Hey all,
I have a problem with rules. I'm still cutting off the www server myself. I have a server with a few public IPs added to em0. One IP address is for a jail, it's 79.137.X.X. Inside the jail I have a running nginx server.
Address 91.121.X.X is the main address of the server added to em0. The rules below deny my www, dns, and pkg doesn't want to either:
Server and I don't know why. When I turn off pf everything works great. When I change the rules to any to any instead of IP addresses everything works too. Can someone explain to me what's wrong?
The funny thing is that for ssh it works for 91.121.X.X and 79.137.X.X
Code:
root@HardenedBSD:/home/bryn1u # pkg update
Updating BSD repository catalogue...
Unable to update repository BSD
Error updating repositories!
root@BSD:/home/bryn1u
Code:
.......
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"
#######################
# enable antispoofing #
#######################
antispoof log quick for $ext_if inet label "antispoof rule"
# block all if no back routes
block in log quick from no-route to any label "no-route rule"
# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"
# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255
block drop in log (all) quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>
### 91.121.X.X:
### SSH:
pass in on $ext_if proto tcp from any to 91.121.X.X port { 22 }
pass out on $ext_if proto tcp from 91.121.X.X to any port { 22 }
### 79.137.56.144:
### SSH:
pass in on $ext_if proto tcp from any to 79.137.X.X port { 22 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 22 }
### WWW
pass in on $ext_if proto tcp from any to 79.137.X.X port { 80 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 80 }
### DNS
pass in on $ext_if proto tcp from any to 79.137.X.X port { 53 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 53 }
pass in on $ext_if proto udp from any to 79.137.X.X port { 53 }
pass out on $ext_if proto udp from 79.137.X.X to any port { 53 }