Solved PF Not blocking MySQL port (beginner question)

jbo@

Developer
Hello folks,

I just recently started using PF so bear with me.
What I want my firewall to do is to block all incoming traffic except SSH and HTTP. Furthermore, I'd like to blacklist the IPs that try to bruteforce SSH.

After a few hours of reading this is what I can up with:
Code:
if="em0"
lo="lo0"

# Ignore loopback interface
set skip on $lo

# Scrub
scrub in all

# Deal with bruteforcers
table <bruteforce> persist
block quick from <bruteforce>

# Block all in, pass all out
block in log all
pass out all keep state

# Exceptions
pass in on $if proto tcp fron any to any port ssh flags S/SA keep state (max-src-conn 1, max-src-conn-rate 5/3600, overload <bruteforce> flush global)
pass in on $if proto tcp from any to any port http
However, according to a few different port scanners port 25 as well as 3306 are still open.
What am I missing?

I'd appreciate any other feedback too. This is the first time I am working with PF.
This firewall is running on a public web server.
 
What host are you scanning? Are you scanning localhost, or are you scanning from another machine on your LAN?

Your firewall rules allow all traffic to/from localhost (and you should keep it that way to avoid problems).
 
Is this machine connected directly to the Internet? Or is there a router in between?
 
It's a VPS with a public IP address. So from my understanding there's no router, NAT or other magic in between the machine running PF and the internet.
 
Ok, just making sure I understand how things are connected.

What does pfctl -s rules show?
 
pfctl -s rules didn't show any rules at all which lead me to manually re-loading the config file. Turns out that there's a typo in line 19 of my config file (fron instead of from). Sadly I must have overlooked the corresponding warning when restarting the pf service. Now the port scans return the expected results.
Sorry for the trouble and thank you very much for your help!

If you have any comments on how to improve my firewall config I am all ears :)
 
You can check the syntax, without actually loading the rules with pfctl -nf /etc/pf.conf. That's always a good idea to do before actually loading them.
 
Thanks for the tip!
Should I edit my original post so people that want to use that config as a starting point don't get ugly surprises or is that discouraged as it would defeat the purpose of the actual discussion?
 
No, don't edit it. Editing would make the thread look very odd when viewed much later when there's no apparent problem in the ruleset.
 
Back
Top