Solved What rule banned my IP?

Hi,

I have 1 genuine IP address that constantly ends up in the pf <BLOCKTEMP> table.
The IP address is the office, where we have 10 PCs all accessing the same websites...
The office has no access to the server at all but uses email and www from it, so I guess the rule that I need to adjust is
Code:
WebSTO   ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

Is there any way in pf to find out which rule has triggered the ban of the IP, so I can then adjust it?
Here is my /etc/pf.conf file:
Code:
################ Macros ###################################
### Interfaces ###
ExtIf   = "bce0"
JailIf  = "lo1"

### Hosts ###
## Web Proxy Server
  www_ext    =   "91.203.72.xxx"
  www_int    =   "10.8.20.xx"
  #www_int    =   "10.8.20.19"
## FTP Server
  ftp_ext    =   "91.203.72.xxx"
  ftp_int    =   "10.8.20.12"


### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/UAPRSF synproxy state"
TcpState ="flags S/UAPRSF modulate state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
OpenSTO  ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO  ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO   ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO   ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist persist "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
# bogon/reserved networks; each prefix listed once (the original listed 192.0.2.0/24 and 169.254.0.0/16 twice)
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
                    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QOS) since QoS controls is monitored and rate shaped by the VPS data centre.

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub     log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT all jail traffic
nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)
nat-anchor "openvpn"

# Hiawatha
# --- redirect http traffic to the internal web proxy server ---
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $www_ext port http  -> $www_int        port  http
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $www_ext port https -> $www_int        port  https

# OpenSMTPD with Spamd
#rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
#rdr on $ExtIf inet proto tcp from  <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250

# Openssh
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port ssh -> lo0
#rdr on $ExtIf inet proto tcp from <TRUSTED> to ($ExtIf) port 1914 -> $HugoLeisink port 22

# Pure-ftpd
# --- redirect ftp traffic to the internal ftp server ---
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ftp_ext port 21 -> $ftp_int port 21
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $ftp_ext port 49000:51000 -> $ftp_int port 49000:51000

# Unbound DNS for LAN machines
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
rdr-anchor "openvpn"

# DENY rogue redirection
#no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from                     <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
anchor "openvpn"

### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6
#block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"

### $ExtIf inbound
# --- pass incoming http traffic --
pass in log on $ExtIf inet proto tcp  from !($ExtIf)   to $www_int             port    www     $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)   to $www_int             port    https   $TcpState $WebSTO

# --- pass incoming ssh traffic --
pass in quick log on $ExtIf proto tcp from <TRUSTED>   to $ExtIf               port    ssh     $TcpState $SshSTO

### pureftp rules
# --- pass incoming ftp traffic ---
pass in log on $ExtIf inet proto tcp  from !($ExtIf) to $ftp_int port 21               $UdpState
pass in log on $ExtIf inet proto tcp  from !($ExtIf) to $ftp_int port 49000:51000      $UdpState
 
Hi,

The banned IP is 80.252.64.xxx
I ran tcpdump -n -e -ttt -r pflog | grep 80.252.64.xxx and ended up with a huge file, so I only copied the end bit, which is mainly a repeat of the start.
What do rule 6 and rule 11 represent?
 
Code:
00:00:00.231605 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62004 > 10.8.20.xx.443: Flags , seq 1614107534, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.248810 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62005 > 10.8.20.xx.443: Flags , seq 385551941, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:02.744261 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62004 > 10.8.20.xx.443: Flags , seq 1614107534, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.250586 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62005 > 10.8.20.xx.443: Flags , seq 385551941, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:01.505223 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62004 > 10.8.20.xx.443: Flags , seq 1614107534, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:00.250419 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.62005 > 10.8.20.xx.443: Flags , seq 385551941, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:01.585129 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2208 > 10.8.20.xx.80: Flags , seq 349710774, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.244203 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2209 > 10.8.20.xx.80: Flags , seq 102115310, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.336077 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2210 > 10.8.20.xx.80: Flags , seq 3780993666, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.016628 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2211 > 10.8.20.xx.80: Flags , seq 430453327, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.012375 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2212 > 10.8.20.xx.80: Flags , seq 487963635, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.211454 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2213 > 10.8.20.xx.80: Flags , seq 1364763418, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.022739 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2214 > 10.8.20.xx.80: Flags , seq 110015688, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.001163 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2215 > 10.8.20.xx.80: Flags , seq 2120884563, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.100284 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2216 > 10.8.20.xx.80: Flags , seq 3165267200, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.892358 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64772 > 10.8.20.xx.80: Flags , seq 1073937570, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.142985 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64773 > 10.8.20.xx.80: Flags , seq 1032521214, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.058614 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2208 > 10.8.20.xx.80: Flags , seq 349710774, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.239990 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2209 > 10.8.20.xx.80: Flags , seq 102115310, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.341023 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2210 > 10.8.20.xx.80: Flags , seq 3780993666, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.006030 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2211 > 10.8.20.xx.80: Flags , seq 430453327, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.023609 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2212 > 10.8.20.xx.80: Flags , seq 487963635, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.205251 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2213 > 10.8.20.xx.80: Flags , seq 1364763418, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.024529 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2214 > 10.8.20.xx.80: Flags , seq 110015688, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000393 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2215 > 10.8.20.xx.80: Flags , seq 2120884563, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.096088 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.2216 > 10.8.20.xx.80: Flags , seq 3165267200, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.887967 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64772 > 10.8.20.xx.80: Flags , seq 1073937570, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.252086 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64773 > 10.8.20.xx.80: Flags , seq 1032521214, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.006879 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62091 > 91.203.72.xxx.995: Flags , seq 1239798763, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.051658 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62093 > 91.203.72.xxx.993: Flags , seq 576246094, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.064898 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62094 > 91.203.72.xxx.143: Flags , seq 2394770377, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.019604 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62095 > 91.203.72.xxx.110: Flags , seq 2865808157, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:02.817538 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62091 > 91.203.72.xxx.995: Flags , seq 1239798763, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.095945 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62093 > 91.203.72.xxx.993: Flags , seq 576246094, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.070131 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62094 > 91.203.72.xxx.143: Flags , seq 2394770377, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.009824 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62095 > 91.203.72.xxx.110: Flags , seq 2865808157, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.104253 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62091 > 91.203.72.xxx.995: Flags , seq 1239798763, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:00.088936 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62093 > 91.203.72.xxx.993: Flags , seq 576246094, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:00.064929 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62094 > 91.203.72.xxx.143: Flags , seq 2394770377, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:00.016026 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62095 > 91.203.72.xxx.110: Flags , seq 2865808157, win 8192, options [mss 1452,nop,nop,sackOK], length 0
00:00:00.599083 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62104 > 91.203.72.xxx.995: Flags , seq 754008219, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.089116 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62105 > 91.203.72.xxx.993: Flags , seq 3428982514, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.070854 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62106 > 91.203.72.xxx.143: Flags , seq 3450684525, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.012477 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62107 > 91.203.72.xxx.110: Flags , seq 3884472689, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.752374 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62105 > 91.203.72.xxx.993: Flags , seq 3428982514, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.069434 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62106 > 91.203.72.xxx.143: Flags , seq 3450684525, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
 
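As an added example (not from the thread), here is how to tie those `rule N` entries back to the ruleset: the N is the rule's index in the loaded main ruleset, the same @N that `pfctl -vvsr` prints, and because brace lists such as `{ <BLOCKNETS> urpf-failed no-route }` expand into one rule each, counting lines in pf.conf by hand is unreliable. The pflog lines and the `pfctl -vvsr` excerpt below are constructed to resemble the posted output, with the masked addresses replaced by .1.

```shell
#!/bin/sh
# Added example: join pflog "rule N" hits with the @N entries of `pfctl -vvsr`.

# Constructed pflog lines in `tcpdump -n -e -ttt -r pflog` form (TCP options trimmed).
SAMPLE_PFLOG='00:00:00.231605 rule 6..16777216/0(match): block in on bce0: 80.252.64.1.62004 > 10.8.20.1.443: Flags [S], seq 1614107534, win 8192, length 0
00:00:00.248810 rule 6..16777216/0(match): block in on bce0: 80.252.64.1.62005 > 10.8.20.1.443: Flags [S], seq 385551941, win 8192, length 0
00:00:01.585129 rule 6..16777216/0(match): block in on bce0: 80.252.64.1.2208 > 10.8.20.1.80: Flags [S], seq 349710774, win 8192, length 0
00:00:00.244203 rule 6..16777216/0(match): block in on bce0: 80.252.64.1.2209 > 10.8.20.1.80: Flags [S], seq 102115310, win 8192, length 0
00:00:00.006879 rule 11..16777216/0(match): block in on bce0: 80.252.64.1.62091 > 91.203.72.1.995: Flags [S], seq 1239798763, win 8192, length 0
00:00:02.817538 rule 11..16777216/0(match): block in on bce0: 80.252.64.1.62091 > 91.203.72.1.995: Flags [S], seq 1239798763, win 8192, length 0
00:00:00.019604 rule 11..16777216/0(match): block in on bce0: 80.252.64.1.62095 > 91.203.72.1.110: Flags [S], seq 2865808157, win 8192, length 0'

# Constructed excerpt shaped like `pfctl -vvsr` output (rule line, then its counters).
SAMPLE_RULES='@5 block drop in log quick on bce0 proto udp from <BLOCKTEMP> to any
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
@6 block drop in log quick on bce0 proto tcp from <BLOCKTEMP> to any port != ssh
  [ Evaluations: 10        Packets: 38        Bytes: 2432        States: 0     ]
@11 block drop in log on bce0 all
  [ Evaluations: 10        Packets: 20        Bytes: 1280        States: 0     ]'

# rule_hits: read pflog lines on stdin, print "<count> rule <N> <action> -> port <p>",
# most frequent first, so the rule doing the blocking stands out.
rule_hits() {
    awk '
        /\(match\)/ {
            match($3, /^[0-9]+/)             # "6..16777216/0(match):" -> 6
            rule = substr($3, RSTART, RLENGTH)
            for (i = 1; i <= NF; i++)        # the destination follows ">"
                if ($i == ">") dst = $(i + 1)
            sub(/:$/, "", dst)
            n = split(dst, d, ".")           # last dotted component is the port
            key = "rule " rule " " $4 " -> port " d[n]
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# rule_text N: print the @N line from a `pfctl -vvsr` dump given on stdin.
rule_text() {
    awk -v n="$1" '$1 == ("@" n)'
}

# Stand-alone run over the samples; on the firewall use
#   tcpdump -n -e -ttt -r /var/log/pflog | rule_hits   and   pfctl -vvsr | rule_text 6
printf '%s\n' "$SAMPLE_PFLOG" | rule_hits
for r in $(printf '%s\n' "$SAMPLE_PFLOG" | rule_hits | awk '{ print $3 }' | sort -u); do
    printf '%s\n' "$SAMPLE_RULES" | rule_text "$r"
done
```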
Hi guys,

I'm really clueless as to how to troubleshoot this at this stage.
Could someone please help?

Fred
 