can't submit a post flagged for spam



  • So why not just tell us a reason, what is the bad syntax, what the $$##@!))#! do you not like???? and not make all of us play this stupid game. Isn't this supposed to be a forum for help, not hurdles?


  • Netgate Administrator

    What does it show you?
    Can you link to what you are trying to post somewhere else so we can see it?
    Your forum should mean you are not subjected to the usual filtering there. Unless that has just been added to you after you posted this.

    Steve



  • Thanks Steve, sorry for the rant. I found a kind person offering help and the forum failed me. Just frustrated. Here's the text:

    http://hippiepete.org/netgate.forum.fail.txt


  • Netgate Administrator

    Hmm, nothing that dramatic there. I thought you might have tables full of fqdns.
    You mind if I post it as a test?

    Steve



  • @stephenw10 I don't mind at all, thanks!


  • Netgate Administrator

    Test post with code.....

    
    12:43:04.671567 IP 192.168.42.89.43495 > 192.168.42.1.53: 39201+ A? bbvds.dtvbb.tv. (32)
    12:43:04.855491 IP 192.168.42.1.53 > 192.168.42.89.43495: 39201 1/0/0 A 99.193.64.55 (48)
    12:43:04.862036 IP 192.168.42.89.41744 > 99.193.64.55.80: Flags [S], seq 2301156042, win 14600, options [mss 1460,sackOK,TS val 1066875374 ecr 0,nop,wscale 7], length 0
    12:43:04.862116 IP 99.193.64.55.80 > 192.168.42.89.41744: Flags [S.], seq 1004570305, ack 2301156043, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 324544899 ecr 1066875374], length 0
    12:43:04.867743 IP 192.168.42.89.41744 > 99.193.64.55.80: Flags [.], ack 1, win 115, options [nop,nop,TS val 1066875378 ecr 324544899], length 0
    12:43:04.882898 IP 192.168.42.89.47655 > 239.255.255.252.47655: UDP, length 118
    12:43:04.884147 IP 192.168.42.89.47655 > 239.255.255.252.47655: UDP, length 359
    12:43:04.963282 IP 192.168.42.89.41744 > 99.193.64.55.80: Flags [P.], seq 1:100, ack 1, win 115, options [nop,nop,TS val 1066875475 ecr 324544899], length 99: HTTP: GET /download/connectivity.ats HTTP/1.0
    12:43:04.963344 IP 99.193.64.55.80 > 192.168.42.89.41744: Flags [.], ack 100, win 512, options [nop,nop,TS val 324545000 ecr 1066875475], length 0
    12:43:04.973397 IP 99.193.64.55.80 > 192.168.42.89.41744: Flags [P.], seq 1:372, ack 100, win 513, options [nop,nop,TS val 324545011 ecr 1066875475], length 371: HTTP: HTTP/1.1 302 Found
    12:43:04.973590 IP 99.193.64.55.80 > 192.168.42.89.41744: Flags [F.], seq 372, ack 100, win 513, options [nop,nop,TS val 324545011 ecr 1066875475], length 0
    12:43:04.975470 IP 192.168.42.89.41744 > 99.193.64.55.80: Flags [.], ack 372, win 123, options [nop,nop,TS val 1066875490 ecr 324545011], length 0
    12:43:04.977147 IP 192.168.42.89.41744 > 99.193.64.55.80: Flags [F.], seq 100, ack 373, win 123, options [nop,nop,TS val 1066875491 ecr 324545011], length 0
    12:43:04.977219 IP 99.193.64.55.80 > 192.168.42.89.41744: Flags [.], ack 101, win 513, options [nop,nop,TS val 324545014 ecr 1066875491], length 0
    12:43:04.995384 IP 192.168.42.89 > 99.193.244.254: ICMP echo request, id 15490, seq 0, length 64
    

    And I wasn't sure how to restrict to a specific interface (-i didn't seem to make a difference), so here's my full ruleset:

