PF Tables not processed by PF

hello

I have some rules on multiple machines with FreeBSD 9.1 and pf, but I do not block IPs.

Code:
root@srv10:~ # pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in on re0 all fragment reassemble
block drop in all
block drop log all
block drop in quick on ! re0 inet from PUBLIC/27 to any
block drop in quick inet from PUBLIC to any
block drop in quick on re0 inet6 from PUBLICV6 to any
block drop quick from <abusive_hosts> to any
pass in quick on re0 inet proto tcp from any to PUBLIC port = http flags S/SA synproxy state
pass in quick on lo1 inet from 10.0.0.0/26 to any flags S/SA keep state
pass out quick on lo1 inet from any to 10.0.0.0/26 flags S/SA keep state
pass in on re0 proto tcp from any to (re0) port = 22 flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global, src.track 30)
pass out on re0 proto tcp all flags S/SA modulate state
pass out on re0 proto icmp all keep state
pass out on re0 proto udp all keep state

I add an IP manually to the PF table (pfctl -t abusive_hosts -T add BADIP), but I see in the Apache logs that the bad IP still connects.

Am I doing something wrong? I'm no expert in PF or FreeBSD; you could consider me a rookie. Thanks.

Regards
 
Confirm that it is added with pfctl -t abusive_hosts -T show. If it does show up, check for rule hits with pfctl -vsr. You should see the Packets counter incrementing. Give that a try and post the output of the above commands if it's not working and we'll see what's going on from there.
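Added example (not part of the thread, and not junovitch's code): a small shell helper that automates the second check in the reply above. It reads `pfctl -vsr` output on stdin and prints every rule whose Packets counter is still 0, i.e. rules that are loaded but have never matched. The sample output embedded in the script is constructed to look like the thread's `pfctl -vsr` listing; the numbers are made up.

```shell
#!/bin/sh
# Added example: find pf rules that have never matched a packet.
# Usage on a live system:   pfctl -vsr | zero_hit_table_rules
# Usage on a saved listing: zero_hit_rules < pfctl-vsr.txt

# Print each rule whose "[ Evaluations: ... Packets: 0 ... ]" counter line
# reports zero packets. In pfctl -vsr output the counter line directly
# follows the rule it belongs to.
zero_hit_rules() {
    awk '
        # counter line: pick the value that follows the "Packets:" field
        /^[[:space:]]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") packets = $(i + 1)
            if (packets == "0") print rule
            next
        }
        # any other line is a candidate rule; noise such as the ALTQ
        # messages is overwritten by the next real rule before a counter line
        { rule = $0 }
    '
}

# Same, restricted to rules that reference a table (<name>), which is the
# rule the thread is debugging.
zero_hit_table_rules() {
    zero_hit_rules | grep '<[^>]*>'
}

# Constructed sample modelled on the thread's pfctl -vsr output (not real data).
sample_pfctl_vsr() {
    cat <<'EOF'
No ALTQ support in kernel
ALTQ related functions disabled
block drop in all
  [ Evaluations: 36037684  Packets: 1200      Bytes: 96000       States: 0     ]
block drop quick from <abusive_hosts> to any
  [ Evaluations: 36037684  Packets: 0         Bytes: 0           States: 0     ]
pass in quick on re0 inet proto tcp from any to PUBLIC port = http flags S/SA synproxy state
  [ Evaluations: 36037684  Packets: 500000    Bytes: 1000000     States: 12    ]
pass out on re0 proto udp all keep state
  [ Evaluations: 36037684  Packets: 0         Bytes: 0           States: 0     ]
EOF
}

# Running the sample prints only the table rule that has never matched:
#   block drop quick from <abusive_hosts> to any
sample_pfctl_vsr | zero_hit_table_rules
```

A rule with a large Evaluations count and zero Packets, as in the thread, means pf is reaching the rule but nothing ever matches it. That points at the traffic taking a path that skips the rule (for example a translation rule with the `pass` modifier, or an earlier `quick` rule) rather than at the table contents.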
 
Where do you declare the abusive_hosts table?
Code:
table <abusive_hosts> persist
or
Code:
table <abusive_hosts> persist file "/path/to/abusive_hosts"
 
Hello

junovitch said:
Confirm that it is added with pfctl -t abusive_hosts -T show. If it does show up, check for rule hits with pfctl -vsr. You should see the Packets counter incrementing. Give that a try and post the output of the above commands if it's not working and we'll see what's going on from there.

Yes, I checked it before posting, and I see the IP. I enclose the output:
Code:
root@srv10:~ # pfctl -t abusive_hosts -T show
No ALTQ support in kernel
ALTQ related functions disabled
   BADIP1
   BADIP2

I did not know the other command; I've learned something new :)

Code:
root@srv10:~ # pfctl -vsr
.................................
.................................
block drop quick from <abusive_hosts> to any
  [ Evaluations: 36037684  Packets: 0         Bytes: 0           States: 0     ]
.................................
.................................

wblock@ said:
Where do you declare the abusive_hosts table?
Code:
table <abusive_hosts> persist
or
Code:
table <abusive_hosts> persist file "/path/to/abusive_hosts"

Yes, I use persist to keep it in memory and to be able to add new IPs; at least that is what I understood from reading several books (I'm no expert). This is the configuration for this part:

Code:
block in all
block log all

table <abusive_hosts> persist
block quick from <abusive_hosts>

Block quick?

Thanks !

Regards
 
Looks sane to me. For reference, here is the config I use for both Fail2ban and PF rate limiting. This works just fine on 10.0-STABLE from about 3 weeks ago. The only thing I can think of at this point is that PF did get upgraded to a newer version in 9.0, just as it got upgraded for SMP support in 10.0. Maybe there is a bug somewhere. I would suggest spinning up a VirtualBox with 9.3-RELEASE and seeing if it still shows the same behavior. If it fixes it, you might as well upgrade for another 2 years of support.

/etc/pf.conf
Code:
table <fail2ban> persist
table <bruteforce> persist
table <firewall> const { self }

block drop in log quick on $wan_ifs from <fail2ban> to any
block drop in log quick on $wan_ifs from <bruteforce> to any

pass in on $wan_phy inet proto tcp to <firewall> port 22 flags S/SA keep state \
	(max-src-conn 10, max-src-conn-rate 10/3, \
	 overload <bruteforce> flush global)
 
I still have to review the whole firewall, because it seems to be correct but does not block these accesses. So far the information on pf I've seen is for OpenBSD, and in some cases it seems not to work on FreeBSD (I'm a rookie).

I will continue investigating to see if I can find the error. Thanks a lot.

Best regards
 
Might it be due to the quick pass or that this server is behind NAT with a private IP?

Code:
IP_PUB="PUBLIC"
ip_apache="10.0.1.1"
www_service="{80}"

nat pass on $ext_if from $int_if:network to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $www_service -> $ip_apache

block in all
block log all

table <abusive_hosts> persist
block quick from <abusive_hosts>

pass in quick on $ext_if proto tcp from any to $IP_PUB port $www_service flags S/SA synproxy state

Thanks!

Regards
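The thread ends without a resolution, but the last post contains the detail that explains the symptom. In the pf version shipped with FreeBSD 9.x, a translation rule written with the `pass` modifier (`rdr pass`, `nat pass`) lets matching packets through without the filter rules ever being evaluated, as documented in pf.conf(5). Web traffic redirected by `rdr pass ... port $www_service` therefore never reaches `block quick from <abusive_hosts>`, which is consistent with the zero Packets counter shown earlier. The following is an added example, not the poster's configuration, showing the weak form beside a corrected one. The macros and the 10.0.1.1 address are taken from the thread; `re0` and `lo1` are assumed for the interfaces, and `PUBLIC` stands for the real address.

```pf
# Added example (not the original poster's pf.conf). Interface names are assumed.
ext_if="re0"
int_if="lo1"
IP_PUB="PUBLIC"
ip_apache="10.0.1.1"
www_service="{80}"

table <abusive_hosts> persist

# Weak form (what the last post shows): the "pass" modifier on a translation
# rule passes matching packets without inspecting the filter rules, so
# <abusive_hosts> is never consulted for redirected web traffic.
#nat pass on $ext_if from $int_if:network to any -> $IP_PUB
#rdr pass on $ext_if proto tcp from any to $IP_PUB port $www_service -> $ip_apache

# Corrected form: translate only, and let the filter rules decide.
nat on $ext_if from $int_if:network to any -> $IP_PUB
rdr on $ext_if proto tcp from any to $IP_PUB port $www_service -> $ip_apache

block in all
block log all

# "quick" stops evaluation at the first match, so a listed source is
# dropped before any later pass rule is considered.
block quick from <abusive_hosts>

# Filter rules are evaluated after translation, so the inbound web rule
# must match the translated (internal) destination, not $IP_PUB.
pass in quick on $ext_if proto tcp from any to $ip_apache port $www_service \
    flags S/SA synproxy state
```

Two points to check after making this change. First, adding an address to a table only affects new connections; states that already exist keep passing, so after `pfctl -t abusive_hosts -T add BADIP` the existing states from that host should be removed with `pfctl -k BADIP`. Second, with `rdr` no longer carrying `pass`, the `pass in quick ... to $ip_apache` rule is what admits web traffic, so `pfctl -vsr` should now show its Packets counter increasing alongside hits on the table rule once a listed host connects.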
 