Netgate Discussion Forum

    Need help: How to activate Layer7 P2P Blocker?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    Cino

      I ended up with errors after removing the 2 lines.

      I removed:

      -                                       if(!empty($aline['divert']))
      -                                               $aline['flags'] .= "max-packets 10 ";
      

      system logs:

      
      Mar 17 21:26:37 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:365: syntax error pfctl: Syntax error in config file: pf rules not loaded The line in question reads [365]: pass log inet proto tcp from any to any divert 51790 flags S/SA keep state ( ) label "USER_RULE"
      Mar 17 21:26:37 	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:365: syntax error pfctl: Syntax error in config file: pf rules not loaded'
      
      
      eri--

        Hmm, sorry, this should be the correct one

        
        diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
        index 36e7624..18f2d66 100644
        --- a/etc/inc/filter.inc
        +++ b/etc/inc/filter.inc
        @@ -1881,7 +1881,7 @@ function filter_generate_user_rule($rule) {
                        } else
                                $aline['flags'] .= "keep state ";
        
        -               if($noadvoptions == false || $l7_present)
        +               if($noadvoptions == false)
                                if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
                                    (isset($rule['max']) and $rule['max'] <> "") or
                                    (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
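        Review bot: dropping `|| $l7_present` from this outer `if` is what stops a Layer7-only rule from entering the advanced-options block and emitting an empty `( )` group (the `keep state ( )` that pfctl rejected at rules.debug:365 in the first post). Check whether `$l7_present` is still read anywhere else in filter_generate_user_rule() after this patch (for example to emit the `divert` keyword); if its only job was to force this block open, it is now a dead variable and its assignment should be removed too.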
        @@ -1890,7 +1890,7 @@ function filter_generate_user_rule($rule) {
                                    (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
                                    (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
                                    (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
        -                           isset($rule['sloppy']) or $l7_present) {
        +                           isset($rule['sloppy'])) {
                                                $aline['flags'] .= "( ";
                                                if (isset($rule['sloppy']))
                                                        $aline['flags'] .= "sloppy ";
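        Review bot: this inner condition has to change in lockstep with the outer one in the previous hunk. If only one of the two `$l7_present` tests were removed, a rule whose only "advanced" setting is the Layer7 container would still enter the block, append `( `, write no option, and close with ` ) `. The parenthesis balance on the new line `isset($rule['sloppy'])) {` is correct (one closes isset(), one closes the if).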
        @@ -1913,8 +1913,6 @@ function filter_generate_user_rule($rule) {
                                                        $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
                                                        $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot>flush global ";
                                                }
        -                                       if(!empty($aline['divert']))
        -                                               $aline['flags'] .= "max-packets 5 ";
        
                                                $aline['flags'] .= " ) ";
                                        }
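        Review bot: with `max-packets 5` gone, nothing is ever written inside the `( ... )` group for a divert rule that has no other advanced option, so this hunk is only safe together with the two condition changes above; the first post shows exactly what happens when these two lines are dropped alone (`keep state ( )` and a pfctl syntax error). Two smaller points: the reporter quoted `max-packets 10` where this context has `max-packets 5`, so the hunk may not apply cleanly to their tree, and `<virusprot>` in the context line is a pf table name inside a PHP string, not markup.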
        
          Cino
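As an added example (not pfSense code and not from either poster), a Python model of the state-option logic shown in the diff above, plus a lint that finds the empty `( )` group from the first post's pfctl error before a ruleset is loaded. Assumed: rule dicts keyed by the config.xml field names (empty string means unset), and only the options visible in the diff are modelled; the sample rules.debug excerpt is constructed.

```python
"""Added example (not pfSense code): models the state-option group that
filter_generate_user_rule() appends after "keep state", as far as the diff in
this thread shows it, and lints a rules.debug text for the empty "( )" group
that pfctl rejected in the first post."""
import re

# Advanced options that open the "( ... )" group in the code shown in the diff.
ADV_KEYS = ("source-track", "max", "max-src-nodes", "max-src-conn",
            "max-src-conn-rate", "max-src-conn-rates", "max-src-states",
            "statetimeout")


def option_group(rule, l7_present, patched=True):
    """Text appended after 'keep state' for one rule dict.

    patched=False reproduces the intermediate state from the first post:
    the 'max-packets' line removed but both '$l7_present' conditions kept,
    so a Layer7-only rule still opens the group and writes nothing into it.
    Only the options visible in the diff are modelled (assumption).
    """
    has_adv = any(rule.get(k, "") != "" for k in ADV_KEYS) or bool(rule.get("sloppy"))
    if not has_adv and not (l7_present and not patched):
        return ""
    out = "( "
    if rule.get("sloppy"):
        out += "sloppy "
    for key in ("max", "max-src-nodes", "max-src-conn", "max-src-states"):
        if rule.get(key, "") != "":
            out += f"{key} {rule[key]} "
    if rule.get("max-src-conn-rate", "") != "" and rule.get("max-src-conn-rates", "") != "":
        out += (f"max-src-conn-rate {rule['max-src-conn-rate']} "
                f"/{rule['max-src-conn-rates']}, overload <virusprot> flush global ")
    # 'max-packets 5' for divert rules is intentionally absent (hunk 3 of the diff).
    return out + ") "


def build_rule(rule, l7_port=None, patched=True):
    """Assemble a floating 'pass inet proto tcp from any to any' rule like the
    one in the rules.debug quoted in this thread; l7_port is the divert port."""
    line = "pass inet proto tcp from any to any "
    if l7_port is not None:
        line += f"divert {l7_port} "
    line += "flags S/SA keep state "
    line += option_group(rule, l7_present=l7_port is not None, patched=patched)
    return line + 'label "USER_RULE"'


EMPTY_GROUP = re.compile(r"\(\s*\)")


def lint_rules(text):
    """Return [(lineno, message)] for lines pfctl would refuse to load because
    of an empty option group or unbalanced parentheses.  Line numbers match the
    ':NNN:' that pfctl prints in its syntax error."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0]          # drop trailing comments
        if EMPTY_GROUP.search(body):
            problems.append((n, "empty state option group '( )'"))
        elif body.count("(") != body.count(")"):
            problems.append((n, "unbalanced parentheses"))
    return problems


# Constructed excerpt in the style of rules.debug (documentation addresses,
# not the poster's); line 4 is the broken rule from the first post.
SAMPLE_RULES = """\
# System aliases
pass out route-to ( em3 192.0.2.1 ) from 192.0.2.2 to !192.0.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
match inet proto udp from any to any port 500 queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
pass log inet proto tcp from any to any divert 51790 flags S/SA keep state ( ) label "USER_RULE"
pass inet proto tcp from any to any divert 41786 flags S/SA keep state ( max-packets 5 ) label "USER_RULE"
"""

if __name__ == "__main__":
    l7_rule = {}  # config.xml rule with only <l7container> set, no advanced options
    print("before full patch:", build_rule(l7_rule, l7_port=41786, patched=False))
    print("after  full patch:", build_rule(l7_rule, l7_port=41786))
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"rules.debug:{lineno}: {msg}")
```

pfctl's own parse-only run (`pfctl -n -f /tmp/rules.debug`) remains the authoritative check; the lint only spots this particular generator defect in a saved rules.debug.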

          I tried it and it didn't work… Since it didn't work, and I noticed there were some updates for ipv6 (smos repos), I went ahead and ran gitsync, which erased the patch of yours that I had added. The last merge with the mainline code happened on Wed, so this gitsync didn't include the patches you added yesterday. Now for the fun part!!

          After I ran gitsync and rebooted, I noticed that the lcdproc process was timing out while trying to connect to LCDd. I'm like WTF..... To make a long story short, my test rule (Block: telnet, pop3, smtp) was blocking the connection. Once I disabled my test rule, lcdproc connected right away to LCDd.

          So the layer7 stuff is working, but for the loopback address it seems... I hope this bit of info helps... Maybe it's the way we create the rules? That another rule overrides the layer7 one?

            eri--

            Can you show me your ruleset?
            The one that you expect to work?

              Cino

              Sure… Let me know if you need anything else

              Here is the rule I created:

              
              from config.xml
              <rule>
                  <id/>
                  <type>pass</type>
                  <ipprotocol>inet</ipprotocol>
                  <tag/>
                  <tagged/>
                  <direction>any</direction>
                  <floating>yes</floating>
                  <max/>
                  <max-src-nodes/>
                  <max-src-conn/>
                  <max-src-states/>
                  <statetimeout/>
                  <statetype>keep state</statetype>
                  <os/>
                  <protocol>tcp</protocol>
                  <source>
                      <any/>
                  </source>
                  <destination>
                      <any/>
                  </destination>
                  <descr/>
                  <l7container>testblocking</l7container>
              </rule>
              from rules.debug
              pass inet proto tcp from any to any divert 41786 flags S/SA keep state ( max-packets 5 ) label "USER_RULE"
              
              

              Here is the whole rules.debug in case you need it

              
              #System aliases
              
              loopback = "{ lo0 }"
              WAN = "{ em3 }"
              LAN = "{ em2 }"
              OVPN_REMOTE = "{ ovpns1 }"
              OVPN_MATT = "{ ovpns2 }"
              WAN_IPV6 = "{ gif0 }"
              VERIZON3G = "{ ppp0 }"
              WLAN_GUEST = "{ em0_vlan5 }"
              IPsec = "{ enc0 }"
              OpenVPN = "{ openvpn }"
              
              #SSH Lockout Table
              table <sshlockout> persist
              table <webconfiguratorlockout> persist
              #pfSnortSam tables
              table <snort2c>
              table <pfsnortsamout>
              table <pfsnortsamin>
              table <virusprot>
              # User Aliases
              
              set limit table-entries 900000
              table <allow_icmp> { x.x.x.x }
              Allow_ICMP = "<allow_icmp>"
              table <easyruleblockhostsopt4> { 178.239.57.253/32 }
              EasyRuleBlockHostsOPT4 = "<easyruleblockhostsopt4>"
              table <easyruleblockhostswan> { 221.1.220.163/32 }
              EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"
              table <game_consoles> { 192.168.0.60 192.168.0.61 192.168.0.62 }
              Game_Consoles = "<game_consoles>"
              table <ipsec_subnets> { 192.168.60.0/24 192.168.70.0/24 }
              IPSec_Subnets = "<ipsec_subnets>"
              ManagementPorts = "{ 22 222 445 443 }"
              table <managementsubnets> { 192.168.0.0/24 192.168.200.0/24 }
              ManagementSubnets = "<managementsubnets>"
              table <openvpn_subnets> { 192.168.200.0/24 192.168.201.0/24 192.168.50.0/24 }
              OpenVPN_Subnets = "<openvpn_subnets>"
              table <p2p_devices> { 192.168.0.20 }
              P2P_Devices = "<p2p_devices>"
              table <penaltybox> { 192.168.0.15 }
              PenaltyBox = "<penaltybox>"
              table <privatenetworks> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.1/8 fc00::/7 }
              PrivateNetworks = "<privatenetworks>"
              table <safesubnets> { 192.168.0.0/24 192.168.200.0/24 192.168.201.0/24 192.168.50.0/24 192.168.60.0/24 192.168.70.0/24 }
              SafeSubnets = "<safesubnets>"
              SMB_TCP = "{ 139 445 }"
              SMB_UDP = "{ 137 138 }"
              table <video_devices> { 192.168.0.50 192.168.0.51 192.168.0.52 }
              Video_Devices = "<video_devices>"
              table <voip_devices> { 192.168.0.8 }
              VoIP_Devices = "<voip_devices>"
              VoIP_Ports = "{ 10000:20000 4569 }"
              table <work_ips> { x.x.x.x/24 }
              Work_IPs = "<work_ips>"
              
              # Gateways
              GWWAN = " route-to ( em3 x.x.x.x ) "
              GWHE_Net = " route-to ( gif0 2001:470:x.x.x.x::1 ) "
              GWVERIZON3G = " route-to ( ppp0 x.x.x.x ) "
              GWWanFailoverTo3G = " route-to { ( em3 x.x.x.x ) } "
              
              set loginterface em2
              set optimization normal
              set limit states 299000
              set limit src-nodes 299000
              
              set skip on pfsync0
              
              scrub in on $WAN all fragment reassemble
              scrub in on $LAN all fragment reassemble
              scrub in on $OVPN_REMOTE all fragment reassemble
              scrub in on $OVPN_MATT all fragment reassemble
              scrub in on $WAN_IPV6 all fragment reassemble
              scrub in on $VERIZON3G all fragment reassemble
              scrub in on $WLAN_GUEST all fragment reassemble
              
              altq on em3 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
              queue qACK on em3 priority 9 priq ( ecn )
              queue qDefault on em3 priority 3 priq ( ecn , default )
              queue qP2P on em3 priority 1 priq ( ecn )
              queue qVoIP on em3 priority 10 priq ( ecn )
              queue qGames on em3 priority 8 priq ( ecn )
              queue qVPN on em3 priority 7 priq ( ecn )
              queue qOthersHigh on em3 priority 4 priq ( ecn )
              queue qOthersLow on em3 priority 2 priq ( ecn )
              
              altq on em2 priq bandwidth 1Gb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
              queue qACK on em2 priority 9 priq ( ecn )
              queue qDefault on em2 priority 3 priq ( ecn , default )
              queue qP2P on em2 priority 1 priq ( ecn )
              queue qVoIP on em2 priority 10 priq ( ecn )
              queue qGames on em2 priority 8 priq ( ecn )
              queue qVPN on em2 priority 7 priq ( ecn )
              queue qOthersHigh on em2 priority 4 priq ( ecn )
              queue qOthersLow on em2 priority 2 priq ( ecn )
              
              altq on ovpns1 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
              queue qACK on ovpns1 priority 9 priq ( ecn )
              queue qDefault on ovpns1 priority 3 priq ( ecn , default )
              queue qP2P on ovpns1 priority 1 priq ( ecn )
              queue qVoIP on ovpns1 priority 10 priq ( ecn )
              queue qGames on ovpns1 priority 8 priq ( ecn )
              queue qVPN on ovpns1 priority 7 priq ( ecn )
              queue qOthersHigh on ovpns1 priority 4 priq ( ecn )
              queue qOthersLow on ovpns1 priority 2 priq ( ecn )
              
              altq on ovpns2 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
              queue qACK on ovpns2 priority 9 priq ( ecn )
              queue qDefault on ovpns2 priority 3 priq ( ecn , default )
              queue qP2P on ovpns2 priority 1 priq ( ecn )
              queue qVoIP on ovpns2 priority 10 priq ( ecn )
              queue qGames on ovpns2 priority 8 priq ( ecn )
              queue qVPN on ovpns2 priority 7 priq ( ecn )
              queue qOthersHigh on ovpns2 priority 4 priq ( ecn )
              queue qOthersLow on ovpns2 priority 2 priq ( ecn )
              
              altq on ppp0 priq bandwidth 1Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
              queue qACK on ppp0 priority 9 priq ( ecn )
              queue qDefault on ppp0 priority 3 priq ( ecn , default )
              queue qP2P on ppp0 priority 1 priq ( ecn )
              queue qVoIP on ppp0 priority 10 priq ( ecn )
              queue qGames on ppp0 priority 8 priq ( ecn )
              queue qVPN on ppp0 priority 7 priq ( ecn )
              queue qOthersHigh on ppp0 priority 4 priq ( ecn )
              queue qOthersLow on ppp0 priority 2 priq ( ecn )
              
              nat-anchor "natearly/*"
              nat-anchor "natrules/*"
              
              # Outbound NAT rules
              
              # Subnets to NAT
              table <tonatsubnets> { 192.168.0.0/24 192.168.200.1/32 192.168.201.1/32 192.168.5.0/24 192.168.200.0/24 192.168.201.0/24 127.0.0.0/8 }
              nat on $WAN from <tonatsubnets> port 500 to any port 500 -> 67.250.121.14/32 port 500
              nat on $WAN from <tonatsubnets> to any -> x.x.x.x/32 port 1024:65535
              
              nat on $VERIZON3G from <tonatsubnets> port 500 to any port 500 -> 75.213.12.0/32 port 500
              nat on $VERIZON3G from <tonatsubnets> to any -> x.x.x.x/32 port 1024:65535
              
              # Load balancing anchor
              rdr-anchor "relayd/*"
              # TFTP proxy
              rdr-anchor "tftp-proxy/*"
              table <vpns> { 192.168.60.0/24 }
              table <direct_networks> { x.x.x.x/21 192.168.0.0/24 192.168.200.1/32 192.168.201.1/32 x.x.x.x/32 192.168.5.0/24 }
              # NAT Inbound Redirects
              rdr on em3 proto tcp from any to 67.250.121.14 port 80 -> 127.0.0.1 port 9080
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 80 tag PFREFLECT -> 127.0.0.1 port 19000
              
              rdr on em3 proto tcp from any to x.x.x.x port 443 -> 127.0.0.1 port 9443
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 443 tag PFREFLECT -> 127.0.0.1 port 19001
              
              rdr on em3 proto tcp from any to x.x.x.x port 3389 -> 192.168.0.10
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 3389 tag PFREFLECT -> 127.0.0.1 port 19002
              
              rdr on em3 proto tcp from any to x.x.x.x port 21 -> 192.168.0.10
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 21 tag PFREFLECT -> 127.0.0.1 port 19003
              
              rdr on em3 proto udp from any to x.x.x.x port 5198:5199 -> 192.168.0.10
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 5198:5199 tag PFREFLECT -> 127.0.0.1 port 19004:19005
              
              rdr on em3 proto tcp from any to x.x.x.x port 8100 -> 192.168.0.10 port 5198
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 8100 tag PFREFLECT -> 127.0.0.1 port 19006
              
              rdr on em3 proto tcp from any to x.x.x.x port 15000 -> 192.168.0.20
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 15000 tag PFREFLECT -> 127.0.0.1 port 19007
              
              rdr on em3 proto udp from any to x.x.x.x port 15004 -> 192.168.0.20
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 15004 tag PFREFLECT -> 127.0.0.1 port 19008
              
              rdr on em3 proto { tcp udp } from any to x.x.x.x port 8525 -> 192.168.0.20
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto { tcp udp } from any to x.x.x.x port 8525 tag PFREFLECT -> 127.0.0.1 port 19009
              
              rdr on em3 proto tcp from any to x.x.x.x port 554 -> 192.168.0.30
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 554 tag PFREFLECT -> 127.0.0.1 port 19010
              
              rdr on em3 proto udp from any to x.x.x.x port 5000:5010 -> 192.168.0.30
              # Reflection redirects
              rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 5000:5010 tag PFREFLECT -> 127.0.0.1 port 19011:19021
              
              # UPnPd rdr anchor
              rdr-anchor "miniupnpd"
              
              anchor "relayd/*"
              #---------------------------------------------------------------------------
              # default deny rules
              #---------------------------------------------------------------------------
              block in log inet all label "Default deny rule IPv4"
              block out log inet all label "Default deny rule IPv4"
              block in log inet6 all label "Default deny rule IPv6"
              block out log inet6 all label "Default deny rule IPv6"
              
              # IPv6 ICMP is not auxilary, it is required for operation
              # See man icmp6(4)
              # 1 unreach Destination unreachable
              # 2 toobig Packet too big
              # 128 echoreq Echo service request
              # 129 echorep Echo service reply
              # 133 routersol Router solicitation
              # 134 routeradv Router advertisement
              # 135 neighbrsol Neighbor solicitation
              # 136 neighbradv Neighbor advertisement
              pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
              
              # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
              
              # We use the mighty pf, we cannot be fooled.
              block quick inet proto { tcp, udp } from any port = 0 to any
              block quick inet proto { tcp, udp } from any to any port = 0
              block quick inet6 proto { tcp, udp } from any port = 0 to any
              block quick inet6 proto { tcp, udp } from any to any port = 0
              
              # pfSnortSam
              
              #countryblock
              table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'
              table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'
              pass quick from <countryblockw> to any label 'countryblock'
              pass quick from any to <countryblockw> label 'countryblock'
              block quick from <countryblock> to any label 'countryblock'
              block quick from <snort2c> to any label "Block snort2c hosts"
              block quick from any to <snort2c> label "Block snort2c hosts"
              block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
              block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
              
              # SSH lockout
              block in log quick proto tcp from <sshlockout> to any port 222 label "sshlockout"
              
              # webConfigurator lockout
              block in log quick proto tcp from <webconfiguratorlockout> to any port 445 label "webConfiguratorlockout"
              block in quick from <virusprot> to any label "virusprot overload table"
              table <bogons> persist file "/etc/bogons"
              table <bogonsv6> persist file "/etc/bogonsv6"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
              block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
              antispoof for em3
              # allow our DHCP client out to the WAN
              pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
              pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
              # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
              antispoof for em2
              
              # allow access to DHCP server on LAN
              pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
              pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
              
              # allow access to DHCPv6 server on LAN
              anchor "dhcpv6serverLAN"
              # We need inet6 icmp for stateless autoconfig and dhcpv6
              pass in on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
              pass in on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
              pass in on $LAN inet6 proto udp from fe80::/10 to 2001:470:1f07:e7f::1 port = 546 label "allow access to DHCPv6 server"
              pass out on $LAN inet6 proto udp from 2001:470:1f07:e7f::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
              table <bogonsv6> persist file "/etc/bogonsv6"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $OVPN_REMOTE from <bogons> to any label "block bogon IPv4 networks from OVPN_REMOTE"
              block in log quick on $OVPN_REMOTE from <bogonsv6> to any label "block bogon IPv6 networks from OVPN_REMOTE"
              antispoof for ovpns1
              table <bogonsv6> persist file "/etc/bogonsv6"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $OVPN_MATT from <bogons> to any label "block bogon IPv4 networks from OVPN_MATT"
              block in log quick on $OVPN_MATT from <bogonsv6> to any label "block bogon IPv6 networks from OVPN_MATT"
              antispoof for ovpns2
              table <bogonsv6> persist file "/etc/bogonsv6"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $WAN_IPV6 from <bogons> to any label "block bogon IPv4 networks from WAN_IPV6"
              block in log quick on $WAN_IPV6 from <bogonsv6> to any label "block bogon IPv6 networks from WAN_IPV6"
              table <bogonsv6> persist file "/etc/bogonsv6"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $VERIZON3G from <bogons> to any label "block bogon IPv4 networks from VERIZON3G"
              block in log quick on $VERIZON3G from <bogonsv6> to any label "block bogon IPv6 networks from VERIZON3G"
              antispoof for ppp0
              # block anything from private networks on interfaces with the option set
              antispoof for $VERIZON3G
              block in log quick on $VERIZON3G from 10.0.0.0/8 to any label "Block private networks from VERIZON3G block 10/8"
              block in log quick on $VERIZON3G from 127.0.0.0/8 to any label "Block private networks from VERIZON3G block 127/8"
              block in log quick on $VERIZON3G from 172.16.0.0/12 to any label "Block private networks from VERIZON3G block 172.16/12"
              block in log quick on $VERIZON3G from 192.168.0.0/16 to any label "Block private networks from VERIZON3G block 192.168/16"
              block in log quick on $VERIZON3G from fc00::/7 to any label "Block ULA networks from VERIZON3G block fc00::/7"
              antispoof for em0_vlan5
              
              # allow access to DHCP server on WLAN_GUEST
              pass in on $WLAN_GUEST proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in on $WLAN_GUEST proto udp from any port = 68 to 192.168.5.1 port = 67 label "allow access to DHCP server"
              pass out on $WLAN_GUEST proto udp from 192.168.5.1 port = 67 to any port = 68 label "allow access to DHCP server"
              
              # loopback
              pass in on $loopback inet all label "pass IPv4 loopback"
              pass out on $loopback inet all label "pass IPv4 loopback"
              pass in on $loopback inet6 all label "pass IPv6 loopback"
              pass out on $loopback inet6 all label "pass IPv6 loopback"
              # let out anything from the firewall host itself and decrypted IPsec traffic
              pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
              pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
              pass out route-to ( em3 67.250.120.1 ) from x.x.x.x to !67.250.120.0/21 keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( ovpns1 192.168.200.1 ) from 192.168.200.1 to !192.168.200.1/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( ovpns2 192.168.201.1 ) from 192.168.201.1 to !192.168.201.1/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( ppp0 66.174.121.1 ) from 75.213.12.0 to !75.213.12.0/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out on $IPsec all keep state label "IPsec internal host to host"
              # NAT Reflection rules
              pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
              
              # User-defined rules follow
              match inet proto udp from $VoIP_Devices to any queue (qVoIP) label "USER_RULE: m_VoIP Devices"
              match proto tcp from any to any port 3389 queue (qOthersHigh,qACK) label "USER_RULE: m_Other MSRDP outbound"
              match proto tcp from any to any port 5899 >< 5931 queue (qOthersHigh,qACK) label "USER_RULE: m_Other VNC outbound"
              match inet proto tcp from any to any port $SMB_TCP queue (qOthersHigh,qACK) label "USER_RULE: m_Other SMB DEST_TCP"
              match inet proto udp from any to any port $SMB_UDP queue (qOthersHigh) label "USER_RULE: m_Other SMB DEST_UDP"
              match inet proto tcp from any port $SMB_TCP to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other SMB SRC_TCP"
              match inet proto udp from any port $SMB_UDP to any queue (qOthersHigh) label "USER_RULE: m_Other SMB SRC_UDP"
              match inet proto udp from any to any port 500 queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
              match inet proto udp from any port 500 to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
              match inet proto ah from any to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
              match inet proto esp from any to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
              match proto tcp from any to any port 7999 >< 8101 queue (qOthersHigh,qACK) label "USER_RULE: m_Other STREAMINGMP3 outbound"
              match proto tcp from any to any port 554 queue (qOthersHigh,qACK) label "USER_RULE: m_Other RTSP1 outbound"
              match inet proto tcp from any to any port 80 queue (qDefault,qACK) label "USER_RULE: m_Other HTTP outbound"
              match inet proto tcp from any to any port 443 queue (qDefault,qACK) label "USER_RULE: m_Other HTTPS outbound"
              match inet proto tcp from $Video_Devices to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other Video Playback Devices SRC_TCP"
              match inet proto udp from $Video_Devices to any queue (qOthersHigh) label "USER_RULE: m_Other Video Playback Devices SRC_UDP"
              match inet proto tcp from $Game_Consoles to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other Game Consoles TCP"
              match inet proto udp from $Game_Consoles to any queue (qOthersHigh) label "USER_RULE: m_Other Game Consoles UDP"
              match proto udp from any to any port 88 queue (qGames) label "USER_RULE: m_Game xbox360-1 outbound"
              match proto udp from any to any port 3074 queue (qGames) label "USER_RULE: m_Game xbox360-2 outbound"
              match proto tcp from any to any port 3074 queue (qGames,qACK) label "USER_RULE: m_Game xbox360-3 outbound"
              match inet proto tcp from $P2P_Devices to any queue (qP2P,qACK) label "USER_RULE: m_P2P Devices SRC_TCP"
              match inet proto udp from $P2P_Devices to any queue (qP2P) label "USER_RULE: m_P2P Devices SRC_UDP"
              match inet proto tcp from any to $P2P_Devices queue (qP2P,qACK) label "USER_RULE: m_P2P Devices DEST_TCP"
              match inet proto udp from any to $P2P_Devices queue (qP2P) label "USER_RULE: m_P2P Devices DEST_UDP"
              match proto tcp from any to any port 25 queue (qOthersLow,qACK) label "USER_RULE: m_Other SMTP outbound"
              match proto tcp from any to any port 110 queue (qOthersLow,qACK) label "USER_RULE: m_Other POP3 outbound"
              match proto tcp from any to any port 143 queue (qOthersLow,qACK) label "USER_RULE: m_Other IMAP outbound"
              match proto tcp from any to any port 53 queue (qOthersHigh,qACK) label "USER_RULE: m_Other DNS1 outbound"
              match proto udp from any to any port 53 queue (qOthersHigh) label "USER_RULE: m_Other DNS2 outbound"
              match inet proto icmp from any to any queue (qOthersLow) label "USER_RULE: m_Other ICMP outbound"
              match inet proto tcp from $PenaltyBox to any queue (qOthersLow,qACK) label "USER_RULE: m_Others Penalty Box TCP"
              match inet proto udp from $PenaltyBox to any queue (qOthersLow) label "USER_RULE: m_Others Penalty Box UDP"
              pass inet proto tcp from any to any divert 41786 flags S/SA keep state ( max-packets 5 ) label "USER_RULE"
              block in quick on $WAN reply-to ( em3 67.250.120.1 ) inet from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
              pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to x.x.x.x port 1194 keep state queue (qVPN) label "USER_RULE: OpenVPN Road Warrior"
              pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to x.x.x.x port 1195 keep state queue (qVPN) label "USER_RULE: OpenVPN Moms Site-to-Site VPN"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 127.0.0.1 port 9080 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT HTTP pound redirect"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 127.0.0.1 port 9443 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT HTTPS pound redirect"
              pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.10 port 3389 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - rdp"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) proto tcp from any to 192.168.0.10 port 21 label "USER_RULE: NAT shitbox - ftp"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.10 port 5197 >< 5200 keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - EchoLink Proxy UDP"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.10 port 5198 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - EchoLink Proxy TCP"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.20 port 15000 flags S/SA keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey Network"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.20 port 15004 keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey Network"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto { tcp udp } from any to 192.168.0.20 port 8525 keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey KAD Network"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.30 port 554 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT cambox - RTSP Port"
              pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.30 port 4999 >< 5011 keep state queue (qOthersHigh) label "USER_RULE: NAT cambox - RTP Data Port"
              pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto icmp from $Allow_ICMP to x.x.x.x keep state label "USER_RULE: Allow Ping from Allow_ICMP Alias"
              block in quick on $WAN reply-to ( em3 67.250.120.1 ) from $PrivateNetworks to any label "USER_RULE: Block Private Networks"
              pass in quick on $LAN inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
              block return in log quick on $LAN inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
              pass in quick on $LAN inet from any to $OpenVPN_Subnets keep state label "USER_RULE: Route OpenVPN Traffic to Default Routing Table"
              pass in quick on $LAN inet from any to $IPSec_Subnets keep state label "USER_RULE: Route IPSec Traffic to Default Routing Table"
              pass in quick on $LAN from 192.168.0.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
              pass in quick on $LAN $GWWanFailoverTo3G from 192.168.0.0/24 to any keep state label "USER_RULE: WanFailoverTo3G"
              pass in quick on $LAN inet6 from fe80::/10 to ff02::/16 keep state label "USER_RULE: IPv6 - Allow Local-Link Addresses"
              pass in quick on $LAN inet6 from 2001:470:1f07:e7f:0:0:0:0/64 to any keep state label "USER_RULE: Default allow IPv6 LAN to any rule"
              pass in quick on $LAN inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default allow IPv4 LAN to any rule"
              pass in log quick on $IPsec inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
              block return in log quick on $IPsec inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
              pass in quick on $IPsec inet from $IPSec_Subnets to any keep state label "USER_RULE: Default allow IPSec to any rule "
              pass in quick on $OVPN_REMOTE inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports "
              block return in log quick on $OVPN_REMOTE inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
              pass in quick on $OVPN_REMOTE inet from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv4 OpenVPN to any rule"
              pass in quick on $OVPN_REMOTE inet6 from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv6 OpenVPN to any rule"
              pass in quick on $OVPN_MATT inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
              block return in log quick on $OVPN_MATT inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
              pass in quick on $OVPN_MATT inet from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv4 OpenVPN to any rule"
              pass in quick on $OVPN_MATT inet6 from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv6 OpenVPN to any rule"
              pass in log quick on $WAN_IPV6 inet6 proto ipv6-icmp from any to 2001:470:1f06:e7f::2 keep state label "USER_RULE: Allow ICMP traffic to WANIPv6 Address"
              pass in log quick on $WAN_IPV6 inet6 proto ipv6-icmp from any to 2001:470:1f07:e7f::1 keep state label "USER_RULE: Allow ICMP traffic to LAN Address"
              block in quick on $VERIZON3G reply-to ( ppp0 66.174.121.1 ) from $EasyRuleBlockHostsOPT4 to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
              pass in log quick on $WLAN_GUEST inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
              block in log quick on $WLAN_GUEST inet proto tcp from any to 192.168.0.1 port $ManagementPorts label "USER_RULE: Reject other host to management ports"
              pass in quick on $WLAN_GUEST $GWWAN inet from 192.168.5.1/24 to ! $SafeSubnets keep state dnpipe ( 1, 2) label "USER_RULE: Allow traffic only to the Internet and limit to 1MBs"
              block in log quick on $WLAN_GUEST inet from any to any label "USER_RULE: Block Everything Else"
              block in quick on $WLAN_GUEST inet6 from any to any label "USER_RULE: Block IPv6 Traffic"
              
              # VPN Rules
              pass out on $WAN route-to ( em3 67.250.120.1 ) proto udp from any to any port = 500 keep state label "IPsec: IPSec RoadWarrior - outbound isakmp"
              pass in on $WAN reply-to ( em3 67.250.120.1 ) proto udp from any to any port = 500 keep state label "IPsec: IPSec RoadWarrior - inbound isakmp"
              pass out on $WAN route-to ( em3 67.250.120.1 ) proto udp from any to any port = 4500 keep state label "IPsec: IPSec RoadWarrior - outbound nat-t"
              pass in on $WAN reply-to ( em3 67.250.120.1 ) proto udp from any to any port = 4500 keep state label "IPsec: IPSec RoadWarrior - inbound nat-t"
              pass out on $WAN route-to ( em3 67.250.120.1 ) proto esp from any to any keep state label "IPsec: IPSec RoadWarrior - outbound esp proto"
              pass in on $WAN reply-to ( em3 67.250.120.1 ) proto esp from any to any keep state label "IPsec: IPSec RoadWarrior - inbound esp proto"
              anchor "tftp-proxy/*"
              # uPnPd
              anchor "miniupnpd"
              
              • E
                eri--
                last edited by

                Nah, the rules do not match like that.
                You have to make it match so divert can continue.

                • C
                  Cino
                  last edited by

                  What would be the best way to get it to match? I changed the rule to use LAN as the interface and dest port 110. I was still able to access it.

                  
                  pass  on {  em2  } inet proto tcp  from any to any port 110  divert 41786 flags S/SA keep state ( max-packets 5  )  label "USER_RULE"
                  
                   <rule>
                   	<id></id>
                   	<type>pass</type>
                   	<interface>lan</interface>
                   	<ipprotocol>inet</ipprotocol>
                   	<tag></tag>
                   	<tagged></tagged>
                   	<direction>any</direction>
                   	<floating>yes</floating>
                   	<max></max>
                   	<max-src-nodes></max-src-nodes>
                   	<max-src-conn></max-src-conn>
                   	<max-src-states></max-src-states>
                   	<statetimeout></statetimeout>
                   	<statetype>keep state</statetype>
                   	<os></os>
                   	<protocol>tcp</protocol>
                   	<source>
                   		<any></any>
                   	</source>
                   	<destination>
                   		<any></any>
                   		<port>110</port>
                   	</destination>
                   	<descr></descr>
                   	<l7container>testblocking</l7container>
                   </rule>
                  
                  
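Added example, not code from this thread or from pfSense's filter.inc: a simplified re-creation in Python of how the `<rule>` element posted above turns into the pf line that pfSense generated for it, so the two artefacts can be compared side by side, plus a small audit helper that lists divert rules naming no interface and matching `from any to any` with no port (the shape of the earlier floating rule in this thread). The `lan` to `em2` device mapping, the divert port 41786 (pfSense assigns it when it generates the rules; here it is a parameter) and the audit heuristic are assumptions; the sample XML and rule lines are copies of the ones posted in the thread.

```python
"""Render a pfSense <rule> config element as a pf rule line and audit divert rules.

Added example, not pfSense's own code: a simplified re-creation of the
config.xml -> rules.debug mapping.  Assumptions: the 'lan' -> 'em2' device
mapping, and the divert port (pfSense assigns it at rule generation time;
here it is passed in).
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the <rule> element from the post above.
SAMPLE_RULE_XML = """
<rule>
  <id></id>
  <type>pass</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <direction>any</direction>
  <floating>yes</floating>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <os></os>
  <protocol>tcp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <any></any>
    <port>110</port>
  </destination>
  <descr></descr>
  <l7container>testblocking</l7container>
</rule>
"""

# The pf line pfSense generated for that element (copied from the post).
EXPECTED_FROM_POST = ('pass  on {  em2  } inet proto tcp  from any to any port 110  '
                      'divert 41786 flags S/SA keep state ( max-packets 5  )  label "USER_RULE"')

# The earlier, interface-less divert rule from the thread, and a short
# constructed rules.debug excerpt that contains both rules.
UNSCOPED_LINE_FROM_POST = ('pass inet proto tcp from any to any divert 41786 flags S/SA '
                           'keep state ( max-packets 5 ) label "USER_RULE"')
SAMPLE_RULES_DEBUG = "\n".join([
    'pass in quick on $LAN inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default allow IPv4 LAN to any rule"',
    UNSCOPED_LINE_FROM_POST,
    EXPECTED_FROM_POST,
])

IFACE_MAP = {"lan": "em2"}  # assumed; the real mapping comes from the interface config


def normalize(line):
    """Collapse the uneven spacing the rule generator leaves behind."""
    return re.sub(r"\s+", " ", line).strip()


def _endpoint(node):
    """Render a <source>/<destination> element as 'addr [port N]'."""
    addr = "any" if node.find("any") is not None else node.findtext("address", "any")
    port = node.findtext("port")
    return addr + (f" port {port}" if port else "")


def render_rule(rule_xml, divert_port=None, max_packets=5):
    """Build the pf rule line for one <rule> element (simplified mapping)."""
    r = ET.fromstring(rule_xml.strip())
    l7 = bool(r.findtext("l7container")) and divert_port is not None
    parts = [r.findtext("type", "pass")]
    iface = r.findtext("interface")
    # Floating rules with direction 'any' come out as 'on { dev }' in the post.
    if iface and r.findtext("floating") == "yes":
        parts.append("on { " + IFACE_MAP.get(iface, iface) + " }")
    parts.append(r.findtext("ipprotocol", "inet"))
    proto = r.findtext("protocol")
    if proto:
        parts.append("proto " + proto)
    parts.append("from " + _endpoint(r.find("source")))
    parts.append("to " + _endpoint(r.find("destination")))
    if l7:
        parts.append(f"divert {divert_port}")  # hand matching flows to the L7 classifier
    if proto == "tcp":
        parts.append("flags S/SA")
    parts.append(r.findtext("statetype") or "keep state")
    if l7:
        # state option seen on the divert rules quoted in this thread
        parts.append(f"( max-packets {max_packets} )")
    descr = r.findtext("descr")
    parts.append('label "USER_RULE' + (": " + descr if descr else "") + '"')
    return " ".join(parts)


def find_unscoped_divert_rules(rules_text):
    """Heuristic audit (an assumption, not a pfSense check): list divert rules
    that name no interface and match 'from any to any' without a port, i.e.
    rules that would apply to every flow on every interface."""
    hits = []
    for raw in rules_text.splitlines():
        line = normalize(raw)
        if " divert " not in line:
            continue
        head = line.split(" from ", 1)[0]
        has_iface = " on " in head
        has_port = re.search(r"\b(?:from|to) any port \S+", line) is not None
        if not has_iface and "from any to any" in line and not has_port:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(render_rule(SAMPLE_RULE_XML, divert_port=41786))
    for hit in find_unscoped_divert_rules(SAMPLE_RULES_DEBUG):
        print("unscoped divert rule:", hit)
```

Running the block prints the rendered rule, which matches the posted `rules.debug` line once its spacing is normalized, and flags only the interface-less any-to-any divert rule; the scoped port 110 rule passes the audit.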
                  • H
                    heper
                    last edited by

                    So, what's the conclusion?

                    Does it work or not? I've only tried for about 10 minutes to get it working, but haven't thus far.

                    • C
                      Cino
                      last edited by

                      I do have good news about Layer 7 blocking: I was able to block all POP3 traffic from leaving my box. I still have to do more testing, but progress is being made :-) Thanks Ermal!!!!

                      • R
                        root2020
                        last edited by

                        How did you fix it?

                        • C
                          Cino
                          last edited by

                          I didn't fix it. Ermal did… Update to the latest snapshot and give it a try.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.