Hi,
I have 1 genuine IP address that constantly ends up in the pf <BLOCKTEMP> table.
The IP address is the office where we have 10 PCs all accessing the same websites...
The office has no access to the server at all but uses email and www from it, so I guess the rule that I need to adjust is
Code:
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
Is there any way in pf to find out what rule has triggered the IP to be banned so I can then adjust it?
Here is my /etc/pf.conf file
Code:
################ Macros ###################################
### Interfaces ###
ExtIf = "bce0"
JailIf = "lo1"
### Hosts ###
## Web Proxy Server
www_ext = "91.203.72.xxx"
www_int = "10.8.20.xx"
#www_int = "10.8.20.19"
## FTP Server
ftp_ext = "91.203.72.xxx"
ftp_int = "10.8.20.12"
### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/UAPRSF synproxy state"
TcpState ="flags S/UAPRSF modulate state"
UdpState ="keep state"
### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist file "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}
################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
################ Queueing ####################################################
# no quality of service (QoS) here, since QoS is monitored and rate shaped by the VPS data centre.
################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ExtIf all reassemble tcp fragment reassemble
################ Translation #################################################
### NAT and Redirection rules are first match
# NAT all jail traffic
nat on $ExtIf from $JailIf:network to any -> ($ExtIf)
nat-anchor "openvpn"
# Hiawatha
# --- redirect http traffic to the internal web proxy server ---
rdr on $ExtIf inet proto tcp from !($ExtIf) to $www_ext port http -> $www_int port http
rdr on $ExtIf inet proto tcp from !($ExtIf) to $www_ext port https -> $www_int port https
# OpenSMTPD with Spamd
#rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
#rdr on $ExtIf inet proto tcp from <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250
# Openssh
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port ssh -> lo0
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $HugoLeisink port 22
# Pure-ftpd
# --- redirect ftp traffic to the internal ftp server ---
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ftp_ext port 21 -> $ftp_int port 21
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ftp_ext port 49000:51000 -> $ftp_int port 49000:51000
# Unbound DNS for LAN machines
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0
# Ntpd time server for the LAN
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0
# Anchors
rdr-anchor "openvpn"
# DENY rogue redirection
#no rdr
################ Filtering ###################################################
# Filter rules are last match unless marked quick. Rules are ordered so the external
# interface is parsed first, followed by the internal interface.
### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
anchor "openvpn"
### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6
#block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"
### $ExtIf inbound
# --- pass incoming http traffic --
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $www_int port www $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $www_int port https $TcpState $WebSTO
# --- pass incoming ssh traffic --
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port ssh $TcpState $SshSTO
### pureftp rules
# --- pass incoming ftp traffic ---
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $ftp_int port 21 $UdpState
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $ftp_int port 49000:51000 $UdpState
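Added example, not from the post: a small Python model of the stateful-tracking options quoted above, with the three STO macro strings copied from the pf.conf. It shows which macros can populate <BLOCKTEMP> at all (only those carrying overload, so here SshSTO and WebSTO) and which limit one NAT address shared by ten PCs is likely to trip; the rate check is a sliding-window approximation of pf's moving average, and the scenario numbers are constructed.

```python
import bisect
import re

# STO macros copied from the pf.conf in the post above (the values are the poster's).
STO_MACROS = {
    "SmtpSTO": "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)",
    "SshSTO": "(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)",
    "WebSTO": "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)",
}

def parse_sto(text):
    """Extract the per-source limits and the overload table from one STO string."""
    conn = re.search(r"max-src-conn (\d+)", text)
    rate = re.search(r"max-src-conn-rate (\d+)/(\d+)", text)
    over = re.search(r"overload <(\w+)>", text)
    return {
        "max_src_conn": int(conn.group(1)) if conn else None,
        "rate": (int(rate.group(1)), int(rate.group(2))) if rate else None,
        "overload": over.group(1) if over else None,
        "flush_global": "flush global" in text,
    }

def overload_capable(macros, table="BLOCKTEMP"):
    """Only STOs carrying 'overload <table>' can ever add a source to that table."""
    return sorted(name for name, text in macros.items()
                  if parse_sto(text)["overload"] == table)

def tripped_limit(sto, concurrent, new_conn_times):
    """Name the limit one source address trips, or None.
    concurrent: connections the address would have open once the new one is added
    (every PC behind one NAT address counts against the same source node).
    new_conn_times: timestamps (s) of its new connections, checked in a sliding window."""
    if sto["max_src_conn"] is not None and concurrent > sto["max_src_conn"]:
        return "max-src-conn"
    if sto["rate"]:
        limit, window = sto["rate"]
        times = sorted(new_conn_times)
        for i, t in enumerate(times):
            # connections that arrived within the last `window` seconds, inclusive of t
            if i - bisect.bisect_right(times, t - window) + 1 > limit:
                return "max-src-conn-rate"
    return None

def office_scenario(pcs=10, conns_per_pc=8, seconds=100):
    """Constructed scenario: `pcs` PCs behind one office address each holding
    `conns_per_pc` connections to the web proxy, opened evenly over `seconds`."""
    total = pcs * conns_per_pc
    times = [i * seconds / total for i in range(total)]
    return tripped_limit(parse_sto(STO_MACROS["WebSTO"]), total, times)
```

The model does not replace reading the live counters, which pfctl -sS (source-tracking nodes) and pfctl -t BLOCKTEMP -T show give on the box itself.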