention? 1- pass quick proto udp from any to 255.255.255.255 or 2- pass in quick on $ext_if inet proto udp from any...
  6. A

    PF Redirecting port traffic through alternate interface

    Hello, I would like to send port 80 and 443 traffic out one interface while all other traffic goes via another. Specifically, I'd like all 80 and 443 traffic to go out the wifi interface while all other traffic goes out the wired ethernet interface. I tried various filtering rules to no avail...
  7. micski

    PF DNS query attack: PF unable to block IP addresses from table

A BIND DNS on FreeBSD is under attack from hundreds of hosts that are sending DNS queries non-stop. Every query is about an unknown domain pizzaseo.com. The DNS has access control lists that limit recursive queries and cache to known users only, but obviously this attack is able to break...
  8. S

    PF NAT redirect not working

Hello. I've been using FreeBSD and PF for a while now and it's really nice :) I have one problem though. I have a FreeBSD box as a gateway with NAT and firewall, and in my local LAN I have more computers behind it. The computers are running various types of services. So now I have a NAS behind...
  9. Rand0m

    Solved Help Getting PF to work with my Git Jail

Hi all, I have an issue with my PF rules and I would like to understand why this is happening and how to solve it. I have very basic knowledge of PF and this is kind of a learning curve for me. I have a gitea server https://www.freshports.org/www/gitea/ running inside a jail in a VM. It works...
  10. J

    PF Blacklisting and/or whitelisting in (BSD) pf

    I am considering a pf rule like this: pass in on $ext_if inet proto tcp from <ssh_clients> to ($ext_if) port $myssh keep state (max-src-conn 9, max-src-conn-rate 2/5, overload <blocked_guests> flush global) But I am not sure if allowing ssh connections only from a whitelist (ssh_clients) will...
  11. klu

    How to jail miniDLNA with NAT

Hi, I'm trying to set up a miniDLNA server inside a jail. When it's inside a jail, my LAN clients cannot access it. But if miniDLNA is installed outside of the jail, my LAN clients can successfully access it. My jail has its private IP (192.168.60.3) address on the host's lo1 interface. I then...
  12. F

    PF rules logic

Hi everyone, I've had no problems with my PF rules for a while, until recently I installed FreeRADIUS. The problem I'm having now is that I don't seem to grasp the logic of PF rules. What I need is to let in packets on port 1812 (radius) and block all the rest. Here is the ruleset I've created...
  13. Martian

    PF redirect local outgoing packets

Hello, I'm trying to set up port multiplexing using sslh. Importantly, I have to use that nice 'transparent' feature that makes traffic distributed locally from sslh look like it comes from the external interface. It looks something like this: Browser[A]-----------[http/ssl]-------> sslh[B 443]...
  14. Rand0m

    Solved PF block not stopping access to my jail

Hello there, I have a jail inside a VM. I installed Gitea inside the jail and configured PF (nat) to forward traffic coming in on port 2000 to the jail's port 3000 (the Gitea web application), and left port 10000 for ssh (for git) inside the jail. All was okay so far, till recently I checked my...
  15. Farhan Khan

    PF pf Redirect from IPv4 to IPv6

    Hi all, I am trying to forward traffic from my IPv4 address on port 8000 to a jail's IPv6 address on the same port. Is that possible? My line in /etc/pf.conf is: rdr on vtnet0 proto tcp from any to [IPv4 Address] port 8000 -> [IPv6 Address] port 8000 This comes back with an unspecified syntax...
  16. D

    PF Socket connectivity between jails on different interfaces.

    Hi all- I recently jailed my externally-web-accessible services for security reasons. I currently have two separate jails: vpnjail: this jail hosts rtorrent, and connects to the outside world over a persistent openvpn connection on tun0. webjail: this jail hosts standard webservices such as...
  17. R

    Solved OpenVPN on FreeBSD 11

I am trying to set up an OpenVPN server on FreeBSD 11 but I am not able to access the Internet from a Linux client. Ping and SSH connections to the VPN server work. I am using the same config with a different OpenVPN server running on CentOS without any problems. No firewall yet on either side. Error log on...
  18. big_girl

    PF pf syntax for tables

After looking here, I'm getting some unexpected errors in a simple pf.conf while just trying to use tables correctly: cat /etc/pf.conf table <martians> const { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8 } table <martians_10> const { 10.0.0.0/8 } table <martians_169> const { 169.254.0.0/16 } pfctl...
  19. scrappywan

    FreeBSD VPS Jailed Web Servers Network Isolation

I have a VPS on DigitalOcean on which I used mfsbsd to reinstall FreeBSD with ZFS/zroot, with PF as my firewall. My plan with this VPS is to run WordPress, a static site and ownCloud each in their own jails. Currently, I use nginx on the host machine running as a reverse proxy, intercepting https...
  20. S

    PF Can PF be bypassed?

Hi, can anyone tell me if PF can be bypassed by an outsider (intruder)? I have an IP address that has already been in my ip.blocked table for two days and still its scans reach the web platform of the site, where it is blocked by a firewall add-on/plugin at the application level. Any help is welcome.