Netgate Discussion Forum

    Sshlockout & webConfiguratorlockout rules

    Firewalling
    4 Posts 3 Posters 1.8k Views
    • fsansfil

      Hello,

      I would like to change those rules from rules.debug

      block in log quick proto tcp from <sshlockout> to (self) port 22 tracker 1000000301 label "sshlockout"
      block in log quick proto tcp from <webconfiguratorlockout> to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"

      into…

      block in log quick proto tcp from <sshlockout> to any tracker 1000000301 label "sshlockout"
      block in log quick proto tcp from <webconfiguratorlockout> to any tracker 1000000351 label "webConfiguratorlockout"

      My understanding is... anyone brute-forcing should be blocked from any connection once they are in the table...

      Thanks.

      F.

      • phil.davis

        That would mean that someone who tried to ssh (unsuccessfully) from LAN to your pfSense box 15 times would get their whole internet blocked for an hour. I guess that inflicts an automatic punishment on those local clients trying to mess with the router!

        table <sshlockout> persist
        table <webconfiguratorlockout> persist

        At the moment those tables are not exposed as aliases on the Firewall Rules GUI. Perhaps it would be useful if they were? Then you could add your own extra block rules to be more nasty to offenders.

        If you think it is worthwhile, then add a feature request to RedMine. And then write the code :)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

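The three rule shapes at issue in this thread, written out side by side as pf ruleset fragments so it is visible which packets each one matches. This is an added comparison, not rules from the thread or from the rules.debug pfSense generates; the interface names em0 (WAN) and em1 (LAN) are assumptions for the example, and the three variants are shown together for reading only, so load at most one of them.

```pf
# Both tables are declared "persist" so they survive a ruleset reload even
# while empty; pfSense's own lockout logic adds and expires the entries.
table <sshlockout> persist
table <webconfiguratorlockout> persist

# Assumed interface names for this example (check yours with `pfctl -s rules`):
#   em0 = WAN, em1 = LAN

# Variant 1, as shipped: only packets aimed at the firewall's own SSH and
# webConfigurator listeners are dropped. A locked-out LAN host keeps full
# Internet access through the firewall.
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
block in log quick proto tcp from <webconfiguratorlockout> to (self) port 443 label "webConfiguratorlockout"

# Variant 2, the change asked for in this thread: every inbound TCP packet
# from a listed source is dropped, on every interface, whatever its
# destination. On LAN this is the side effect phil.davis describes: the
# offending client loses all TCP traffic through the firewall, not just
# access to the router.
block in log quick proto tcp from <sshlockout> to any label "sshlockout"
block in log quick proto tcp from <webconfiguratorlockout> to any label "webConfiguratorlockout"

# Variant 3, a middle ground: the wide block only for sources arriving on WAN
# (where a listed address is a remote attacker, and "to any" also covers
# anything forwarded inward), while LAN keeps the narrow as-shipped rule.
block in log quick on em0 proto tcp from <sshlockout> to any label "sshlockout"
block in log quick on em0 proto tcp from <webconfiguratorlockout> to any label "webConfiguratorlockout"
block in log quick on em1 proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
block in log quick on em1 proto tcp from <webconfiguratorlockout> to (self) port 443 label "webConfiguratorlockout"
```

Two checks worth knowing while experimenting: `pfctl -nf <file>` parses a ruleset without loading it, and `pfctl -t sshlockout -T show` lists who is currently locked out (`pfctl -t sshlockout -T delete <address>` releases one entry early). Note that `quick` makes these rules final for a matching packet, so their position near the top of the ruleset is what gives them precedence over later pass rules.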
          • BBcan177 (Moderator)

          @fsansfil:

          I would like to change those rules from rules.debug

          Hi fsansfil,

          You can modify the file    /etc/inc/filter.inc    and change it to meet your needs, but it will get overwritten on any firmware update. You could also create a diff file and create a "System Patch".


           // Excerpt from /etc/inc/filter.inc (lines 2585-2609 in the version quoted here).
           // Both lockout rules are built with "to (self)" and the configured listener port;
           // changing that destination to "to any" is the edit discussed in this thread.
           $ipfrules .= "\n# SSH lockout\n";
           if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
                   $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
                   $ipfrules .= $config['system']['ssh']['port'];
                   $ipfrules .= " label \"sshlockout\"\n";
           } else {
                   if($config['system']['ssh']['port'] <> "")
                           $sshport = $config['system']['ssh']['port'];
                   else
                           $sshport = 22;
                   if($sshport)
                           $ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
           }

           $ipfrules .= "\n# webConfigurator lockout\n";
           if(!$config['system']['webgui']['port']) {
                   if($config['system']['webgui']['protocol'] == "http")
                           $webConfiguratorlockoutport = "80";
                   else
                           $webConfiguratorlockoutport = "443";
           } else {
                   $webConfiguratorlockoutport = $config['system']['webgui']['port'];
           }
           if($webConfiguratorlockoutport)
                   $ipfrules .= "block in log quick proto tcp from <webconfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";


          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

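For the "diff file" route BBcan177 mentions, here is what such a patch looks like. This is an added example, not code from the thread or from pfSense: it is written against the filter.inc excerpt quoted above, so the hunk header's line numbers (2585 onward) and the tab indentation are assumptions that will differ on other pfSense versions, and it produces exactly the two "to any" rules the original poster wrote, including the LAN side effect phil.davis describes.

```diff
--- /etc/inc/filter.inc.orig
+++ /etc/inc/filter.inc
@@ -2585,25 +2585,23 @@
 	$ipfrules .= "\n# SSH lockout\n";
 	if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
-		$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
-		$ipfrules .= $config['system']['ssh']['port'];
-		$ipfrules .= " label \"sshlockout\"\n";
+		$ipfrules .= "block in log quick proto tcp from <sshlockout> to any label \"sshlockout\"\n";
 	} else {
 		if($config['system']['ssh']['port'] <> "")
 			$sshport = $config['system']['ssh']['port'];
 		else
 			$sshport = 22;
 		if($sshport)
-			$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
+			$ipfrules .= "block in log quick proto tcp from <sshlockout> to any label \"sshlockout\"\n";
 	}
 
 	$ipfrules .= "\n# webConfigurator lockout\n";
 	if(!$config['system']['webgui']['port']) {
 		if($config['system']['webgui']['protocol'] == "http")
 			$webConfiguratorlockoutport = "80";
 		else
 			$webConfiguratorlockoutport = "443";
 	} else {
 		$webConfiguratorlockoutport = $config['system']['webgui']['port'];
 	}
 	if($webConfiguratorlockoutport)
-		$ipfrules .= "block in log quick proto tcp from <webconfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";
+		$ipfrules .= "block in log quick proto tcp from <webconfiguratorlockout> to any label \"webConfiguratorlockout\"\n";
```

Because `patch` needs the context lines to match byte for byte, the safe way to produce the final file is to copy filter.inc, edit the copy, and run `diff -u filter.inc.orig filter.inc` on the box rather than typing the hunk by hand. The port lookups in the else branches become dead code after this change; they are left in place to keep the patch small. After applying it, reload the filter and confirm the result in /tmp/rules.debug, since that file is regenerated from filter.inc on every filter reload and hand edits to it do not survive.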
            • fsansfil

            Thanks BB, very useful!

            Cheers.

            F.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.