PF Rule Query

Hi,
I have /etc/pf.conf configured as follows (see below). The query I have is that, despite the section
Code:
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
I still see w00t messages in my Apache /var/log/httpd-access.log log file from IPs that are in the blockedip table, which I was a bit surprised at, i.e. I was expecting the connection attempt to be dropped.

I'd be grateful if anyone could let me know if there is anything wrong with my configuration.

Thanks,
Mike
Code:
set limit table-entries 5000000 ## Blocked ip list
tcp_services = "{ ssh, imap, pop3, imaps, smtp, domain, www, https,  ntp, 43, bootpc, bootps}"

udp_services = "{ domain, ntp, bootpc, bootps }"
icmp_types = "{ echoreq, unreach }"

table <blockedip> persist file "/etc/pf.block.ip.conf"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### admin server ranges
adminrange = "XXX.TTT.QQQ.AA/BB"
ext_if = "em0" # out
int_if = "em1" # in

# Drop incoming everything
block in all
block return

# keep stats of outgoing connections
pass out keep state

# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $int_if}

# activate spoofing protection for all interfaces
block in quick from urpf-failed

#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians


# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>

# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services

pass quick inet proto { tcp, udp } to any port $udp_services keep state
pass out on $ext_if proto udp to any port $udp_services

# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow admin to get into box
pass in on $int_if from $adminrange to any

# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port $tcp_services keep state
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state

pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto { tcp, udp, icmp } all modulate state
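Added example (not part of the post above): a small offline check that reads a pf table file in the same one-address-or-CIDR-per-line syntax as /etc/pf.block.ip.conf and an Apache access log, and reports which log lines come from addresses the table covers. It gives the same answer for each client address that `pfctl -t blockedip -T test <addr>` gives against the live table, so it separates "the address is not in the list" from "the list is loaded but the rule is not matching". Both input texts are constructed samples.

```python
import ipaddress
import re

# Constructed sample of a pf table file (/etc/pf.block.ip.conf style):
# one host or CIDR per line, '#' comments and blank lines allowed.
BLOCK_FILE = """\
# constructed example block list
198.51.100.0/24
203.0.113.7
"""

# Constructed Apache combined-format lines like those in httpd-access.log.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /w00tw00t HTTP/1.1" 400 226
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.42 - - [10/Oct/2023:13:56:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 196
"""

# Client address, ident, user, [timestamp], "request line" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')


def load_table(text):
    """Parse table-file text into ip_network objects (bare hosts become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_table(nets, addr):
    """True if addr falls inside any network of the table (cf. pfctl -T test)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def blocked_hits(log_text, nets):
    """Return (client, request) for every log line whose client is in the table."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and in_table(nets, m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for client, request in blocked_hits(ACCESS_LOG, load_table(BLOCK_FILE)):
        print(f"{client} is in the block table but was served: {request}")
```

If an address is in the file but `pfctl -t blockedip -T show` does not list it, the file was edited after the ruleset was loaded (a `persist file` table is read when the rules are loaded); `pfctl -t blockedip -T replace -f /etc/pf.block.ip.conf` reloads it without touching the rules.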