PF not working on FreeBSD 8.2?

Hi. I have some problems with pf. It is not filtering anything!

Basically what I've done:

in /boot/loader.conf:
Code:
pf_load="YES"
pflog_load="YES"
in /etc/rc.conf:
Code:
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
I added this to /etc/pf.conf:

Code:
ext_if="em0"
table <fail2ban> persist "/etc/pf.table.fail2ban"
block in quick on $ext_if from <fail2ban> to any

I have installed fail2ban, but at this point I don't see it parsing anything like /var/log/auth.log. Tried logging in xxxx times with wrong users/pass but nothing.

In any case I added that IP 192.168.2.60 with
Code:
smtpgw# pfctl -t fail2ban -T add 192.168.2.60
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.
Still I can do anything I want from 192.168.2.60.

I even tried a
Code:
block in all
in pf.conf and nothing gets filtered.

Any tips? Cause I used pf a lot on FreeBSD 7 and it worked like a charm.
 
Hello,

Code:
table <fail2ban> persist file "/etc/pf.table.fail2ban"

is the correct rule.
Probably your firewall rules are not loaded and PF is not started due to a syntax error.

You can check the syntax with:
# pfctl -nf /etc/pf.conf

and the status with:
# pfctl -si | head -n1
 
I had a wrong statement in my pf.conf, but still it seems that fail2ban is not working. It is not doing anything, I think it is not reading the auth.log file. I tried connecting with a wrong pass like 10 times. In auth.log I get:

Code:
Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:37 smtpgw last message repeated 2 times
Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:42 smtpgw last message repeated 2 times
Apr  1 16:26:45 smtpgw sshd[17187]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:47 smtpgw last message repeated 2 times
Apr  1 16:26:50 smtpgw sshd[17192]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:53 smtpgw last message repeated 2 times
Apr  1 16:26:57 smtpgw sshd[17197]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:59 smtpgw last message repeated 2 times
Apr  1 16:27:03 smtpgw sshd[17202]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:27:05 smtpgw last message repeated 2 times
Apr  1 16:27:08 smtpgw sshd[17209]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:27:10 smtpgw last message repeated 2 times

But the address does not get banned.

My fail2ban config:

jail.conf:
Code:
[DEFAULT]
backend         = auto
# bantime of -1 means forever, otherwise insert a time period in seconds
bantime = 600
# time span for which to increment the counter for login failures, 604800 seconds equals 1 week
findtime        = 604800
maxretry        = 5
# replace by the email address to which you'd like to get notes
destemail       = <radu.negrut@hostlogiclive.com>
# replace by your own IP addresses you do not want fail2ban to apply to, CIDR format possible too
ignoreip        = 127.0.0.1 10.124.175.5
logtargets      = /var/log/fail2ban.log

[ssh-pf]
# this .fail2ban-jail. is switched on and it combines the filter.d/sshd.conf with action.d/pf.conf
enabled = true
filter          = sshd
action          = pf
logpath = /var/log/auth.log
maxretry        = 5

[ssh-ddos]
# this .fail2ban-jail. is switched on and it combines the filter.d/sshd-ddos.conf with action.d/pf.conf
enabled = true
filter          = sshd-ddos
action          = pf
logpath = /var/log/auth.log
maxretry        = 3

action/pf.conf:
Code:
[Definition]
actionstart     =
actionstop      =
actioncheck     =
actionban       = pfctl -t fail2ban -T add <ip>
actionunban     = pfctl -t fail2ban -T delete `pfctl -t fail2ban -T show 2>/dev/null | grep <ip>`

[Init]
port            = ssh
localhost       = 127.0.0.1
Any tips?
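As an added example (not code from this thread or from fail2ban itself), here is the detection step that the ssh-pf jail above is expected to perform, written out in Python so the counting can be checked by hand against the auth.log excerpt: parse the syslog lines, attribute every "PAM: authentication error ... from <ip>" line to its source address, apply the jail's maxretry (5) and findtime (604800 s) as a sliding window, and emit the same `pfctl -t fail2ban -T add` commands that action.d/pf.conf would run. It goes one step beyond what the fail2ban sshd filter does: syslog collapses identical consecutive lines into "last message repeated N times", and those repeats are invisible to a filter that only matches the explicit sshd line, so the function can optionally expand them against the preceding failure. The log sample, the year (syslog timestamps carry none; 2011 is assumed here) and the second source address are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the auth.log excerpt above.
SAMPLE_LOG = """\
Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:37 smtpgw last message repeated 2 times
Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:42 smtpgw last message repeated 2 times
Apr  1 16:26:45 smtpgw sshd[17187]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:40:00 smtpgw sshd[17300]: error: PAM: authentication error for admin from 10.0.0.7
"""

# "Mon DD HH:MM:SS host message" -- the classic BSD syslog layout
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$')
# The sshd/PAM failure line as it appears on FreeBSD 8.x
FAIL_RE = re.compile(
    r'sshd\[\d+\]: error: PAM: authentication error for \S+ from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')
REPEAT_RE = re.compile(r'last message repeated (?P<n>\d+) times')

ASSUMED_YEAR = 2011  # assumption: syslog timestamps carry no year


def parse_ts(ts, year=ASSUMED_YEAR):
    """Turn 'Apr  1 16:26:36' into a datetime (extra spaces normalised)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def failures_by_ip(log_text, count_repeats=True):
    """Return a list of (timestamp, ip) for every failed sshd login.

    With count_repeats=True a 'last message repeated N times' line directly
    after a failure is expanded into N more failures from the same address;
    a filter that only matches the explicit sshd line would miss them."""
    events = []
    last_ip = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group('ts')), m.group('msg')
        fail = FAIL_RE.search(msg)
        if fail:
            last_ip = fail.group('ip')
            events.append((ts, last_ip))
            continue
        rep = REPEAT_RE.search(msg)
        if rep:
            if count_repeats and last_ip:
                events.extend([(ts, last_ip)] * int(rep.group('n')))
            continue
        last_ip = None  # any other message breaks the repeat chain
    return events


def ips_to_ban(events, maxretry=5, findtime=604800):
    """Sliding window in the spirit of fail2ban: an address is banned once
    maxretry failures fall within any findtime-second window."""
    window = timedelta(seconds=findtime)
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    banned = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= window:
                banned.add(ip)
                break
    return sorted(banned)


def pf_ban_commands(ips, table="fail2ban"):
    """The commands the pf action would run; returned, not executed, so the
    result can be reviewed before anything touches the live table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    ev = failures_by_ip(SAMPLE_LOG)
    print(f"{len(ev)} failures counted (repeats expanded)")
    for cmd in pf_ban_commands(ips_to_ban(ev)):
        print(cmd)
```

Run against the sample, the single address with seven attempts crosses the maxretry=5 threshold only when the "repeated" lines are expanded; counted the way the stock sshd filter counts, it has three and is left alone. Running `pfctl -t fail2ban -T show` afterwards is the quickest way to confirm whether a ban actually reached the table.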
 
Even if the following is not a direct solution to your problem, it is an alternative.
After several failed attempts @ fails2ban and other similar software, I decided to do it my way:
Code:
#!/bin/sh

#set -x

. /root/scripts/util/library.sh

ftpguard="/etc/ftpguard.pf"
table="ftpguard"

if [ ! -e "$ftpguard" ]; then
    echo "$ftpguard does not exist. Exiting ..."
    exit 1
fi

# Get all IP's that try to hijack the FTP port
if [ -z "$1" ]; then
    echo "Usage: grep_ip_from_file <file_name>"
else
    # uniq only collapses adjacent duplicates; the whole-file check below
    # catches the rest
    $grep "\[ERROR\] Too many authentication failures" "$1" \
        | $awk '{print $6}' \
        | $grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
        | $uniq | while read IP
    do
        # -x -F: match the whole line literally, so 10.0.0.1 does not
        # "match" 10.0.0.10 and the dots are not regex wildcards
        if ! $grep -qxF "$IP" "$ftpguard"; then
            echo "$IP" >> "$ftpguard"
            $pfctl -t "$table" -T add "$IP"
        fi
    done
fi

/root/scripts/util/library.sh contains:
Code:
dig="/usr/bin/dig"                                        # Full path to: dig
if [ ! -f $dig ];then
echo "Cannot find $dig executable in the mentioned path. Pls adjust the path in the script ..."
echo "Exiting ..."
exit 1
fi

grep="/usr/bin/grep"                                            # Full path to: grep
if [ ! -f $grep ];then
echo "Cannot find $grep executable in the mentioned path. Pls adjust the path in the script ..."
echo "Exiting ..."
exit 1
fi

awk="/usr/bin/awk"                                              # Full path to: awk
if [ ! -f $awk ];then
echo "Cannot find $awk executable in the mentioned path. Pls adjust the path in the script ..."
echo "Exiting ..."
exit 1
fi

# The script above also uses $uniq and $pfctl, defined here in the same way
uniq="/usr/bin/uniq"                                            # Full path to: uniq
if [ ! -f $uniq ];then
echo "Cannot find $uniq executable in the mentioned path. Pls adjust the path in the script ..."
echo "Exiting ..."
exit 1
fi

pfctl="/sbin/pfctl"                                             # Full path to: pfctl
if [ ! -f $pfctl ];then
echo "Cannot find $pfctl executable in the mentioned path. Pls adjust the path in the script ..."
echo "Exiting ..."
exit 1
fi

I run it from crontab every 10 minutes.
The script can easily be modified to do what you require.

PS: This script is configured for working with pure-ftpd failed login attempts.