Hi Guys, i don't find nothing on the net about GeoIP for PF, I searched a lot but nothing, I need to block states or create a white list of states that can access the server so I can make things easier for myself, could anyone help me?
place here at the bottom of my pf configuration that is pf.conf
I willingly accept advice on my configuration, I hope you can help me with the geoip
Thanks guys
place here at the bottom of my pf configuration that is pf.conf
I willingly accept advice on my configuration, I hope you can help me with the geoip
Code:
# Source and tutorial - https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/
# /usr/local/etc/pf.conf
#
## Set your public interface ##
ext_if="vtnet0"
## Set your server public IP address ##
ext_if_ip="myIP i just removed it"
## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
## Set http(80)/https (443) port here ##
webports = "{https}"
## enable these services ##
int_tcp_services = "{domain, https, ssh}"
int_udp_services = "{domain}"
## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
### Set default policy ##
#block return in log all
#block out all
set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
## Blocking spoofed packets
antispoof quick for $ext_if
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22
# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq
# All access to our Nginx/Apache/Lighttpd Webserver ports
#pass proto tcp from any to $ext_if port $webports
# Allow essential outgoing traffic
#pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
# Add custom rules below
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)
#pass in proto tcp from any to any port 3000
#pass in proto tcp from any to any port 3066
# vim: set ft=pf
Thanks guys