PF My first ruleset; what am I doing wrong?

Indeed, I was keeping the table's declaration along with the table's rules while having properly divided the macros' declaration and the macros' rules. I now get what I was failing to understand and it is no wonder pf was rejecting the rules.

Thank you very much, I have a clearer grasp of it now. :)
 
So glad I could help!

Besides this, I think I would simplify the lines with inet and inet6 into single ones: for instance, turn

Code:
pass out quick on $ext_if inet all
pass out quick on $ext_if inet6 all

into

Code:
pass out quick on $ext_if all

and use pfctl -vnf /etc/pf.conf to check (without reloading pf) whether pf would expand this single line into the same two inet and inet6 lines as the two rules did before. This would make /etc/pf.conf easier to read and to maintain.

http://www.openbsd.org/faq/pf/nat.html says (about this parameter):
The address family, either inet for IPv4 or inet6 for IPv6. PF is usually able to determine this parameter based on the source/destination address(es).
Even if this is the OpenBSD pf FAQ, I think this part applies to FreeBSD pf too. For instance, if I try to put "inet6" in a rule to allow ssh, I get an error:

Code:
[...]
set block-policy return
set skip on { lo0 lo1 }
/etc/pf.conf:52: rule expands to no valid combination
root@***:~ #

And putting "inet" instead of "inet6" does not produce any error; the rule is expanded the same way as when there is no "inet" keyword in it. So pf seems to "know" that the ssh port rule only applies to the inet family, not to inet6.

So I think most of the time, it's not necessary to add an inet or inet6 keyword. There must be cases when it's necessary but I don't know which ones.

On this forum I have been well advised to read "the book of pf", so I would advise it to you too. The only translated version I could find was a bit old, but covered OpenBSD 4.6 pf (so 4.5 too), and was enough for my needs. (In French, it's "Le livre de packet filter".)
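An added illustration (editor's example, not from the thread or from the pf documentation) of the cases where the family keyword does carry information. When both endpoints are any/all, pf has nothing to infer from, so the rule matches IPv4 and IPv6 alike unless a family is given. When a rule names an interface as a host, pf substitutes the addresses configured on that interface; if the interface has no IPv6 address, as the error output quoted above suggests for em0, restricting such a rule to inet6 leaves nothing to expand, which is the "rule expands to no valid combination" message. The interface name em0 and the individual rules are assumptions for illustration; check each variant with pfctl -vnf before loading it.

```pf
# Editor's example: where the address family keyword matters (assumes ext_if = em0)
ext_if = em0

# 1. Both endpoints unspecified: nothing to infer from, so without a family
#    keyword the rule matches IPv4 and IPv6 alike. Add the keyword to restrict it.
pass in quick on $ext_if proto tcp from any to any port ssh            # IPv4 and IPv6
pass in quick on $ext_if inet proto tcp from any to any port ssh       # IPv4 only
block in quick on $ext_if inet6 all                                    # drop all IPv6 on this interface

# 2. Interface used as a host: pf substitutes the addresses configured on em0.
#    If em0 carries only IPv4 addresses, the inet6 variant has no address to
#    expand into and pfctl rejects it with "rule expands to no valid combination".
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh   # fine
#pass in quick on $ext_if inet6 proto tcp from any to $ext_if port ssh # fails if em0 has no IPv6 address

# 3. ICMP is two different protocols: icmp is IP protocol 1 (IPv4), icmp6 is
#    protocol 58 (IPv6). The family keyword adds little here, but each family
#    needs its own rule with its own type keyword.
pass inet  proto icmp  all icmp-type  echoreq
pass inet6 proto icmp6 all icmp6-type echoreq
```

Running pfctl -vnf on a file containing these rules prints each rule as pf will load it, which is the quickest way to see what the family keyword changed, and the parse fails before anything is loaded, so a mistake here cannot disturb the running ruleset.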
 
I have "the book of PF", but reading it both in English and on a screen doesn't work well for me, especially reading on a screen.

I'm going to give the inet thingy a try; anything that can help me losslessly reduce the size of my pf file is welcome. :)

Thank you again!
 
Latest version:

Code:
# Macros
ext_if = em0
tcp_services = "{ ssh smtp }"
udp_services = "{ ntp }"
icmp_types = "echoreq"

# Tables
table <bruteforce> persist     # filled by the overload rule below; persist keeps it across reloads

# Options
set skip on lo0

# Traffic Normalization
scrub in all

# Queueing

# Translation

# Packet Filtering
antispoof for $ext_if
block quick from <bruteforce>
# ssh with brute-force protection: a source holding more than 15 connections,
# or opening more than 5 new connections in 3 seconds, is added to <bruteforce>
# and all of its existing states are killed (flush global)
pass quick proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)
block all
pass out quick on $ext_if all
pass in quick on $ext_if proto tcp from any to $ext_if port $tcp_services
pass in quick on $ext_if proto udp from any to $ext_if port $udp_services
pass inet proto icmp all icmp-type $icmp_types

It seems to work flawlessly this way, so that will be it.
I just kept IPv4 for the pinging, since the monitoring I use is done through IPv4 pinging, so there is no need to open that up any further.
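An editor's variant of the ssh rule in the ruleset above (added here, not from the thread). As posted, the rule passes port 22 on every interface and in both directions, and ssh is TCP only, so the udp half of { tcp, udp } passes traffic that no ssh daemon listens for. Scoping the rule to inbound traffic on the external interface and to tcp keeps the same overload behaviour with less exposed. The interface and table names are taken from the posted ruleset; the <trusted> table and its address 192.0.2.10 are assumptions, added so that a monitoring or admin host cannot ban itself.

```pf
# Editor's variant of the ssh rule (names from the posted ruleset; <trusted> is an assumption)
ext_if = em0
table <bruteforce> persist
table <trusted> persist { 192.0.2.10 }   # assumed admin/monitoring host, never auto-banned

# Drop banned sources inbound on the external interface only; replies and
# outbound connections to those hosts are unaffected.
block in quick on $ext_if from <bruteforce>

# Trusted hosts get ssh without the overload limits, before the generic rule.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
        flags S/SA keep state

# Everyone else: TCP only, inbound on $ext_if, to the interface's own address.
# flags S/SA          create state on the initial SYN only
# max-src-conn 15     at most 15 concurrent connections per source address
# max-src-conn-rate   at most 5 new connections per 3 seconds per source address
# overload ... flush global
#                     on excess, add the source to <bruteforce> and kill every
#                     state it holds, not only its ssh states
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)
```

Entries added by overload stay in the table until removed: pfctl -t bruteforce -T show lists them, pfctl -t bruteforce -T delete <address> releases one, and pfctl -t bruteforce -T expire <seconds> from a periodic job removes entries older than the given age. The ($ext_if) form tracks the interface's current address, which matters if it is assigned dynamically; with a static address the bare $ext_if used in the posted ruleset behaves the same.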
 