    pfctl -sr
    scrub on igb0 all fragment reassemble
    scrub on igb1 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    block drop in quick inet6 all label "Block all IPv6"
    block drop out quick inet6 all label "Block all IPv6"
    block drop in quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in inet all label "Default deny rule IPv4"
    block drop out inet all label "Default deny rule IPv4"
    block drop in inet6 all label "Default deny rule IPv6"
    block drop out inet6 all label "Default deny rule IPv6"
    block drop quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in quick proto tcp from <sshguard> to (self) port = ssh label "sshguard"
    block drop in quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    pass in quick on igb1 inet proto tcp from any to 192.168.42.1 port = 8003 flags S/SA keep state (sloppy)
    pass in quick on igb1 inet proto tcp from any to 192.168.42.1 port = 8002 flags S/SA keep state (sloppy)
    pass out quick on igb1 proto tcp all flags any keep state (sloppy)
    pass in quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
    pass out quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
    block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
    block drop in on ! igb0 inet from 192.168.1.0/24 to any
    block drop in inet from 192.168.1.2 to any
    block drop in on igb0 inet6 from fe80::208:a2ff:fe0b:a81e to any
    block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    block drop in on ! igb1 inet from 192.168.42.0/24 to any
    block drop in inet from 192.168.42.1 to any
    block drop in on igb1 inet6 from fe80::1:1 to any
    pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on igb1 inet proto udp from any port = bootpc to 192.168.42.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on igb1 inet proto udp from 192.168.42.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out route-to (igb0 192.168.1.1) inet from 192.168.1.2 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on igb1 proto tcp from any to (igb1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on igb1 proto tcp from any to (igb1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on igb1 proto tcp from any to (igb1) port = ssh flags S/SA keep state label "anti-lockout rule"
    pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
    anchor "userrules/*" all
    pass out quick on igb0 inet proto tcp from 192.168.42.106 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass out quick on igb0 inet proto udp from 192.168.42.106 to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass out quick on igb0 route-to (igb0 192.168.1.1) inet proto tcp from 192.168.42.106 to any flags S/SA keep state label "USER_RULE: Bypass QOS limiters for voipey"
    pass out quick on igb0 route-to (igb0 192.168.1.1) inet proto udp from 192.168.42.106 to any keep state label "USER_RULE: Bypass QOS limiters for voipey"
    pass out quick on igb0 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination" dnqueue(2, 1)
    pass out quick on igb0 inet proto udp from any to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy routing for destination" dnqueue(2, 1)
    pass out quick on igb0 route-to (igb0 192.168.1.1) inet proto tcp all flags S/SA keep state label "USER_RULE: QOS limiters for ISP link" dnqueue(2, 1)
    pass out quick on igb0 route-to (igb0 192.168.1.1) inet proto udp all keep state label "USER_RULE: QOS limiters for ISP link" dnqueue(2, 1)
    pass in log quick on igb1 inet proto tcp from 192.168.42.90 to 23.111.187.139 flags S/SA keep state label "USER_RULE: allow the G4 to voip.ms"
    pass in log quick on igb1 inet proto udp from 192.168.42.90 to 23.111.187.139 keep state label "USER_RULE: allow the G4 to voip.ms"
    pass in log quick on igb1 inet proto tcp from 192.168.42.92 to 23.111.187.139 flags S/SA keep state label "USER_RULE: allow tabby to voip.ms"
    pass in log quick on igb1 inet proto udp from 192.168.42.92 to 23.111.187.139 keep state label "USER_RULE: allow tabby to voip.ms"
    pass in quick on igb1 inet proto tcp from 192.168.42.99 to any port = domain flags S/SA keep state label "USER_RULE: DNS allow minipenguin to query external dns"
    pass in quick on igb1 inet proto udp from 192.168.42.99 to any port = domain keep state label "USER_RULE: DNS allow minipenguin to query external dns"
    pass in quick on igb1 inet proto tcp from any to 192.168.42.1 port = domain flags S/SA keep state label "USER_RULE: DNS allow dns to underdog"
    pass in quick on igb1 inet proto udp from any to 192.168.42.1 port = domain keep state label "USER_RULE: DNS allow dns to underdog"
    block drop in log quick on igb1 inet proto tcp from any to any port = domain label "USER_RULE: DNS block dns from LAN to everything else"
    block drop in log quick on igb1 inet proto udp from any to any port = domain label "USER_RULE: DNS block dns from LAN to everything else"
    block drop in quick on igb1 inet from <LAN_blocklist> to any label "USER_RULE: Block the LAN_blocklist from connecting out"
    pass in quick on igb1 inet from 192.168.42.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    anchor "tftp-proxy/*" all
    
    and NAT:
    pfctl -sn
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on igb0 inet from 192.168.42.96 to any -> 192.168.1.2 static-port
    nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.1.2 static-port
    nat on openvpn inet from 127.0.0.0/8 to any port = isakmp -> (openvpn) round-robin static-port
    nat on igb0 inet from 127.0.0.0/8 to any -> 192.168.1.2 port 1024:65535
    nat on openvpn inet from 127.0.0.0/8 to any -> (openvpn) port 1024:65535 round-robin
    nat on igb0 inet from 192.168.42.0/24 to any port = isakmp -> 192.168.1.2 static-port
    nat on openvpn inet from 192.168.42.0/24 to any port = isakmp -> (openvpn) round-robin static-port
    nat on igb0 inet from 192.168.42.0/24 to any -> 192.168.1.2 port 1024:65535
    nat on openvpn inet from 192.168.42.0/24 to any -> (openvpn) port 1024:65535 round-robin
    nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.1.2 static-port
    nat on igb0 inet from 192.168.1.1 to any port = isakmp -> 192.168.1.2 static-port
    nat on igb0 inet from 192.168.42.0/24 to any port = isakmp -> 192.168.1.2 static-port
    nat on igb0 inet6 from ::1 to any port = isakmp -> (igb0) round-robin static-port
    nat on igb0 inet from 127.0.0.0/8 to any -> 192.168.1.2 port 1024:65535
    nat on igb0 inet from 192.168.1.1 to any -> 192.168.1.2 port 1024:65535
    nat on igb0 inet from 192.168.42.0/24 to any -> 192.168.1.2 port 1024:65535
    nat on igb0 inet6 from ::1 to any -> (igb0) port 1024:65535 round-robin
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "miniupnpd" all
    

  • Netgate Administrator

    Hmm, seemed happy now. Are you still unable to post it?



  • @stephenw10 Nope. Just tried and got the spam warning. I'll just use a gist/etherpad/whatever. It's gonna be way easier I'm sure. :)

    Much appreciate the help!!


  • LAYER 8 Moderator

As annoying as it is that the plugin reacts that way, thanks and kudos for your reaction @h1pp13p373, coming from ranting (we all do that from time to time ;)) to trying to work and test it out! Hopefully there'll be some possibility to whitelist things in the future. 👍

