[Help 7.2] Firewall to block all non-German IP's

[IgorGlock]

Hello together!

I'm from germany and I have some problems witch "denal of service" to my SSH and many other TCP/UDP Ports from other countries :\


Who know a Firewall to block them? :f

 

[Ruler2112]

There was a discussion on this not too long ago. There's a site that keeps lists of IP address ranges assigned to different countries - you basically just create a table and block the addresses in it with pf.

 

[IgorGlock]

yeah...

but I'm 16 years old and I need help with them...
Site for ip rages: http://services.ce3c.be/ciprg/
Can you make a manual or give a site?

sorry my english is very bad

 

[Ruler2112]

This post should help you out. The pf rules you want are in the first post. I also wrote a script that will keep the text file listing the IPs updated with whatever one you want on the internet.

 

[IgorGlock]

hmmn... that's not bad but it's not for me

how can I block all non-German ip's ... not how can I block bad ip's

if one people from china like to join my teamspeak-server or my game-server he must get a block. (very bad english )

 

[vivek]

You need block all and than only allow German IPs. Share you existing pf.conf.

 

[IgorGlock]

my existing pf.conf:

*beep*

^ clean :\

 

[tkjacobsen]

The "TABLES" section in the pf.conf(5) man page explains how files can be used to list ip addresses.

Here's my own pf.conf modified for your needs:

tcp_services = "{ ssh }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

It basically blocks all incoming trafick except ssh from german ipaddresses listed in /etc/german. All outgoing traffic is also acceptet.

 

[IgorGlock]

thank you ver very mutch!

and how can I block all services? Not only SSH?

"tcp_services = "{ ssh }"

?:stud

 

[IgorGlock]

EDiT: and how can I block all services? Not only SSH? :\

:e

 

[DutchDaemon]

Read that ruleset again. Everything is blocked, except ssh access from Germany.

 

[IgorGlock]

hmmn... and how can I allow port: 1337 for teamspeak server or GTA MTA server(gameserver)?

 

[DutchDaemon]

Add it to the tcp_services macro (if it's tcp, else create a udp_services macro and make a new rule) and reload the ruleset.

Don't ask how, it's all in the pf.conf(5) manual, and in the FAQ. Do your homework (that's what 16 year-olds are supposed to do ..).

 

[IgorGlock]

Is that right?
I like to open for only german ip's port: 27015(Counterstrike) + 1337(Teamspeak) + 22(SSH)

rc.conf

pf_enable="YES"
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"

pf1.conf:

tcp_services = "{ ssh }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

pf2.conf:

tcp_services = "{ 1337, 27015 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

but my "/etc/german" file doesn't exist?! Can someone give me a examle?
Can I generate it witch http://services.ce3c.be/ciprg/ ?

 

[DutchDaemon]

Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it.

You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like 1.2.3.4 or 1.2.3.4/24. Ranges (1.2.3.4-1.2.3.5) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.

BTW, you can't do this:

pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"

There can only be one of everything, or the second one will overrule the first one. In this case, only pf2.conf will be loaded, not pf1.conf.

 

[IgorGlock]

hmmn... and can you give me exmple for the "format" :\
sry if you can't understand "format"

is that right?
http://services.ce3c.be/ciprg/?countrys=GERMANY%2C&format=by+input&format2={startip}%0D%0A{endip}%0D%0A

 

[DutchDaemon]

No, that won't work. Format examples were given above. It's either one IP address per line (not workable with millions of IP addresses), or one cidr range per line (like 53.0.0.0/8, which is the first entry of that list, i.e. 53.0.0.0-53.255.255.255).

 

[DutchDaemon]

A bit of Googling turned this up:
http://www.countryipblocks.net/tag/cidr/

Choosing Germany and CIDR will give you a list you can put in a pf table without problems. I cannot vouch for the accuracy of this data.

 

[IgorGlock]

hmmmn... my IP: 84.163.*.*
but it it isn't there... :e:e

thank you

 

[DutchDaemon]

Ah, cidr is a new concept to you:

84.128.0.0/10 = 84.128.0.0 - 84.191.255.255

net-mgmt/cidr might help.

 

[IgorGlock]

hmmn... it doesn't work :r
My IP² is: 88.198.*.*

I have block this rage: 88.198.0.0/16 and after 1reboot I can use SSH

 

[DutchDaemon]

How are you blocking it? And why? You wanted German IPs to have access, right? That table <german> was used to allow access ('pass'), not block it. What does your ruleset look like? What does [cmd=]pfctl -sr[/cmd] look like? And why reboot when you can simply reload the ruleset?

 

[IgorGlock]

I like to test it witch my other PC witch other ip²

pfctl -sr :
No ALTQ support in kernel
ALTQ related functions disabled

and

pfctl -F all -f /etc/pf2.conf :

No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded

hehe: http://forums.freebsd.org/showpost.php?p=68957&postcount=2

 

[IgorGlock]

1 Question:

My LAN card supports ALTQ (realtek) but I don't know how can I install "options ALTQ"

http://www.freebsd.org/cgi/man.cgi?query=altq&sektion=4
^ can't help me :\

 

[sniper007]

http://www.openbsd.org/faq/pf/queueing.html

READ, READ, READ again and again

if you can't read freebsd is not for you


all of us need to read and study manuals and handbooks