# [Help 7.2] Firewall to block all non-German IP's



## IgorGlock (Feb 19, 2010)

Hello everyone!

I'm from Germany and I have some problems with "denial of service" against my SSH and many other TCP/UDP ports from other countries.

Who knows a firewall to block them?


----------



## Ruler2112 (Feb 19, 2010)

There was a discussion on this not too long ago.  There's a site that keeps lists of IP address ranges assigned to different countries - you basically just create a table and block the addresses in it with pf.


----------



## IgorGlock (Feb 19, 2010)

Yeah...

But I'm 16 years old and I need help with this...
Site for IP ranges: http://services.ce3c.be/ciprg/
Can you make a manual or give a site?

Sorry, my English is very bad.


----------



## Ruler2112 (Feb 19, 2010)

This post should help you out.  The pf rules you want are in the first post.  I also wrote a script that will keep the text file listing the IPs updated with whatever one you want on the internet.


----------



## IgorGlock (Feb 19, 2010)

Hmm... that's not bad, but it's not for me.

How can I block all non-German IPs... not how can I block bad IPs.

If a person from China wants to join my TeamSpeak server or my game server, he must get blocked. (very bad English)


----------



## vivek (Feb 20, 2010)

You need to block all and then only allow German IPs. Share your existing pf.conf.


----------



## IgorGlock (Feb 20, 2010)

My existing pf.conf:

```
*beep*
```

^ clean


----------



## tkjacobsen (Feb 20, 2010)

The "TABLES" section in the pf.conf(5) man page explains how files can be used to list IP addresses.

Here's my own pf.conf modified for your needs:

```
tcp_services = "{ ssh }"
# table loaded from a file with one address or CIDR block per line
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

# default deny; the pass rules below are the only exceptions
block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out
```

It basically blocks all incoming traffic except ssh from German IP addresses listed in /etc/german. All outgoing traffic is also accepted.


----------



## IgorGlock (Feb 20, 2010)

Thank you very, very much!

And how can I block all services? Not only SSH?

```
tcp_services = "{ ssh }"
```
?


----------



## IgorGlock (Feb 20, 2010)

EDIT: And how can I block all services? Not only SSH?


----------



## DutchDaemon (Feb 20, 2010)

Read that ruleset again. *Everything* is blocked, except ssh access from Germany.


----------



## IgorGlock (Feb 20, 2010)

Hmm... and how can I allow port 1337 for a TeamSpeak server or a GTA MTA server (game server)?


----------



## DutchDaemon (Feb 20, 2010)

Add it to the tcp_services macro (if it's tcp, else create a udp_services macro and make a new rule) and reload the ruleset.

Don't ask how, it's all in the pf.conf(5) manual, and in the FAQ. Do your homework (that's what 16-year-olds are supposed to do ..).


----------



## IgorGlock (Feb 20, 2010)

Is that right?
I want to open, for German IPs only, the ports 27015 (Counter-Strike) + 1337 (TeamSpeak) + 22 (SSH).

rc.conf


```
pf_enable="YES"
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"
```

pf1.conf:

```
tcp_services = "{ ssh }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out
```

pf2.conf:

```
tcp_services = "{ 1337, 27015 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out
```

But my "/etc/german" file doesn't exist?! Can someone give me an example?
Can I generate it with http://services.ce3c.be/ciprg/ ?


----------



## DutchDaemon (Feb 20, 2010)

Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it. 

You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like *1.2.3.4* or *1.2.3.4/24*. Ranges (*1.2.3.4-1.2.3.5*) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.

BTW, you can't do this:


```
pf_rules="/path/to/pf1.conf"
pf_rules="/path/to/pf2.conf"
```

There can only be one of everything, or the second one will overrule the first one. In this case, only pf2.conf will be loaded, not pf1.conf.


----------



## IgorGlock (Feb 20, 2010)

Hmm... and can you give me an example of the "format"?
_Sorry if you can't understand "format"._

Is that right?
http://services.ce3c.be/ciprg/?countrys=GERMANY%2C&format=by+input&format2={startip}%0D%0A{endip}%0D%0A


----------



## DutchDaemon (Feb 20, 2010)

No, that won't work. Format examples were given above. It's either one IP address per line (not workable with millions of IP addresses), or one cidr range per line (like 53.0.0.0/8, which is the first entry of that list, i.e. 53.0.0.0-53.255.255.255).


----------



## DutchDaemon (Feb 20, 2010)

A bit of Googling turned this up:
http://www.countryipblocks.net/tag/cidr/

Choosing Germany and CIDR will give you a list you can put in a pf table without problems. I cannot vouch for the accuracy of this data.


----------



## IgorGlock (Feb 20, 2010)

Hmm... my IP is 84.163.*.*,
but it isn't there...

Thank you


----------



## DutchDaemon (Feb 20, 2010)

Ah, cidr is a new concept to you:

84.128.0.0/10 = 84.128.0.0 - 84.191.255.255

net-mgmt/cidr might help.


----------
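Converting the range export into a CIDR table, as an added example that is not part of the thread and not any poster's code: DutchDaemon says above that the ce3c.be `{startip}`/`{endip}` export cannot go into a pf table directly and that the ranges have to become CIDR blocks, and later that 84.163.x.x is covered by 84.128.0.0/10. The script below does both with Python's standard `ipaddress` module: it splits an inclusive start/end range into the minimal set of CIDR blocks, flags the lines pf would reject, and checks whether a given address is covered by a table. The alternating start/end line layout and the addresses in the sample are constructed for the example, not real registry data.

```python
"""Turn start/end IP ranges into pf table entries and check membership.

Added example for the thread, not code from any forum post.  The sample
export below is constructed; it only mimics the "{startip}\n{endip}\n"
layout of the ce3c.be URL quoted in the thread.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample: two ranges, each as a start line followed by an end line.
SAMPLE_RANGE_EXPORT = """\
84.128.0.0
84.191.255.255
88.198.0.0
88.198.255.255
"""


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Split one inclusive IPv4 range into the minimal list of CIDR blocks.

    84.128.0.0-84.191.255.255 collapses to a single 84.128.0.0/10; a range
    that is not aligned to a power of two (10.0.0.1-10.0.0.6) needs several.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def convert_range_export(text: str) -> List[str]:
    """Parse alternating start/end lines and emit pf table lines, one CIDR each."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: every start needs an end")
    cidrs: List[str] = []
    for i in range(0, len(lines), 2):
        cidrs.extend(range_to_cidrs(lines[i], lines[i + 1]))
    return cidrs


def validate_table_file(lines: Iterable[str]) -> List[str]:
    """Return the lines pf would reject: anything that is not an address or CIDR.

    Comments after '#' and blank lines are ignored, as pfctl does.  A line
    like '1.2.3.4-1.2.3.5' is reported because pf tables take no ranges.
    """
    bad: List[str] = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(line)
    return bad


def table_contains(cidrs: Iterable[str], ip: str) -> bool:
    """Answer "my IP is 84.163.x.x but it isn't in the list": is it covered?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


if __name__ == "__main__":
    table = convert_range_export(SAMPLE_RANGE_EXPORT)
    print("\n".join(table))                    # the lines to write to /etc/german
    print(validate_table_file(["53.0.0.0/8", "1.2.3.4-1.2.3.5"]))
    print(table_contains(table, "84.163.1.1"))  # covered by 84.128.0.0/10
```

Write the converted lines to /etc/german and load them with `pfctl -t german -T replace -f /etc/german` instead of rebooting; `pfctl -t german -T test 84.163.1.1` performs the same membership check against the live table.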



## IgorGlock (Feb 20, 2010)

Hmm... it doesn't work.
My IP is: 88.198.*.*

I have blocked this range: 88.198.0.0/16, and after one reboot I can use SSH.


----------



## DutchDaemon (Feb 20, 2010)

How are you blocking it? And why? You wanted German IPs to have access, right? That table <german> was used to allow access ('pass'), not block it. What does your ruleset look like? What does `pfctl -sr` look like? And why reboot when you can simply reload the ruleset?


----------



## IgorGlock (Feb 20, 2010)

I want to test it with my other PC, which has a different IP.

```
pfctl -sr :
No ALTQ support in kernel
ALTQ related functions disabled
```

and

```
pfctl -F all -f /etc/pf2.conf :

No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded
```

hehe: http://forums.freebsd.org/showpost.php?p=68957&postcount=2


----------



## IgorGlock (Feb 21, 2010)

One question:

My LAN card supports ALTQ (Realtek) but I don't know how I can install "options ALTQ".

http://www.freebsd.org/cgi/man.cgi?query=altq&sektion=4
^ can't help me


----------



## sniper007 (Feb 22, 2010)

http://www.openbsd.org/faq/pf/queueing.html

READ, READ, READ again and again.

If you can't read, FreeBSD is not for you.

All of us need to read and study manuals and handbooks.


----------



## DutchDaemon (Feb 22, 2010)

( in this case, you need to build your own kernel, because ALTQ is not in the GENERIC kernel -> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html )


----------



## sniper007 (Feb 22, 2010)

DutchDaemon said:

> Of course /etc/german doesn't exist. FreeBSD doesn't magically contain a table with German IP addresses. You'll have to create it.
> 
> You cannot use the http://services.ce3c.be/ciprg/?countrys=GERMANY data directly, because IP addresses need to be listed like *1.2.3.4* or *1.2.3.4/24*. Ranges (*1.2.3.4-1.2.3.5*) do not work. There's probably some way to convert the range data into cidr data, but I have nothing ready.




http://www.ipdeny.com/ipblocks/data/countries/de.zone


----------



## IgorGlock (Feb 22, 2010)

Must I put option ALTQ into /boot/device.hints?


----------



## Ruler2112 (Feb 22, 2010)

IgorGlock said:

> rc.conf
>
> ```
> ...

You should only have one pf_rules in your rc.conf.




			
				IgorGlock said:
			
		

> pf.conf:
> 
> ```
> tcp_services = "{ ssh, 1337, 27015 }"
> ...



Notice how I've included ssh in the TCP services allowed through from the IPs in the german table...




			
				IgorGlock said:
			
		

> but my "/etc/german" file doesn't exist?! Can someone give me a examle?
> Can I generate it witch http://services.ce3c.be/ciprg/ ?





			
				sniper007 said:
			
		

> http://www.ipdeny.com/ipblocks/data/countries/de.zone



You need to somehow create the /etc/german file.  It's a list of IP addresses in CIDR format, as DD indicated.  This information could easily change over time as IP ranges are assigned/reassigned, so you'll probably want to update the file periodically.  If you use the script I linked to in my second post, it'll fetch and update the firewall table for you automatically.  (Just set the variables appropriately and set it up to run periodically.)




			
				IgorGlock said:
			
		

> must I put option ALTQ in to: /boot/device.hints ?



I went through adding ALTQ to my kernel a few months ago - there are a couple really good posts in there that describe exactly what you need to do.


----------



## IgorGlock (Feb 22, 2010)

But: /usr/src/sys/i386/conf: No such file or directory.

I hate this.


----------



## Ruler2112 (Feb 22, 2010)

IgorGlock said:

> But: /usr/src/sys/i386/conf: No such file or directory.
>
> I hate this.

You probably didn't install source code with your system.  Confirm with `ls -l /usr/src` - if empty, that's your problem.  `/usr/sbin/sysinstall` will re-run the initial setup program.  You can also use `pkg_add` to add the source packages from the CD/DVD.


----------



## IgorGlock (Feb 22, 2010)

Hmm... and what command can help me? "pkg_add source code" doesn't work.

I know I'm stupid!


----------



## Ruler2112 (Feb 22, 2010)

Check out the handbook.


----------



## DutchDaemon (Feb 23, 2010)

Igor, you're currently trying to climb Mount Everest in your shorts, and you're setting yourself up for a totally nuked system if you go on like this. 

Do you think that the ALTQ message you saw was some type of _error_, and that you *MUST* install ALTQ to get rid of it? You *don't*. It's _not an error_. If you don't need outbound traffic queueing, leave your system alone. 

If your only open port on the Internet side is ssh, install one of the bruteforce-blocker ports, and set your PF to pass everything out, and nothing but ssh in (forget about the /etc/german stuff too). Let the bruteforce-blocker do the rest by adjusting a PF table all by itself.

security/sshguard-pf
security/bruteforceblocker
security/sshit


----------



## IgorGlock (Feb 23, 2010)

Of course I can install + build my "Custom Kernel", and now I get another error...


```
# pfctl -F all -f /etc/pf2.conf
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
/etc/pf2.conf:12: syntax error
pfctl: Syntax error in config file: pf rules not loaded
```

What is wrong?

Here is my config file:


```
tcp_services = "{ 21075, 1337, 3306 }"
table <german> persist file "/etc/german"

set block-policy drop
set skip on lo

scrub in

block log all
pass proto icmp
pass in proto tcp from <german> to any port $tcp_services
pass out
```

Line 12? ....


----------



## DutchDaemon (Feb 23, 2010)

Hit [enter] after pass out.


----------



## IgorGlock (Feb 23, 2010)

Hmm... it works now, but...

I have the service "ssh". I changed my port and now I can't connect... :-( But it's okay... I have a backup of the MySQL DB.


----------



## IgorGlock (Feb 23, 2010)

One question!

If I want to block only ports 1337 & 21075 for non-German IPs... how can I do that?


----------



## DutchDaemon (Feb 23, 2010)

Something like

```
block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
```

might work.


----------



## IgorGlock (Feb 24, 2010)

DutchDaemon said:

> Something like
>
> ...

Like this?

pf1.conf:

```
table <german> persist file "/etc/german"
block in quick proto { tcp udp } from ! <german> to any port { 1337 21075 }
pass out
```

Is that right?


----------



## DutchDaemon (Feb 24, 2010)

That's right. Note that you're allowing everything else from anywhere else.


----------



## paean (Feb 25, 2010)

I don't normally do this, but I just can't help myself anymore.

*IgorGlock*: I have to give you credit... you are a persistent fellow. Reading this thread is like watching Muhammad Ali trying to solve a Rubik's Cube.

When (note I didn't say "If") you get pf selectively denying all non-german IPs, I hope you will continue to pursue a broader understanding of how FreeBSD operates. 

And for DD's sanity, hopefully you're able to learn much of that from the Handbook. ( =


Final note: you won't feel stupid if you learn the basics before you start asking tough questions. Go easy on yourself. ( ;


----------

