PF table <other-blocked> persist file FreeBSD 12.0-RELEASE r341666 GENERIC

Hi guys, I'm trying to use this in my pf.conf
Code:
table <other-blocked> persist file "/root/geoblock.txt"
block in log quick on $ext_if from <other-blocked> to any
My pf.conf is

Code:
# Source and tutorial -  https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/
# /usr/local/etc/pf.conf
#
## Set your public interface ##
ext_if="vtnet0"
## Set your server public IP address ##
#table <blockedips> persist file "/root/geoblock.txt"
ext_if_ip="IP"
## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
          10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
          0.0.0.0/8, 240.0.0.0/4 }"

table <other-blocked> persist file "/root/geoblock.txt"
block in log quick on $ext_if from <other-blocked> to any
#table <spam> persist    file "/root/geoblock.txt"
#block on fxp0 from <spam> to    any


## Set http(80)/https (443) port here ##
webports = "{https}"

## enable these services ##
int_tcp_services = "{domain, https, ssh}"
int_udp_services = "{domain}"


#table counters file "/usr/local/etc/blocked/geoblock"

## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

### Set default policy ##
#block return in log all
#block out all


set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
antispoof quick for $ext_if

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22

# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq





# All access to our Nginx/Apache/Lighttpd Webserver ports
#pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
#pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services


# Add custom rules below
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)

#block drop in log (all) quick on $ext_if from <blockedips> to any



#block drop in on $ext_if from <list> to any


#pass in proto tcp from any to any port 3000
#pass in proto tcp from any to any port 3066

# create or touch /etc/pf.abusers
#table <abusers> persist file "/usr/local/etc/blocked/geoblock"
#table <ossec_fwtable> persist
#table <blocked_hosts> persist
# http://en.wikipedia.org/wiki/Reserved_IP_addresses
#table <blocked_nets> {
#                       127.0.0.1/8, \
#                       240.0.0.0/4 }


# vim: set ft=pf
but I'm receiving

Code:
Disabling pf.
Enabling pf/usr/local/etc/pf.conf:12: cannot define table other-blocked: Invalid argument
/usr/local/etc/pf.conf:32: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:40: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:41: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:42: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:43: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:49: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

What exactly am I doing wrong? Do I have to do anything else to declare the table? Thank you.
 
It's complaining about your syntax in addition to your table.

Here's how I have my /etc/pf.conf set to block:

Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Here's what it does:

Code:
root@onryo:/ # pfctl -s rules
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.4 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
 
I took your conf as an example, thank you very much, but I still have errors.

My pf.conf
Code:
### Macro name for external interface
ext_if="vtnet0"
ext_if_ip="ip"
#netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
#netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
table <other-blocked> persist file "/root/firewall/geoblock"
### Default deny everything
#block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
#block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
block in log quick on $ext_if from <other-blocked> to any
### Block all IPv6
#block in quick inet6 all
#block out quick inet6 all

### Block to and from port 0
#block quick proto { tcp, udp } from any port = 0 to any
#block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
#block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
#block in quick log on $ext_if proto udp from any to any port $netbios_udp

pass in on ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)
pass in inet proto tcp to $ext_if port ssh

### Keep and modulate state of outbound tcp, udp and icmp traffic
#pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Error

Code:
# service pf restart
Disabling pf.
Enabling pf/usr/local/etc/pf.conf:9: cannot define table other-blocked: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded
 
I've never used tables in my ruleset. Looking at other examples of table syntax yours looks basically the same:

Code:
table <myTable> persist file "/location/myfile.txt"
pass in quick from <myTable>

 
But on my FreeBSD 12.0-RELEASE r341666 GENERIC I always receive an error:

Code:
Disabling pf.
Enabling pf/usr/local/etc/pf.conf:29: cannot define table blockperm: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded
 
It might not like the dash/hyphen in the table name - it keeps saying "Invalid argument".

Maybe try other_blocked or otherblocked instead? Does that make any difference?

You can try pf.conf without having to restart the service with

Code:
pfctl -nf /etc/pf.conf

I tried on 12.1 and it was fine with the dash, so I don't think it is that - but it still might be worth a try to eliminate the possibility?

How big is the file? Not related to this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235076
 
All config files above have rules in the wrong order. Make sure you use the following sequence in your /etc/pf.conf
Code:
# 1 # Macros
# 2 # Tables
# 3 # Options
# 4 # Packet Normalization
# 5 # Bandwidth Management
# 6 # Translation & Redirection
# 7 # Packet Filtering
Naming a table <other-blocked> isn't a problem, but make sure it points to the correct file location. You're using a different location and file name in both configs you already posted.
 
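The section order listed in the post above and the `pfctl -nf` dry run suggested earlier can both be checked before the running firewall is touched. The script below is an added example, not code from this thread, from pf or from pfctl: it ranks every line of a pf.conf by section and reports lines that fall behind a section pfctl expects later (the same condition pfctl prints as "Rules must be in order"), and for every `table <name> persist file "path"` it checks that the file is readable and that each entry looks like an IPv4/IPv6 address or CIDR prefix, which is worth ruling out alongside the path mismatch the post points at. The function names pf_rank, pf_check_order, pf_check_tables, pf_lint and pf_make_samples, the sample configs and the sample table files are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfctl(8): a pre-flight lint that
# mirrors two checks pfctl applies when a pf.conf is loaded: section order (macros,
# tables, options, normalization, queueing, translation, filtering; pfctl's "Rules
# must be in order") and, for each 'table <name> persist file "path"', that the file
# is readable and its entries parse as IPv4/IPv6 addresses or CIDR prefixes.
# All sample configs, table files and function names below are constructed.

# Section rank of one pf.conf line; 0 for lines the lint does not classify.
# Keyword branches come first so 'port = 0' in a rule is not taken for a macro.
pf_rank() {
    case "$1" in
        table\ *)                               echo 2 ;;  # tables
        set\ *)                                 echo 3 ;;  # options
        scrub\ *)                               echo 4 ;;  # normalization
        altq\ *|queue\ *)                       echo 5 ;;  # queueing
        nat\ *|rdr\ *|binat\ *)                 echo 6 ;;  # translation
        pass\ *|block\ *|antispoof\ *|match\ *) echo 7 ;;  # filtering
        [A-Za-z_]*=*)                           echo 1 ;;  # macro definition
        *)                                      echo 0 ;;
    esac
}

# Print "file:line: rules must be in order (...)" for every rule whose section
# precedes the highest section already seen; succeed only if there are none.
pf_check_order() {
    conf=$1; n=0; max=0; cont=0; bad=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1)); prev=$cont
        case "$raw" in *\\) cont=1 ;; *) cont=0 ;; esac   # wrapped with '\'?
        if [ "$prev" -eq 1 ]; then continue; fi            # continuation line
        line=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//')
        case "$line" in ''|'#'*) continue ;; esac          # blank or comment
        r=$(pf_rank "$line")
        if [ "$r" -eq 0 ]; then continue; fi
        if [ "$r" -lt "$max" ]; then
            printf '%s:%d: rules must be in order (%s)\n' "$conf" "$n" "$line"; bad=1
        else max=$r; fi
    done < "$conf"
    [ "$bad" -eq 0 ]
}

# For each table-from-file line, report an unreadable file and every entry that is
# not an (optionally '!'-negated) address or prefix, skipping blanks and comments;
# succeed only if all table files are clean. A CRLF file fails too: "\r" breaks "$".
pf_check_tables() {
    conf=$1
    out=$(grep -E '^[[:space:]]*table[[:space:]]+<[^>]+>.*[[:space:]]file[[:space:]]+"' "$conf" |
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/.*<\([^>]*\)>.*/\1/')
        path=$(printf '%s' "$line" | sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p')
        if [ ! -r "$path" ]; then printf '%s: table <%s>: cannot read %s\n' "$conf" "$name" "$path"; continue; fi
        entries=$(grep -Evn -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            -e '^[[:space:]]*!?([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*(#.*)?$' \
            -e '^[[:space:]]*!?[0-9A-Fa-f]*(:[0-9A-Fa-f]*)+(/[0-9]{1,3})?[[:space:]]*(#.*)?$' \
            "$path" || true)
        if [ -n "$entries" ]; then printf '%s\n' "$entries" | sed "s|^|$conf: table <$name>: $path:|"; fi
    done)
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    [ -z "$out" ]
}

# Run both checks, then the dry run suggested in the thread where pfctl exists.
pf_lint() {
    conf=$1; ok=0
    pf_check_order "$conf" || ok=1; pf_check_tables "$conf" || ok=1
    if [ "$ok" -eq 0 ] && command -v pfctl >/dev/null 2>&1; then pfctl -nf "$conf" || ok=1; fi
    return $ok
}

# Constructed samples: bad.conf has a block rule before set/scrub and points one table
# at a broken file and one at a missing file; good.conf is the same ruleset in order.
pf_make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed entries' 192.0.2.0/24 198.51.100.7 2001:db8::/32 > "$d/geoblock.txt"
    printf '%s\n' '# constructed entries' 192.0.2.0/24 2001:db8::/32 not-an-address > "$d/geoblock-broken.txt"
    printf '%s\n' 'ext_if="vtnet0"' "table <other-blocked> persist file \"$d/geoblock-broken.txt\"" \
        "table <missing> persist file \"$d/does-not-exist.txt\"" \
        'block in log quick on $ext_if from <other-blocked> to any' 'set skip on lo0' 'scrub in all' \
        'pass out on $ext_if proto { tcp, udp } from any to any modulate state' > "$d/bad.conf"
    printf '%s\n' 'ext_if="vtnet0"' "table <other-blocked> persist file \"$d/geoblock.txt\"" \
        'set skip on lo0' 'scrub in all' 'block in log quick on $ext_if from <other-blocked> to any' \
        'pass out on $ext_if proto { tcp, udp } from any to any modulate state' > "$d/good.conf"
    echo "$d"
}

dir=$(pf_make_samples)
for f in bad good; do
    if pf_lint "$dir/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: problems found"; fi
done
```

Run it as `sh pf-lint.sh`, or source it and call `pf_lint /usr/local/etc/pf.conf` on a real ruleset. On the constructed bad.conf it reports lines 5 and 6 (the `set` and `scrub` that follow a `block` rule), the `not-an-address` entry in the broken table file and the missing table file; good.conf passes both checks and, on a host that has pfctl, is then handed to `pfctl -nf`. The lint only classifies the rule keywords it knows about, so an unknown line is skipped rather than reported, and it is no substitute for the real dry run.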