Netgate Discussion Forum

    Aliases from file

    Firewalling
    CyberTiVo

      I am new to pfSense, but have been using pf on FreeBSD for years.  I have a couple of files with IPs from China, Korea, and others that I want to drop.  On my system I have the following rules:

      table <doubleclick> const file "/etc/pf/doubleclick"
      table <chinaips> const file "/etc/pf/china_IPs"
      table <koreanips> const file "/etc/pf/korean_IPs"
      table <mediaforce> persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }
      ….
      block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick> }

      How do I do this in pfSense?

      BTW, fantastic program!  I look forward to using it for years.

      dotdash

        1.3 will have an import function under Aliases. Until it's ready, you could cut and paste. If you create a sample alias, then go to backup and select aliases, you will have a template to work with.

        CyberTiVo

          I'm looking forward to 1.3 :D  Thanks for the info, I will give that a try.

          nocer

            That's quite easy. Go to /etc/inc and open filter.inc with your favorite editor; vi is just fine.
            First, search for "ssh" and vi will take you to a line that looks like the following:

            $natrules .= "\n#SSH Lockout Table\n";
                                    :
                                    :
                                    :
                                    :

            This "$natrules .=" is what you need to modify (add/delete) to implement your desired rules.
            Add lines like these:

            $natrules .= "table <doubleclick> const file \"/etc/pf/doubleclick\"\n";
            $natrules .= "table <chinaips> const file \"/etc/pf/china_IPs\"\n";
            $natrules .= "table <koreanips> const file \"/etc/pf/korean_IPs\"\n";
            $natrules .= "table <mediaforce> persist { 2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24 }\n";

            Now search for "ssh" once again; this time you will see "$ipfrules .=". It looks like:

            $ipfrules .= "\n# SSH lockout\n";
            $ipfrules .= "block in log quick proto tcp from <sshlockout_pf> to any port 22 label \"sshlockout\"\n";

            Add the following, like this:

            // $Ext_If is a pf macro from the FreeBSD ruleset; inside a PHP double-quoted string it is
            // interpolated as an (undefined) PHP variable, so put the real WAN interface name here.
            $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick> }\n";

            * Be careful with escaping special chars. The lines above are only for your reference and I don't know if
            I escaped the chars properly. If anything is not properly escaped, pf will stop creating the rules.
            Again, pay attention while editing.

            Save with ZZ and reboot the box to make the changes effective. After the box comes back online, the
            tables you have created can be checked with "pfctl -vvsT".

            Of course this is only a quick and dirty hack for myself, so touch any system files at your own risk.
            And if you update to any snapshot/release, the file will be overwritten with the default. I would
            recommend backing up the modified file for later use.

            That's enough for now. Happy hacking; it will definitely help you understand pfSense.

            cheers,

              CyberTiVo

              Thanks for the thorough instructions.  I have been out of town and have not had time to try this.  I will soon and let you know how it goes.

                UltraLinuz

                I tried to get this working but I keep getting errors.

                These are the changes that I've made on line 811/3309:

                $natrules .= "\n#SSH Lockout Table\n";
                $natrules .= "table <sshlockout> persist\n\n";

                $natrules .= "table <chinaips> const file \"/etc/pf/china_IPs\"\n";

                /* is SPAMD installed? */
                if (is_package_installed("spamd") == 1) {
                        $natrules .= "\n# spam table \n";

                        $natrules .= "table <whitelist> persist\n";
                        $natrules .= "table <blacklist> persist\n";
                        $natrules .= "table <spamd> persist\n";
                        if(file_exists("/var/db/whitelist.txt"))

                and I added the following line as well on line 2661/3309:

                $ipfrules .= "\n# SSH lockout\n";
                $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port 22 label \"sshlockout\"\n\n";

                // $Ext_If is interpolated by PHP here as an (undefined) PHP variable; use the actual WAN interface name
                $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips> }\n";

                $ipfrules .= "anchor \"ftpproxy\"\n";
                $ipfrules .= "anchor \"pftpx/*\"\n";

                $ipfrules .= process_carp_rules();

                if (isset($config['filter']['rule'])) {

                It looks alright to me, but maybe I've gone blind to my own errors.

                Any suggestions how to get this working?

                  nocer

                  UltraLinuz,

                  That's because CyberTiVo had already set up his own table files, as shown in his very first post. Did you have such files before you touched anything in filter.inc? Each table is a plain text file containing one simple address/mask pair per line, as many as you want:

                  aaa.bbb.ccc.ddd/mm
                            :
                  vvv.www.xxx.yyy/mm

                  So just create the table files, china_IPs and rfc1918 in your case, and then you'll be fine. Consulting the man page for pfctl is also a very good idea.

                  cheers,

                    frosty

                    I know this is an older thread but I figured I'd post what looks to be working for me, granted it's only in testing on pfSense running in VMware.  I needed to test everything prior to loading on my production box.  I know very little about this stuff and have only been using pfSense for a short time.  I make no claims to its accuracy or whether it will work for anyone else.  Also I have no way of testing it to make sure it's truly working, but it appears to have loaded cleanly and took my edits.  Also pfctl -vvsT shows the items I entered.  I set it to log the stuff I am blocking and will monitor the log files to see if I get any hits.

                    First I grabbed the countries I wanted to block from http://www.ipdeny.com/ipblocks/data/countries/.  At some point I'll need to figure out how to make a script that goes out and gets an updated copy weekly or monthly, but that can wait for now.  I created a directory in /etc and put them there, /etc/zones.

                    Then I edited filter.inc using the examples from nocer.  I initially had problems with the syntax he had for $ipfrules .= "block in quick on $Ext_If from { <rfc1918>, <chinaips>, <koreanips>, <mediaforce>, <doubleclick>}\n" so I played around with it until I got it to load cleanly.  Below is what I currently have.  I might have been able to put it all on a single line in $ipfrules but this worked for me so I left it.

                    $natrules .= "\n#SSH Lockout Table\n";
                    $natrules .= "table <sshlockout> persist\n\n";
                    $natrules .= "table <china> persist file \"/etc/zones/cn\"\n";
                    $natrules .= "table <hongkong> persist file \"/etc/zones/hk\"\n";
                    $natrules .= "table <japan> persist file \"/etc/zones/jp\"\n";

                    ----------------------

                    $ipfrules .= "\n# SSH lockout\n";
                    $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port 22 label \"sshlockout\"\n\n";
                    $ipfrules .= "block in log quick from <china>\n";
                    $ipfrules .= "block in log quick from <hongkong>\n";
                    $ipfrules .= "block in log quick from <japan>\n";

                    Running pfctl -vvsT shows the following.

                    $ pfctl -vvsT
                    c-a-r- china
                    Addresses:   1572
                    Cleared:     Thu May  7 09:52:06 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 7                  Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- hongkong
                    Addresses:   652
                    Cleared:     Thu May  7 09:52:06 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 7                  Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- japan
                    Addresses:   2075
                    Cleared:     Thu May  7 09:52:06 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 7                  Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

                    Edit:  Well I put it on the production box and it appears to be getting hits and working.  Now to figure out what other countries I need to add, an updating script and I'll be happy for now.

                    $ pfctl -vvsT
                    -pa-r- bogons
                    Addresses:   38
                    Cleared:     Thu May  7 16:15:31 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 814                Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- china
                    Addresses:   1572
                    Cleared:     Thu May  7 16:15:31 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 1546               Match: 8                  ]
                    In/Block:    [ Packets: 8                  Bytes: 320                ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- hongkong
                    Addresses:   652
                    Cleared:     Thu May  7 16:15:31 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 1546               Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- japan
                    Addresses:   2075
                    Cleared:     Thu May  7 16:15:31 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 1544               Match: 2                  ]
                    In/Block:    [ Packets: 2                  Bytes: 122                ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
                    c-a-r- korea
                    Addresses:   704
                    Cleared:     Thu May  7 16:15:31 2009
                    References:  [ Anchors: 0                  Rules: 1                  ]
                    Evaluations: [ NoMatch: 1544               Match: 0                  ]
                    In/Block:    [ Packets: 0                  Bytes: 0                  ]
                    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
                    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
                    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
                    Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

                    Edit:  I made a mistake from not knowing enough about pf.  I originally had const instead of persist for the tables in the $natrules section.  This worked but didn't let me update the tables.

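The procedure in nocer's and frosty's posts has three places where it breaks: a malformed line in an address file, a quote or `$` inside the PHP string that is not escaped, and a table declared `const` that can never be refreshed afterwards. The following is an added example, not code from the thread or from pfSense, that validates the address files, renders the `$natrules`/`$ipfrules` lines with the escaping done mechanically, and lists the pfctl commands that refresh a persist table in place (the updating step frosty mentions wanting). The paths, table names, the interface name `em0` and the contents of `SAMPLE_FILES` are constructed for illustration.

```python
"""Added example, not code from the thread or from pfSense: validate pf table
address files, render the filter.inc `.=` lines with PHP escaping done
mechanically, and list the pfctl commands that refresh a persist table.
All paths, table names, the interface name and SAMPLE_FILES are constructed."""
import ipaddress

# Constructed sample address files (not real ipdeny.com zone data).
SAMPLE_FILES = {
    "/etc/zones/cn": "1.0.1.0/24\n1.0.2.0/23\n# comment line\n\n1.0.8.0/21\n",
    "/etc/zones/bad": "10.0.0.0/8\n10.0.0.1/24\nnot-an-address\n",
}


def validate_table_file(text):
    """Return [(lineno, entry, reason)] for entries pf cannot load as a
    table member.  One host address or CIDR network per line; this
    validator skips blank lines and '#' comments.  strict=True also rejects
    a network with host bits set (10.0.0.1/24), which is almost always a
    mask typo, so it is caught before pfctl sees the file."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append((lineno, entry, str(exc)))
    return problems


def check_files(tables, reader=None):
    """Validate every file referenced by `tables` ({name: path}); `reader`
    maps a path to its text (default: read from disk)."""
    if reader is None:
        def reader(path):
            with open(path) as fh:
                return fh.read()
    return {name: validate_table_file(reader(path)) for name, path in tables.items()}


def pf_table_line(name, path, mode="persist"):
    """pf.conf: table <name> persist file "/path".  'const' forbids any
    later change to the table (frosty's mistake); 'persist' keeps it even
    when no rule references it and allows pfctl -T replace later."""
    if mode not in ("persist", "const"):
        raise ValueError("mode must be 'persist' or 'const'")
    return 'table <%s> %s file "%s"' % (name, mode, path)


def pf_block_rule(names, iface=None, log=True):
    """block in [log] quick [on IFACE] from { <t1>, <t2> } to any"""
    parts = ["block", "in"] + (["log"] if log else []) + ["quick"]
    if iface:
        parts += ["on", iface]
    parts += ["from", "{ %s }" % ", ".join("<%s>" % n for n in names), "to", "any"]
    return " ".join(parts)


def php_append(var, text):
    """Render one PHP `$var .= "...";` line ending in a literal newline
    escape.  Backslash, double quote and '$' are escaped so the pf line
    reaches the ruleset literally; an unescaped pf macro such as $Ext_If
    would be interpolated by PHP as an (undefined) variable and vanish."""
    esc = text.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return '%s .= "%s\\n";' % (var, esc)


def render_filter_inc(tables, iface=None, mode="persist"):
    """tables: {name: path}.  Returns (natrules_lines, ipfrules_lines) to
    paste next to the SSH-lockout lines in filter.inc."""
    natrules = [php_append("$natrules", pf_table_line(n, p, mode))
                for n, p in tables.items()]
    ipfrules = [php_append("$ipfrules", pf_block_rule(list(tables), iface))]
    return natrules, ipfrules


def pfctl_commands(name, path):
    """pfctl(8) commands to refresh one persist table in place, without
    reloading the whole ruleset, and then verify the result."""
    return [
        "pfctl -t %s -T replace -f %s" % (name, path),
        "pfctl -t %s -T show | wc -l" % name,
        "pfctl -vvsT",
    ]


if __name__ == "__main__":
    tables = {"china": "/etc/zones/cn", "bad": "/etc/zones/bad"}
    for name, problems in check_files(tables, lambda p: SAMPLE_FILES.get(p, "")).items():
        for lineno, entry, reason in problems:
            print("table %s, line %d: %r rejected (%s)" % (name, lineno, entry, reason))
    nat, ipf = render_filter_inc({"china": "/etc/zones/cn"}, iface="em0")
    print("\n".join(nat + ipf))
    print("\n".join(pfctl_commands("china", "/etc/zones/cn")))
```

Run as-is it rejects lines 2 and 3 of the bad sample file and prints the generated PHP lines; on a box with real zone files, call `check_files(tables)` without a reader so it reads from disk. Tables created with `persist` can then be refreshed by the `pfctl -T replace` command it prints, which is exactly what a `const` table refuses.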
                      jigpe

                      It's nice to know these things, but how do I know if somebody is trying to access my box?

                      jigp
                      1.2.2

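The counters pf keeps per table are what let frosty conclude his production box was "getting hits": the `In/Block` packet counts in the `pfctl -vvsT` listing above. The following is an added example, not code from the thread, that parses that output format and reports the tables that have blocked inbound traffic since their counters were last cleared, flagging tables loaded with `const` (first flag column `c`) that cannot be refreshed in place. `SAMPLE_OUTPUT` is constructed in the same layout as frosty's second listing, using its figures; on a live box you would feed in the real `pfctl -vvsT` output as the comment in the `__main__` block shows.

```python
"""Added example, not code from the thread: parse `pfctl -vvsT` output and
report which tables have blocked traffic.  SAMPLE_OUTPUT is constructed in
the format of the listing in the thread, with its figures."""
import re

SAMPLE_OUTPUT = """\
-pa-r- bogons
Addresses:   38
Cleared:     Thu May  7 16:15:31 2009
References:  [ Anchors: 0                  Rules: 1                  ]
Evaluations: [ NoMatch: 814                Match: 0                  ]
In/Block:    [ Packets: 0                  Bytes: 0                  ]
In/Pass:     [ Packets: 0                  Bytes: 0                  ]
Out/Block:   [ Packets: 0                  Bytes: 0                  ]
c-a-r- china
Addresses:   1572
Cleared:     Thu May  7 16:15:31 2009
References:  [ Anchors: 0                  Rules: 1                  ]
Evaluations: [ NoMatch: 1546               Match: 8                  ]
In/Block:    [ Packets: 8                  Bytes: 320                ]
In/Pass:     [ Packets: 0                  Bytes: 0                  ]
Out/Block:   [ Packets: 0                  Bytes: 0                  ]
c-a-r- japan
Addresses:   2075
Cleared:     Thu May  7 16:15:31 2009
References:  [ Anchors: 0                  Rules: 1                  ]
Evaluations: [ NoMatch: 1544               Match: 2                  ]
In/Block:    [ Packets: 2                  Bytes: 122                ]
In/Pass:     [ Packets: 0                  Bytes: 0                  ]
Out/Block:   [ Packets: 0                  Bytes: 0                  ]
c-a-r- korea
Addresses:   704
Cleared:     Thu May  7 16:15:31 2009
References:  [ Anchors: 0                  Rules: 1                  ]
Evaluations: [ NoMatch: 1544               Match: 0                  ]
In/Block:    [ Packets: 0                  Bytes: 0                  ]
In/Pass:     [ Packets: 0                  Bytes: 0                  ]
Out/Block:   [ Packets: 0                  Bytes: 0                  ]
"""

# "c-a-r- china": a flag column (letters and dashes) followed by the table name.
HEADER_RE = re.compile(r"^([-a-zA-Z]+)\s+([^\s:]+)$")
# "In/Block:    [ Packets: 8   Bytes: 320 ]" and the References/Evaluations lines.
PAIR_RE = re.compile(r"^([\w/]+):\s+\[\s*(\w+):\s*(\d+)\s+(\w+):\s*(\d+)\s*\]$")
SCALAR_RE = re.compile(r"^(Addresses|Cleared):\s+(.*)$")


def parse_pfctl_tables(text):
    """{name: {"flags", "addresses", "cleared", "counters": {key: {...}}}}"""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"flags": m.group(1), "counters": {}}
            tables[m.group(2)] = current
            continue
        if current is None:
            continue
        m = PAIR_RE.match(line)
        if m:
            current["counters"][m.group(1)] = {m.group(2): int(m.group(3)),
                                               m.group(4): int(m.group(5))}
            continue
        m = SCALAR_RE.match(line)
        if m:
            if m.group(1) == "Addresses":
                current["addresses"] = int(m.group(2))
            else:
                current["cleared"] = m.group(2)
    return tables


def is_const(table):
    """First flag column is 'c' for a const table, which pfctl -T add/replace
    cannot modify; second column is 'p' for persist."""
    return table["flags"][0] == "c"


def tables_with_hits(tables, direction="In"):
    """[(name, packets, bytes)] for tables whose block counter in the given
    direction is non-zero, busiest first.  Counts are since 'Cleared'."""
    key = direction + "/Block"
    hits = []
    for name, table in tables.items():
        c = table["counters"].get(key)
        if c and c.get("Packets"):
            hits.append((name, c["Packets"], c["Bytes"]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def report(text):
    """One line per table that has blocked inbound packets."""
    tables = parse_pfctl_tables(text)
    lines = []
    for name, packets, nbytes in tables_with_hits(tables):
        note = " (const: cannot be refreshed in place)" if is_const(tables[name]) else ""
        lines.append("%-10s %6d packets %8d bytes blocked inbound%s" % (name, packets, nbytes, note))
    return lines


if __name__ == "__main__":
    # Live box: report(subprocess.check_output(["pfctl", "-vvsT"], text=True))
    print("\n".join(report(SAMPLE_OUTPUT)) or "no blocked packets counted")
```

The counters only say that a packet from a listed network was dropped by the rule referencing the table; the `log` keyword on the block rules is what gets the individual source addresses into the firewall log, so keep it if you want to see who is knocking rather than just how often.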
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.