Pf filtering with tables

S3TH76 · 03-09-2016, 03:41 AM

Hi!

Can anyone help me with correct syntax on filtering rules with PF (on FreeBSD) and with tables?

The rules that I want to make it work are for blocking blocks of IP's by country (from IPDeny).

here it is:

table <blck_zone-br_1> persist file "/path/to/file - br.zone"
table <blck_zone-br_2> persist file "/path/to/file - br-aggregated.zone"

There are 2 file used to block brazilians IP's: br.zone & br-aggregated.zone
Below is the syntax that is working for blocking brazilians IP's and offcourse it is too lenghty for blocking tcp, udp, icmp, icmp6 protocols that came inbound from blocked zone.
...
block in quick on IF_NET0 proto tcp from <blck_zone-br_1> to any
block in quick on IF_NET0 proto udp from <blck_zone-br_1> to any
block in quick on IF_NET0 proto icmp from <blck_zone-br_1> to any
block in quick on IF_NET0 proto icmp6 from <blck_zone-br_1> to any

block in quick on IF_NET0 proto tcp from <blck_zone-br_2> to any
block in quick on IF_NET0 proto udp from <blck_zone-br_2> to any
block in quick on IF_NET0 proto icmp from <blck_zone-br_2> to any
block in quick on IF_NET0 proto icmp6 from <blck_zone-br_2> to any
###
Ok, I tried something like:

block in quick on IF_NET0 all from <blck_zone-br_1> to any
block in quick on IF_NET0 all from <blck_zone-br_2> to any

...but pf says: syntax error and I don't know where or what I am doing wrong...

Please help me.

Ser Olmy · 03-09-2016, 10:00 AM

The protocol match is optional. Have you tried just leaving it out altogether? (block in quick on IF_NET0 from <blck_zone-br-1> to any).

S3TH76 · 03-10-2016, 01:10 AM

No. So, if understand correctly with your rule: block in quick on IF_NET0 from <blck_zone-br-1> to any automatically are blocked any connections from any protocols disregarding if it is tcp, udp, icmp, icmp6, ipv4, ipv6, bgp, etc?

I found an detailed example of rules of PF from wich I extrapolate my rule that now look like this:

block in quick on IF_NET0 proto {tcp, udp, icmp, icmp6} from <blck_zone-br-1> to any

but you are right your rule is much shorter, simple and elegant. I just want to be sure that is blocking ALL PROTOCOLS from any connection attempt from that zone because I will expand this rule at blocking russians, chinese, etc.

So a lighter ruleset for matching in PF filtering but with the same efect or more powerfull efect is better for my server.

Thank you.