# Whitelisting?



## iMer (Feb 19, 2011)

I use Pf to avoid DDOS attack
The problem is that the homepage (online check) gets blocked 
So i tried to pass the homepage, but that does not work
pf.conf:

```
# my external card and internal card, as macros
ext_if="re0"
int_if="lo0"
icmp_types="echoreq"

# Ports
tcp_ports = "{ 9000, 9200, 9300, 9400, 2002, 18099, 29911, 29910}"
udp_ports = "{ 9000, 9200, 9300, 9400, 2002}"
homepage = "{192.168.0.102}"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# filter rules - catch-all block
block in

# let's kill the bad guys
table <abusive_hosts> persist
block quick from <abusive_hosts>

# let through all verified traffic
pass out keep state

# ssh blockage rule
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
# allow homepage tcp access to everything

pass in on $ext_if proto tcp to $homepage 

# allow ports
pass in on $ext_if proto tcp to ($ext_if) port $tcp_ports flags S/SA keep state \
        (max-src-conn 25, max-src-conn-rate 6/2, overload <abusive_hosts> flush global)
pass in on $ext_if proto udp to ($ext_if) port $udp_ports

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if
```

How do i pass the homepage right/avoid the homepage getting blocked?


----------



## graudeejs (Feb 19, 2011)

```
pass in on $ext_if proto tcp [red]to[/red] $homepage
```
Should that be [red]*from*[/red]?


----------



## iMer (Feb 19, 2011)

If i change it to "from" everything gets blocked
(the support is nearly freaking out -_-)


----------



## graudeejs (Feb 20, 2011)

And what about [red]keep state[/red] 

And what do you mean about support freaking out? It's volunteer based community. No one pays us, and we have or own problems, so don't expect answers in 5 minutes. 

Also you didn't explain how your homepage checks work  So I'm guessing blindly


----------



## iMer (Feb 20, 2011)

killasmurf86 said:
			
		

> And what about [red]keep state[/red]
> 
> And what do you mean about support freaking out? It's volunteer based community. No one pays us, and we have or own problems, so don't expect answers in 5 minutes.
> 
> Also you didn't explain how your homepage checks work  So I'm guessing blindly


What do you mean with "keep state"?
I don't know pf much

I ment with "the support is nearly freaking out" that the support of my hoster is pissed because they have to turn the firewall off so often
& i never expected answers in 5 minutes 
The homepage opens the port and if there is no timeout it is online


----------



## vand777 (Feb 20, 2011)

iMer said:
			
		

> What do you mean with "keep state"?



Taken from http://www.openbsd.org/faq/pf/filter.html:

One of Packet Filter's important abilities is "keeping state" or "stateful inspection". Stateful inspection refers to PF's ability to track the state, or progress, of a network connection. By storing information about each connection in a state table, PF is able to quickly determine if a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ruleset evaluation.

Keeping state has many advantages including simpler rulesets and better packet filtering performance. PF is able to match packets moving in either direction to state table entries meaning that filter rules which pass returning traffic don't need to be written. And, since packets matching stateful connections don't go through ruleset evaluation, the time PF spends processing those packets can be greatly lessened.

When a rule creates state, the first packet matching the rule creates a "state" between the sender and receiver. Now, not only do packets going from the sender to receiver match the state entry and bypass ruleset evaluation, but so do the reply packets from receiver to sender.

All pass rules automatically create a state entry when a packet matches the rule. This can be explicitly disabled by using the no state option.


```
pass out on fxp0 proto tcp from any to any
```

This rule allows any outbound TCP traffic on the fxp0 interface and also permits the reply traffic to pass back through the firewall. Keeping state significantly improves the performance of your firewall as state lookups are dramatically faster than running a packet through the filter rules.

The modulate state option works just like keep state except that it only applies to TCP packets. With modulate state, the Initial Sequence Number (ISN) of outgoing connections is randomized. This is useful for protecting connections initiated by certain operating systems that do a poor job of choosing ISNs. To allow simpler rulesets, the modulate state option can be used in rules that specify protocols other than TCP; in those cases, it is treated as keep state.

Keep state on outgoing TCP, UDP, and ICMP packets and modulate TCP ISNs:


```
pass out on fxp0 proto { tcp, udp, icmp } from any to any modulate state
```

Another advantage of keeping state is that corresponding ICMP traffic will be passed through the firewall. For example, if a TCP connection passing through the firewall is being tracked statefully and an ICMP source-quench message referring to this TCP connection arrives, it will be matched to the appropriate state entry and passed through the firewall.

The scope of a state entry is controlled globally by the state-policy runtime option and on a per rule basis by the if-bound and floating state option keywords. These per rule keywords have the same meaning as when used with the state-policy option. Example:


```
pass out on fxp0 proto { tcp, udp, icmp } from any to any modulate state (if-bound)
```

This rule would dictate that in order for packets to match the state entry, they must be transiting the fxp0 interface.​


----------



## vand777 (Feb 20, 2011)

iMer said:
			
		

> I don't know pf much


http://www.openbsd.org/faq/pf/index.html (the only problem is that this FAQ describes a newer version of PF than that used by FreeBSD but most of things are the same)

"The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall 2nd Edition"

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html


----------



## iMer (Feb 20, 2011)

Solved:

```
table <goodguys> { 212.47.212.190 }
pass in quick from <goodguys> to any keep state
```
Thanks to all who helped me


----------

