Netgate Discussion Forum

Aliases from file

Firewalling
9 Posts 6 Posters 5.6k Views
    CyberTiVo
    last edited by Aug 31, 2008, 6:30 PM

    I am new to pfSense, but have been using pf on FreeBSD for years. I have a couple of files with IPs from China, Korea, and others that I want to drop. On my system I have the following rules:

    table <doubleclick> const file "/etc/pf/doubleclick"
    table <chinaips> const file "/etc/pf/china_IPs"
    table <koreanips> const file "/etc/pf/korean_IPs"
    table <mediaforce> persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }
    ….
    block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick> }

    How do I do this in pfSense?

    BTW, fantastic program! I look forward to using it for years.

      dotdash
      last edited by Sep 2, 2008, 3:39 PM

      1.3 will have an import function under Aliases. Until it's ready, you could cut and paste. If you create a sample alias, then go to backup and select aliases, you will have a template to work with.

        CyberTiVo
        last edited by Sep 2, 2008, 4:32 PM

        I'm looking forward to 1.3 :D  Thanks for info, I will give that a try.

          nocer
          last edited by Sep 3, 2008, 3:25 AM Sep 3, 2008, 3:22 AM

          That's quite easy. Go to /etc/inc and open filter.inc with your favorite editor; vi is just fine.
          First, search for "ssh" and vi will take you to the line that looks like the following:

          $natrules .= "\n#SSH Lockout Table\n";
                  :
                  :
                  :

          This "$natrules .=" is what you need to modify (add/delete) with the rules you want
          implemented. Add lines like this:

          // inner double quotes must be escaped as \" inside the PHP string, otherwise
          // filter.inc no longer parses and pf ends up with no rules at all
          $natrules .= "table <doubleclick> const file \"/etc/pf/doubleclick\"\n";
          $natrules .= "table <chinaips> const file \"/etc/pf/china_IPs\"\n";
          $natrules .= "table <koreanips> const file \"/etc/pf/korean_IPs\"\n";
          $natrules .= "table <mediaforce> persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }\n";

          Now search for "ssh" once again and this time look at the "$ipfrules .=" lines. They look like:

          $ipfrules .= "\n# SSH lockout\n";
          $ipfrules .= "block in log quick proto tcp from <sshlockout_pf> to any port 22 label \"sshlockout\"\n";

          Add the following after them, like this:

          // $Ext_If is a pf macro from CyberTiVo's own ruleset; pfSense's generated rules do not
          // define it, and PHP interpolates it here, so set $Ext_If to the WAN interface name before
          // this line (or drop "on $Ext_If", as frosty's working version further down does)
          $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick> }\n";

          *Be careful with escaping special chars. The lines shown above are only for your reference and I don't know if
          I escaped the chars properly. If anything is not properly escaped, pf would stop creating the rules.
          Again, pay attention when editing.

          Finish with ZZ and reboot the box to make the changes effective. After the box comes back online, the
          tables you have created can be checked with "pfctl -vvsT".

          Of course this is only a quick and dirty hack for myself, so take your own risk when touching any system
          files. And if you update to any snaps/releases, the file will be overwritten with the default. I would
          recommend backing up the modified file for later use.

          That's enough for now. Happy hacking, and it will definitely help you understand pfSense.

          cheers,

            CyberTiVo
            last edited by Oct 4, 2008, 1:46 AM

            Thanks for the thorough instructions. I have been out of town and have not had time to try this. I will soon and let you know how it goes.

              UltraLinuz
              last edited by Feb 25, 2009, 9:06 PM Feb 25, 2009, 9:04 PM

              I tried to get this working but I keep getting errors.

              These are the changes that I've made on line 811/3309:

              $natrules .= "\n#SSH Lockout Table\n";
              $natrules .= "table <sshlockout> persist\n\n";

              $natrules .= "table <chinaips> const file \"/etc/pf/china_IPs\"\n";

              /* is SPAMD insalled? */
              if (is_package_installed("spamd") == 1) {
                      $natrules .= "\n# spam table \n";
                      $natrules .= "table <whitelist> persist\n";
                      $natrules .= "table <blacklist> persist\n";
                      $natrules .= "table <spamd> persist\n";
                      if(file_exists("/var/db/whitelist.txt"))

              and I added the following line as well on line 2661/3309:

              $ipfrules .= "\n# SSH lockout\n";
              $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port 22 label \"sshlockout\"\n\n";

              $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips> }\n";

              $ipfrules .= "anchor \"ftpproxy\"\n";
              $ipfrules .= "anchor \"pftpx/*\"\n";

              $ipfrules .= process_carp_rules();

              if (isset($config['filter']['rule'])) {

              It looks alright to me, but maybe I've gone blind to my own errors.

              Any suggestions how to get this working?

                nocer
                last edited by Mar 17, 2009, 11:26 PM

                UltraLinuz,

                Because CyberTiVo had already set up his own tables, as shown in his very first post. Did you have such files before you touched anything in filter.inc? All the tables are plain text files containing one fairly simple address/mask pair per line, as many as you want:

                aaa.bbb.ccc.ddd/mm
                          :
                vvv.www.xxx.yyy/mm

                So just create the table file, china_IPs/rfc1918 in your case, and you'll be fine. Consulting the man page for pfctl is also a very good idea.

                cheers,

                  frosty
                  last edited by Jul 9, 2010, 2:52 PM May 7, 2009, 2:19 PM

                  I know this is an older thread, but I figured I'd post what looks to be working for me, granted it's only in testing on pfSense running in VMware. I needed to test everything prior to loading on my production box. I know very little about this stuff and have only been using pfSense for a short time. I make no claims to its accuracy or whether it will work for anyone else. Also, I have no way of testing it to make sure it's truly working, but it appears to have loaded cleanly and took my edits. Also, pfctl -vvsT shows the items I entered. I set it to log the stuff I am blocking and will monitor the log files to see if I get any hits.

                  First I grabbed the countries I wanted to block from http://www.ipdeny.com/ipblocks/data/countries/ At some point I'll need to figure out how to make a script that goes out and gets an updated copy weekly or monthly, but that can wait for now. I created a directory in /etc and put them there, /etc/zones.

                  Then I edited filter.inc using the examples from nocer. I initially had problems with the syntax he had for $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick> }\n" so I played around with it until I got it to load cleanly. Below is what I currently have. I might have been able to put it all on a single line in $ipfrules, but this worked for me so I left it.

                  $natrules .= "\n#SSH Lockout Table\n";
                  $natrules .= "table <sshlockout> persist\n\n";
                  $natrules .= "table <china> persist file \"/etc/zones/cn\"\n";
                  $natrules .= "table <hongkong> persist file \"/etc/zones/hk\"\n";
                  $natrules .= "table <japan> persist file \"/etc/zones/jp\"\n";

                  ----------------------

                  $ipfrules .= "\n# SSH lockout\n";
                  $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port 22 label \"sshlockout\"\n\n";
                  $ipfrules .= "block in log quick from <china>\n";
                  $ipfrules .= "block in log quick from <hongkong>\n";
                  $ipfrules .= "block in log quick from <japan>\n";

                  Running pfctl -vvsT shows the following.

                  $ pfctl -vvsT
                  c-a-r- china
                  Addresses:   1572
                  Cleared:     Thu May  7 09:52:06 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 7                  Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- hongkong
                  Addresses:   652
                  Cleared:     Thu May  7 09:52:06 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 7                  Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- japan
                  Addresses:   2075
                  Cleared:     Thu May  7 09:52:06 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 7                  Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

                  Edit: Well, I put it on the production box and it appears to be getting hits and working. Now to figure out what other countries I need to add and an updating script, and I'll be happy for now.

                  $ pfctl -vvsT
                  -pa-r- bogons
                  Addresses:   38
                  Cleared:     Thu May  7 16:15:31 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 814                Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- china
                  Addresses:   1572
                  Cleared:     Thu May  7 16:15:31 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 1546               Match: 8                  ]
                  In/Block:    [ Packets: 8                  Bytes: 320                ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- hongkong
                  Addresses:   652
                  Cleared:     Thu May  7 16:15:31 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 1546               Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- japan
                  Addresses:   2075
                  Cleared:     Thu May  7 16:15:31 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 1544               Match: 2                  ]
                  In/Block:    [ Packets: 2                  Bytes: 122                ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                  c-a-r- korea
                  Addresses:   704
                  Cleared:     Thu May  7 16:15:31 2009
                  References:  [ Anchors: 0                  Rules: 1                  ]
                  Evaluations: [ NoMatch: 1544               Match: 0                  ]
                  In/Block:    [ Packets: 0                  Bytes: 0                  ]
                  In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                  In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                  Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                  Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

                  Edit: I made a mistake from not knowing enough about pf. I originally had const instead of persist for the table in the $natrules section. This worked but didn't let me update the tables.

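The following is an added example and is not code from this thread, from pfSense, or from any of the posters. It covers the three hand steps discussed in nocer's and frosty's posts: checking that each table file really is one `a.b.c.d/mm` entry per line, generating the `table <name> persist file ...` and `block in log quick from <name>` lines (and the same lines as correctly escaped PHP for filter.inc, which is where the quoting mistakes above came from), and refreshing a persist table in place with `pfctl -t <name> -T replace -f <file>` instead of rebooting. The `/etc/zones` layout with one file per country code is frosty's; the function names, the `geoblock_` label prefix and the sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from pfSense or from any poster):
# validate hand-made pf table files, emit the pf table/block rules and the
# escaped PHP lines for filter.inc, and refresh live persist tables.
# Assumptions: one file per table under a zone directory (frosty's /etc/zones
# layout); function names, the geoblock_ label prefix and sample data are ours.

# valid_cidr ENTRY -> 0 if ENTRY is IPv4 "a.b.c.d" or "a.b.c.d/nn", else 1
valid_cidr() {
    entry=$1
    # only digits, dots and a single slash may appear; rejecting anything else
    # first means no glob characters ever reach the "set --" below
    case $entry in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${entry%%/*}
    plen=32
    case $entry in
        */*) plen=${entry#*/} ;;
    esac
    case $plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1          # exactly four octets
    for oct in "$@"; do
        case $oct in
            ''|*[!0-9]*) return 1 ;;  # empty octet, e.g. "1..2.3"
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# check_table_file FILE -> 0 if every entry is valid, else each bad line is
# reported on stderr and 1 is returned. Blank lines and "#" comments are
# accepted because pf accepts them in table files too.
check_table_file() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if ! valid_cidr "$line"; then
            printf '%s:%d: invalid table entry: %s\n' "$file" "$n" "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# gen_pf_rules ZONEDIR -> pf.conf fragment: a persist table per file (table
# name = file name) plus a logging block rule. "persist" rather than "const"
# so the table can later be replaced in place (the mistake frosty describes).
gen_pf_rules() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        printf 'table <%s> persist file "%s"\n' "$name" "$path"
        printf 'block in log quick from <%s> to any label "geoblock_%s"\n' "$name" "$name"
    done
}

# gen_filter_inc_lines ZONEDIR -> the same rules as the PHP statements that
# filter.inc builds them from, with inner quotes escaped as \" so PHP parses.
gen_filter_inc_lines() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        printf '$natrules .= "table <%s> persist file \\"%s\\"\\n";\n' "$name" "$path"
        printf '$ipfrules .= "block in log quick from <%s> to any label \\"geoblock_%s\\"\\n";\n' "$name" "$name"
    done
}

# refresh_tables ZONEDIR -> validate each file, then replace the live persist
# table's contents from it (no reboot). Only calls pfctl where it exists.
refresh_tables() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        check_table_file "$path" || { echo "skipping $path" >&2; continue; }
        name=${path##*/}
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -t "$name" -T replace -f "$path"
        else
            echo "would run: pfctl -t $name -T replace -f $path"
        fi
    done
}

# demo: constructed sample zone files (documentation prefixes, not ipdeny data)
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/zones.XXXXXX")
    printf '203.0.113.0/24\n198.51.100.0/24\n' > "$tmp/cn"
    printf '192.0.2.0/24\n# comments are fine\n' > "$tmp/jp"
    printf '10.0.0.0/8\n300.1.1.1\n' > "$tmp/broken"
    for f in "$tmp"/*; do check_table_file "$f" || echo "rejected: ${f##*/}"; done
    echo "--- pf.conf fragment"; gen_pf_rules "$tmp"
    echo "--- filter.inc lines"; gen_filter_inc_lines "$tmp"
    echo "--- refresh"; refresh_tables "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh geoblock.sh --demo` to see the generated fragment; in use, validate the freshly downloaded files first and only then call `refresh_tables /etc/zones`, so a truncated download never empties a live table. `pfctl -t china -T show` lists a table's current contents and `pfctl -vvsT` gives the per-table counters frosty pasted; because the rules carry `log`, every blocked packet also goes to the pflog interface, where `tcpdump -n -e -ttt -i pflog0` shows it as it happens.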
                    jigpe
                    last edited by Sep 16, 2009, 8:12 AM

                    It's nice to know these things, but how do I know if somebody is trying to access my box?

                    jigp
                    1.2.2

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.