PF firewall whitelist

Silfro · Jun 6, 2011

How do I add an IP to the whitelist from PF firewall? Because my root server keeps blocking the IP from my webhost after a few hours.

gkontos · Jun 6, 2011

Silfro said:
How do I add a IP to the whitelist from PF Firewall??
Because my root server keep blocking the IP from my webhost after few hours..

Code:

pass in log quick from <whitelist> flags S/SA synproxy state

This the simplest way. Yet it is not my recommendation since I don't know what is causing your IP address to be blocked.
If you are being blocked on a public service such as http then there is definitely something wrong with your configuration.
Why don't you post your pf.conf, obscure your public IP, and then maybe we can see if something needs to be fixed.

Silfro · Jun 6, 2011

Code:

### INTERFACES ###
if = "{ re0 }"

#Intra
table <intranet> { 127.0.0.1 192.168.2.111 }
pass in quick from <intranet> to any keep state

#Network
table <network> persist
block quick from <network>
pass in on $if proto tcp from any to any \
keep state (max-src-conn 100, max-src-conn-rate 15/1, \
overload <network> flush global)

#ruleset
block in all
pass in quick on lo0
pass out quick on lo0
table <bruteforce> persist file "/var/db/blacklist"
block quick from <bruteforce>
pass in quick on re0 proto tcp from any to any port 22 keep state
pass in quick on re0 proto tcp from any to any port 3306 keep state
pass in quick on re0 proto tcp from any to any port 11002 keep state
pass in quick on re0 proto tcp from any to any port 13000 keep state
pass in quick on re0 proto tcp from any to any port 13001 keep state
pass in quick on re0 proto tcp from any to any port 13099 keep state
pass out all keep state

gkontos · Jun 7, 2011

Maybe you need to adjust those settings a bit. Or separate them on per service base:

Code:

pass in on $if proto tcp from any to any \
keep state (max-src-conn 100, max-src-conn-rate 15/1, \
overload <network> flush global)

Another option would be to add your IP to the <intranet> table.

Silfro · Jun 7, 2011

I'm new to this kind of stuff. I don't know how I could add the IP to the intranet table.

gkontos · Jun 7, 2011

Silfro said:
Im new in this kind of stuff. I dont know how I could add the IP to the intranet table.

Code:

table <intranet> { 127.0.0.1, 192.168.2.111, xxx.xxx.xxx.xxx }

Where xxx.xxx.xxx.xxx is the IP address.

DutchDaemon · Jun 7, 2011

pfctl(8). I'm sure it's referenced in the Handbook and the PF FAQ.

PF firewall whitelist

Silfro

gkontos

Silfro

gkontos

Silfro

gkontos

DutchDaemon

Administrator