[Help 7.2] Firewall to block all non-German IPs

DutchDaemon said:
Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it.

You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like 1.2.3.4 or 1.2.3.4/24. Ranges (1.2.3.4-1.2.3.5) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.


http://www.ipdeny.com/ipblocks/data/countries/de.zone
 
IgorGlock said:
rc.conf

Code:
pf_enable="YES"
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"

You should only have one pf_rules in your rc.conf.


IgorGlock said:
pf.conf:
Code:
tcp_services = "{ ssh, 1337, 27015 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

Notice how I've included ssh in the TCP services allowed through from the IPs in the german table...


IgorGlock said:
but my "/etc/german" file doesn't exist?! Can someone give me an example?
Can I generate it with http://services.ce3c.be/ciprg/ ?

sniper007 said:

You need to somehow create the /etc/german file. It's a list of IP addresses in CIDR format, as DD indicated. This information could easily change over time as IP ranges are assigned/reassigned, so you'll probably want to update the file periodically. If you use the script I linked to in my second post, it'll fetch and update the firewall table for you automatically. (Just set the variables appropriately and set it up to run periodically.)
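The two steps discussed above, turning the START-END range format of the ce3c list into the CIDR form a PF table file needs, and rebuilding the table periodically from a fresh download, can be done with one small script. The following is an added example and is not the script sniper007 linked or anything else from the thread; it assumes Python 3 on the FreeBSD host, the sample range and prefix data embedded below is constructed and is not the real German allocation, the table name `german` and path `/etc/german` are taken from the pf.conf above, and `pfctl -t german -T replace -f /etc/german` is only executed when pfctl is actually installed.

```python
"""Build a PF table file from a country IP list and swap it into the live table.

Handles both list formats mentioned in the thread: START-END ranges (ce3c)
and one-prefix-per-line CIDR files (ipdeny de.zone). Fetching the file is
left to fetch(1)/curl in the cron job; this script only converts and loads.
"""
import ipaddress
import os
import shutil
import subprocess

# Constructed sample data (NOT the real German allocations), one file in each format.
SAMPLE_RANGES = """\
# START-END format, as served by services.ce3c.be
2.16.6.0-2.16.7.255
5.10.64.0-5.10.95.255
31.16.0.0-31.19.255.255

80.128.0.0-80.159.255.255
"""

SAMPLE_CIDRS = """\
5.10.64.0/20
5.10.80.0/20
2.16.6.0/23
2.16.6.0/23
"""


def range_to_cidrs(start, end):
    """Split an inclusive START-END range into the minimal list of CIDR prefixes."""
    a = ipaddress.ip_address(start.strip())
    b = ipaddress.ip_address(end.strip())
    if b < a:
        raise ValueError("range end %s precedes start %s" % (b, a))
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def parse_ip_list(text):
    """Accept ranges (A-B), prefixes (A/n) or bare hosts (A); return sorted, merged CIDRs."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if "-" in line:
            s, e = line.split("-", 1)
            nets.extend(ipaddress.ip_network(c) for c in range_to_cidrs(s, e))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))  # bare host -> /32
    # collapse_addresses merges adjacent/overlapping prefixes and drops duplicates;
    # it refuses mixed families, so IPv4 and IPv6 are collapsed separately.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


def write_table_file(cidrs, path):
    """Write one prefix per line and rename into place, so pfctl never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(cidrs) + "\n")
    os.replace(tmp, path)
    return len(cidrs)


def pfctl_replace_command(table="german", path="/etc/german"):
    """'pfctl -t <table> -T replace -f <file>' swaps the live table contents in one step."""
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


def reload_table(table, path, run=subprocess.run):
    """Run the pfctl replace only where pfctl exists; return (argv, executed)."""
    cmd = pfctl_replace_command(table, path)
    if shutil.which("pfctl") is None:
        return cmd, False          # not on a pf host, nothing to reload
    run(cmd, check=True)
    return cmd, True


if __name__ == "__main__":
    # Typical cron use: convert the downloaded list, rewrite /etc/german, reload the table.
    out = "/tmp/german"            # use /etc/german on the real box
    n = write_table_file(parse_ip_list(SAMPLE_RANGES), out)
    cmd, ran = reload_table("german", out)
    print("%d prefixes written to %s; pfctl %s" % (n, out, "run" if ran else "skipped"))
```

Because `table <german> persist file "/etc/german"` is only read when the ruleset is loaded, a cron job must both rewrite the file and run the `-T replace` step; otherwise the running table keeps the old contents until the next `pfctl -f`.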


IgorGlock said:
must I put option ALTQ in to: /boot/device.hints ?

I went through adding ALTQ to my kernel a few months ago - there are a couple really good posts in there that describe exactly what you need to do.
 
IgorGlock said:
but: /usr/src/sys/i386/conf: No such file or directory.

:stud I hate this :D

You probably didn't install source code with your system. Confirm with ls -l /usr/src - if empty, that's your problem. /usr/sbin/sysinstall will re-run the initial setup program. You can also use pkg_add to add the source packages from the CD/DVD.
 
Igor, you're currently trying to climb Mount Everest in your shorts, and you're setting yourself up for a totally nuked system if you go on like this.

Do you think that the ALTQ message you saw was some type of error, and that you MUST install ALTQ to get rid of it? You don't. It's not an error. If you don't need outbound traffic queueing, leave your system alone.

If your only open port on the Internet side is ssh, install one of the bruteforce-blocker ports, and set your PF to pass everything out, and nothing but ssh in (forget about the /etc/german stuff too). Let the bruteforce-blocker do the rest by adjusting a PF table all by itself.

security/sshguard-pf
security/bruteforceblocker
security/sshit
 
Of course I can install and build my "Custom Kernel", and now I get another error...

Code:
# pfctl -F all -f /etc/pf2.conf
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded

What is wrong?

here my config file:

Code:
tcp_services = "{ 21075, 1337, 3306 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out

Line 12? ....
 
Hmm... it works now, but...

I have the service "ssh". I changed my port and now I can't connect... :-( But it's okay... I have a backup of the MySQL DB :D
 
Something like
Code:
 block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
might work.
 
DutchDaemon said:
Something like
Code:
 block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
might work.

Like this?

pf1.conf:
Code:
table <german> persist file "/etc/german"
block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
pass out

is that right? :\ ;)
 
I don't normally do this, but I just can't help myself anymore.

IgorGlock: I have to give you credit... you are a persistent fellow. Reading this thread is like watching Muhammad Ali trying to solve a Rubik's cube.

When (note I didn't say "If") you get pf selectively denying all non-german IPs, I hope you will continue to pursue a broader understanding of how FreeBSD operates.

And for DD's sanity, hopefully you're able to learn much of that from the Handbook. ( =


Final note: you won't feel stupid if you learn the basics before you start asking tough questions. Go easy on yourself. ( ;
 