Pf.conf block to self

hac3ru · Nov 12, 2013

Hello. I want to restrict some IPs access to my network. The setup is this:

Internet -> FreeBSD server -> Internal network.
I want to restrict the access to the server from some IP's. What I tried:

Code:

Block drop quick on $ext_if from <BlockedIPs> to any #I also tried to replace any with self. No luck

It didn't work.

Code:

block drop in quick on $ext_if from <blockedIPs> to any
block drop out quick on $ext_if from any to <blockedIPs>

It didn't work... Anyone got any ideas?

plamaiziere · Nov 12, 2013

hac3ru said:
It didn't work... Anyone got any ideas?

What do you mean by it didn't work? Is PF enabled ( pfctl -si)? Also check the rules loaded with pfctl -sr (show rules)

edit: try to load the rules by hand in verbose mode pfctl -f /etc/pf.conf -vvv

hac3ru · Nov 13, 2013

Didn't work means that the blockedIPs can still connect to the server.

The rules seem to be loaded:

Code:

block drop quick inet from blockedIPs_table to self_address

The pf.conf is enabled

Any other ideas?

gkontos · Nov 13, 2013

Make sure that your block statement is before the pass and you are good to go.

Code:

...
table <blocked_ips> file "/etc/blocked_ips"
...
block in log quick from <blocked_ips>

hac3ru · Nov 13, 2013

gkontos said:
Make sure that your block statement is before the pass and you are good to go.

Code:

... table <blocked_ips> file "/etc/blocked_ips" ... block in log quick from <blocked_ips>

It is on the last line. It's not working

I haven't used a file. I just created a table "by hand"

Code:

table <blockedIPs> { x.x.x.x, y.y.y.y}

and so on

The thing is that someone is trying to access the server through SSH. Brute forcing its entry. And I want to deny its connections.

kpa · Nov 13, 2013

Post the output of pfctl -sr. Without seeing what the actual rules that are in effect are it's impossible to even begin to guess what is wrong.

hac3ru · Nov 13, 2013

While reading through pfctl -sr I found

Code:

pass in quick proto tcp from any to self port ssh

That "pass in quick" overwrites my newly written rule so removing "quick" should be good. I'll reload the firewall now and see what happens

inky · Nov 23, 2013

It's just for the SSH daemon. not for any services. Just post us your pf.conf and we will be able to help you. Think you have a problem with the order of rules or the naming of tables.