So I've run into a strange issue. I noticed fail2ban was failing to actually block anything on my FreeBSD router here at home, and when looking into it I found that fail2ban is creating the anchored rules, which do look good, and it is inserting the found IPs, but for some reason the traffic is still allowed through.
That said, the traffic is not going to the system running fail2ban and PF, but is coming from the internet and then being forwarded to my web/mail server.
Items inserted by fail2ban; it does not appear to be working:
Code:
> pfctl -a f2b/fast-log-pbt -sr
block drop quick from <f2b-fast-log-pbt> to any
> pfctl -a f2b/fast-log-pbt -t f2b-fast-log-pbt -T show
72.84.107.126
73.73.73.75
73.162.227.118
74.74.74.18
83.24.197.213
86.19.33.185
107.13.133.58
128.116.72.218
174.66.144.28
174.72.248.226
174.86.40.242
176.45.8.210
184.103.154.229
pf.conf (with the public IP substituted with a.b.c.d):
Code:
# Interfaces and networks
ext_if="igb3"
int_if="em1"
int_net="192.168.12.0/22"
localnet = $int_if:network
ext_ip=a.b.c.d
# Services offered by the router itself on the LAN side
int_tcp_services="{ 22, 53 }"
int_udp_services="{ 53 }"
# Web/mail server ("vulpes"): internal address, public address, forwarded ports
vulpes_int="{ 192.168.14.42/32 }"
vulpes_ext="{ a.b.c.d/32 }"
vulpes_TCP_services="{ 25, 53, 80, 143, 443, 587, 993, 2222, 3478, 3479, 8448 }"
vulpes_UDP_services="{ 53, 3478, 2479 }"
icmp_types="{ echoreq, unreach }"
set skip on lo
scrub in
# Outbound NAT for the LAN
nat on $ext_if proto {tcp udp icmp} from $localnet to any -> $ext_ip
# Port forwards to the web/mail server. Note the "pass" modifier: per pf.conf(5),
# packets matching a translation rule that carries "pass" are passed without
# going through the filter rules below, which includes the f2b/* anchor.
rdr pass on $ext_if proto tcp from any to $vulpes_ext port $vulpes_TCP_services -> $vulpes_int
rdr pass on $ext_if proto udp from any to $vulpes_ext port $vulpes_UDP_services -> $vulpes_int
# Default deny inbound, then the fail2ban anchors (their rules are "block drop quick")
block in
anchor "f2b/*"
antispoof quick for { lo }
# Router's own LAN-side services
pass in inet proto tcp from any to ($int_if) port $int_tcp_services
pass in inet proto udp from any to ($int_if) port $int_udp_services
# $ext_tcp_services and $ext_udp_services are not defined in the excerpt as posted
pass in on $ext_if proto tcp from any to any port $ext_tcp_services keep state
pass in on $ext_if proto udp from any to any port $ext_udp_services
pass in inet proto icmp all icmp-type $icmp_types
pass from $localnet to any keep state
pass out
For anyone curious about the "fast-log" name: I am feeding fail2ban a Snort-style fast log produced by Suricata. It does a good job of finding stuff, but for some reason the IPs get inserted into the pf tables and pfctl shows them as being in the table in that anchor.
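Added example, not from the original post or from fail2ban: a small POSIX shell check that flags translation rules carrying the `pass` modifier, which pf.conf(5) documents as bypassing the filter rules (and therefore any anchor loaded into them), run over two constructed rulesets in the shape of the posted one: the weak form and a corrected form that translates only and then filters the forwarded ports explicitly after the anchor. The macro names are reused from the post; the awk patterns and temp files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). pf.conf(5): packets that match a
# translation rule with the "pass" modifier ("nat pass", "rdr pass", "binat pass")
# are passed without going through the filter rules, so a "block ... quick"
# rule loaded into an anchor such as f2b/* is never consulted for that traffic.

# Print "<line-no>: <rule>" for every translation rule that carries "pass".
list_pass_translations() {
    awk '/^[ \t]*(nat|rdr|binat)[ \t]+pass([ \t]|$)/ { print NR ": " $0 }' "$1"
}

# Print only the number of such rules (0 when the ruleset is clean).
count_pass_translations() {
    awk '/^[ \t]*(nat|rdr|binat)[ \t]+pass([ \t]|$)/ { n++ } END { print n + 0 }' "$1"
}

# Constructed ruleset in the shape of the posted one: the forwarded ports are
# let in by "rdr pass", so "block in" and the f2b anchor never see that traffic.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
rdr pass on $ext_if proto tcp from any to $vulpes_ext port $vulpes_TCP_services -> $vulpes_int
rdr pass on $ext_if proto udp from any to $vulpes_ext port $vulpes_UDP_services -> $vulpes_int
block in
anchor "f2b/*"
EOF

# Constructed corrected ruleset: translate only, then pass the (already
# rewritten) packets explicitly, after the anchor, on the internal address,
# so an address in the f2b table is dropped by the anchor's quick block first.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
rdr on $ext_if proto tcp from any to $vulpes_ext port $vulpes_TCP_services -> $vulpes_int
rdr on $ext_if proto udp from any to $vulpes_ext port $vulpes_UDP_services -> $vulpes_int
block in
anchor "f2b/*"
pass in on $ext_if proto tcp from any to $vulpes_int port $vulpes_TCP_services keep state
pass in on $ext_if proto udp from any to $vulpes_int port $vulpes_UDP_services keep state
EOF

echo "weak ruleset, rules that bypass the filter:"
list_pass_translations "$WEAK_CONF"
echo "fixed ruleset: $(count_pass_translations "$FIXED_CONF") rules bypass the filter"
```

On the router itself the same check can be run against the live ruleset with `pfctl -sn` as input instead of a file, since the translation rules print in the same syntax.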