Hello,
I have been writing my pf rules for a cloud-based VPS that is used mainly as a web server at the moment.
Could anyone help me identify why, when I run
Here is my /etc/pf.conf_test file
I have been writing my pf rules for a cloud-based VPS that is used mainly as a web server at the moment.
Could anyone help me identify why, when I run
pfctl -vnf /etc/pf.conf_test
, I get a syntax error at lines 89 and 118? The message does not make clear what it is complaining about. Here is the output of pfctl -vnf /etc/pf.conf_test:
Code:
ExtIf = "xn0"
JailIf = "lo1"
WebProxy = "10.8.20.11"
WorkSsh = "213.214.215.216"
IcmpPing = "icmp-type 8 code 0"
SshQueue = "(ssh_bulk, ssh_login)"
SynState = "flags S/SA synproxy state"
TcpState = "flags S/SA modulate state"
UdpState = "keep state"
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO = "(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
/etc/pf.conf_test:52: invalid table option '/var/db/pf/ipdeny/*.zone'
table <BLOCKTEMP> counters file "/var/db/pf/fail2ban.pftable"
table <BLOCKNETS> { 224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16 192.0.2.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255 }
set skip on { lo }
set debug urgent
set block-policy drop
set loginterface xn0
set state-policy if-bound
set fingerprints "/etc/pf.os"
set optimization normal
set timeout tcp.closing 60
set timeout tcp.established 7200
/etc/pf.conf_test:89: syntax error
/etc/pf.conf_test:118: syntax error
Code:
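################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match
# (a rule carrying "quick" ends evaluation immediately).
#
# Command                               Purpose
# pfctl -e                              Enable PF
# pfctl -d                              Disable PF
# pfctl -f /etc/pf.conf                 Tell pf to re-read the pf.conf file after I make a change
# pfctl -F all -f /etc/pf.conf          Flush all rules (nat, filter, state, table, etc.)
#                                       and reload from the file /etc/pf.conf
# pfctl -s [ rules | nat | state ]      Report on the filter rules, nat rules, or state table
# pfctl -vnf /etc/pf.conf               Check /etc/pf.conf for errors, but do not load ruleset
# pfctl -t <TABLENAME> -T show          See what IP addresses are in the abusive hosts tables
# pfctl -vvs rules | grep @             List out the pf rules in order with rule numbers
# pfctl -sa                             List out all the pf rules and other options in my rules
# tcpdump -n -e -ttt -i pflog0          Watch the pf logs in real time
# tcpdump -n -e -ttt -r /var/log/pflog  Read the saved pf log (-r takes a file; pflog0 is the interface)


################ Change History ##########################
# * 2015-07-24 This file was created
# *


################ Macros ###################################
### Interfaces ###
ExtIf = "xn0"
JailIf = "lo1"

### Hosts ###
# OpenSMTPD = "10.10.10.4"
WebProxy = "10.8.20.11"
WorkSsh = "213.214.215.216"

### Queues, States and Types ###
# IcmpPing, SshQueue, SynState and SmtpSTO are defined but not referenced by
# any rule below; they are harmless but easy to mistake for active policy.
IcmpPing = "icmp-type 8 code 0"
SshQueue = "(ssh_bulk, ssh_login)"
SynState = "flags S/SA synproxy state"
#TcpState = "flags S/SA synproxy state"
TcpState = "flags S/SA modulate state"
UdpState = "keep state"

### Stateful Tracking Options (STO) ###
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO = "(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
#table <TRUSTED> persist file "/var/db/pf/trusted.pftable"
#table <spamd-white>
# The original line read 'persist persist "/var/db/pf/ipdeny/*.zone"': the path
# was not introduced by the "file" keyword, which is why pfctl reported
# "invalid table option".  pfctl also reads each "file" path literally and does
# not expand shell globs, so either give one "file" option per zone file or
# concatenate the zone files into a single list before loading.  The path
# below is a PLACEHOLDER for that merged list.
table <BLACKLIST> persist file "/var/db/pf/ipdeny/PLACEHOLDER-merged-zones.txt"
table <BLOCKTEMP> counters file "/var/db/pf/fail2ban.pftable"
# Non-routable / documentation networks, each listed once (192.0.2.0/24 and
# 169.254.0.0/16 were previously duplicated).  10.0.0.0/8 is not listed; the
# jail network ($WebProxy) lives there, so adding it would need care.
table <BLOCKNETS> { 224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }

################ Options ######################################################
### Misc Options
# "lo" is the interface group, so this skips lo1 ($JailIf) as well as lo0:
# nothing in the Filtering section is applied to jail traffic.  Use
# "set skip on lo0" if the jail interface is meant to be filtered.
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

################ Queueing ####################################################
# No quality of service (QoS): traffic is monitored and rate shaped by the VPS data centre.

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT all jail traffic
nat on $ExtIf from $JailIf:network to any -> ($ExtIf)
#nat on $ExtIf from $IntIf:network to any -> ($ExtIf)

# OpenSSH from the work address only, redirected to loopback so that the
# matching pass rule in the Filtering section can say "to lo0".
# NOTE(review): pfctl reported "syntax error" on this line and on that pass
# rule.  Both are shaped like the rules that load cleanly except for
# $WorkSsh, lo0 and "port ssh"; the cause cannot be pinned down from this
# file alone -- bisect by replacing those three with literal values
# (an address, 127.0.0.1, 22) one at a time and re-running pfctl -vnf.
rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh -> lo0

# Ntpd time server for the LAN
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
#nat-anchor "openvpn"
#rdr-anchor "openvpn"

# DENY rogue redirection
no rdr

################ Filtering ###################################################
# Filter rules are last match: the last matching rule wins unless an earlier
# rule carries "quick".  Rules are ordered so the external interface is
# evaluated first, followed by the internal interface.

### $ExtIf block abusive hosts in temp and blacklist tables
# Unlike its siblings this rule does not log; presumably to keep the country
# blacklist from flooding pflog -- confirm.
block in quick on $ExtIf from <BLACKLIST> to any
# No interface is given, so this applies on every interface pf does not skip.
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
# TCP to ssh is exempted from the temporary block, presumably so that an
# overloaded $WorkSsh cannot lock the admin out -- confirm that is intended,
# since <BLOCKTEMP> is fed by the ssh overload in $SshSTO.
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh

### $ExtIf default block with drop
block drop in log on $ExtIf

### $ExtIf inbound
# NOTE(review): no rdr sends web traffic to $WebProxy (10.8.20.11).  Packets
# arriving on $ExtIf are addressed to the public IP, so as written these two
# rules would not match them and the default block above would drop web
# traffic -- confirm how HTTP/HTTPS is meant to reach the proxy jail.
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port www $TcpState $WebSTO
# Destination is lo0 because the rdr above rewrites the ssh destination to
# loopback before filtering.  See the NOTE on that rdr about the syntax error.
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port ssh $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO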