Aliases from file
-
I am new to pfSense, but have been using pf on FreeBSD for years. I have a couple of files with IPs from china, korea, and others that I want to drop. On my system I have the following rules:
table <doubleclick>const file "/etc/pf/doubleclick"
table <chinaips>const file "/etc/pf/china_IPs"
table <koreanips>const file "/etc/pf/korean_IPs"
table <mediaforce>persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }
….
block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick>}How do I do this in pfSense?
BTW, fantastic program! I look forward to using it for years.</doubleclick></mediaforce></koreanips></chinaips></rfc1918></mediaforce></koreanips></chinaips></doubleclick>
-
1.3 will have an import function under Aliases. Until it's ready, you could cut and paste. If you create a sample alias, then go to backup and select aliases, you will have a template to work with.
-
I'm looking forward to 1.3 :D Thanks for info, I will give that a try.
-
That's quite easy. Go to /etc/inc and open filter.inc by your favotie editor, vi just fine.
First, look for "ssh" then vi will guide you to the line looks like the following;$natrules .= "\n#SSH Lockout Table\n";
:
:
:
:This, "$natrules .=" is what you need to modify(add/delete) as your desired rules to be
implemented. Add the lines like this;$natrules .="table <doubleclick>const file "/etc/pf/doubleclick"\n";
$natrules .="table <chinaips>const file "/etc/pf/china_IPs"\n";
$natrules .="table <koreanips>const file "/etc/pf/korean_IPs"\n";
$natrules .="table <mediaforce>persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }"\n";Now look for "ssh" once again and see the "$ipfrules .=" at this time. It looks like;
$ipfrules .= "\n# SSH lockout\n";
$ipfrules .= "block in log quick proto tcp from <sshlockout_pf>to any port 22 label "sshlockout"\n";Add the following like this;
$ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick>}\n"
*Be careful with escape special chars. Showing above are only for your reference and I don't know if
I escaped chars properly. If anything is not properly escaped, pf would stop creating the rules.
Again, pay attention for editting.Done with ZZ and reboot the box make the changes effective. After the box comes back online, the
tables you have created can be checked by "pfctl -vvsT".Of course this is only quck and dirty hack for myself so the take your own risk for touching any system
files. And, if you update to any snaps/releases, the file would over-written to the default. I would
recommend backup the modified file for later use.That's enough for now. Happy hacking and it will definitely help you understand the pfSense.
cheres,</doubleclick></mediaforce></koreanips></chinaips></rfc1918></sshlockout_pf></mediaforce></koreanips></chinaips></doubleclick>
-
Thanks for the through instructions. I have been out of town and have not had time to try this. I will soon and let you know how it goes.
-
I tried to get this working but I keep getting errors.
These are the changes that I've made on line 811/3309:
$natrules .= "\n#SSH Lockout Table\n";
$natrules .= "table <sshlockout>persist\n\n";$natrules .= "table <chinaips>const file "/etc/pf/china_IPs"\n";
/* is SPAMD insalled? */
if (is_package_installed("spamd") == 1) {
$natrules .= "\n# spam table \n";$natrules .= "table <whitelist>persist\n";
$natrules .= "table <blacklist>persist\n";
$natrules .= "table <spamd>persist\n";
if(file_exists("/var/db/whitelist.txt"))and I added the following line as well on line 2661/3309:
$ipfrules .= "\n# SSH lockout\n";
$ipfrules .= "block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"\n\n";$ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>}\n";
$ipfrules .= "anchor "ftpproxy"\n";
$ipfrules .= "anchor "pftpx/*"\n";$ipfrules .= process_carp_rules();
if (isset($config['filter']['rule'])) {
It looks alright to me but maybe I got blind for my own errors.
Any suggestions how to get this working?</chinaips></rfc1918></sshlockout></spamd></blacklist></whitelist></chinaips></sshlockout>
-
UltraLinuz,
Because CyberTiVo has already set up his own tables as shown in his very first post. Do you have such files before you touch anything about filter.inc ? All the tables are to be a plain text containing fairly simple address/mask pair per line as many as you want ;
aaa.bbb.ccc.ddd/mm
:
vvv.www.xxx.yyy/mmSo just create a table file, china_IPs/rfc1918 in your case, then you'll be fine. Consulting with man page for pfctl is also a very good idea.
cheers,
-
I know this is an older thread but I figured I'd post what looks to be working for me granted its only in testing on pfsense running in vmware. I needed to test everything prior to loading on my production box. I know very little about this stuff and have only been using pfsense for a short time. I make no claims to its accuracy or whether it will work for anyone else. Also I have no way of testing it to make sure its truly working but it appears to have loaded cleanly and took my edits. Also pfctl -vvsT shows the items I entered. I set it to log the stuff I am blocking and will monitor the log files to see if I get any hits.
First I grabbed the countries I wanted to block from http://www.ipdeny.com/ipblocks/data/countries/ At some point I'll need to figure out how to make a script that goes out and gets an updated copy weekly or monthly but that can wait for now. I created a directory in /etc and put them there, /etc/zones.
Then I edited filter.inc using the examples from nocer. I initially had problems with the syntax he had for $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick>}\n" so I played around with it until I got it to load cleanly. Below is what I currently have. I might have been able to put it all on a single line in $ipfrules but this worked for me so I left it.
$natrules .= "\n#SSH Lockout Table\n";
$natrules .= "table <sshlockout>persist\n\n";
$natrules .= "table <china>persist file "/etc/zones/cn"\n";
$natrules .= "table <hongkong>persist file "/etc/zones/hk"\n";
$natrules .= "table <japan>persist file "/etc/zones/jp"\n";–---------------------
$ipfrules .= "\n# SSH lockout\n";
$ipfrules .= "block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"\n\n";
$ipfrules .= "block in log quick from <china>\n";
$ipfrules .= "block in log quick from <hongkong>\n";
$ipfrules .= "block in log quick from <japan>\n";Running pfctl -vvsT shows the following.
$ pfctl -vvsT
c-a-r- china
Addresses: 1572
Cleared: Thu May 7 09:52:06 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 7 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- hongkong
Addresses: 652
Cleared: Thu May 7 09:52:06 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 7 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- japan
Addresses: 2075
Cleared: Thu May 7 09:52:06 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 7 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]Edit: Well I put it on the production box and it appears to be getting hits and working. Now to figure out what other countries I need to add, an updating script and I'll be happy for now.
$ pfctl -vvsT
-pa-r- bogons
Addresses: 38
Cleared: Thu May 7 16:15:31 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 814 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- china
Addresses: 1572
Cleared: Thu May 7 16:15:31 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 1546 Match: 8 ]
In/Block: [ Packets: 8 Bytes: 320 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- hongkong
Addresses: 652
Cleared: Thu May 7 16:15:31 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 1546 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- japan
Addresses: 2075
Cleared: Thu May 7 16:15:31 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 1544 Match: 2 ]
In/Block: [ Packets: 2 Bytes: 122 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
c-a-r- korea
Addresses: 704
Cleared: Thu May 7 16:15:31 2009
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 1544 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]Edit: I made a mistake from not knowing enough about pf. I originally had const instead of persist for the table in $natrules section. This worked but didnt let me update the tables.</japan></hongkong></china></sshlockout></japan></hongkong></china></sshlockout></doubleclick></mediaforce></koreanips></chinaips></rfc1918>
-
Its nice to know these things but how to know if somebody is trying to access my box?
jigp
1.2.2
