# PF not working on FreeBSD 8.2?



## bloodhound (Mar 31, 2011)

Hi. I have some problems with pf. It is not filtering anything!

Basically what I've done: 

in /boot/loader.conf:

```
pf_load="YES"
pflog_load="YES"
```
in /etc/rc.conf:

```
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
```
I added this to /etc/pf.conf:


```
ext_if="em0"
table <fail2ban> persist "/etc/pf.table.fail2ban"
block in quick on $ext_if from <fail2ban> to any
```

I have installed fail2ban, but at this point I don't see it parsing anything like /var/log/auth.log. Tried logging in xxxx times with wrong users/pass but nothing.

In any case I added that IP 192.168.2.60 with

```
smtpgw# pfctl -t fail2ban -T add 192.168.2.60
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.
```
Still I can do anything I want from 192.168.2.60.

I even tried a `block in all` in pf.conf and nothing gets filtered.

Any tips? Cause I used pf a lot on FreeBSD 7 and it worked like a charm.


----------



## quintessence (Apr 1, 2011)

Hello,


```
table <fail2ban> persist file "/etc/pf.table.fail2ban"
```

is the correct rule.
Probably your firewall rules are not loaded and PF is not started due to syntax error.

You can check the syntax with:
`# pfctl -nf /etc/pf.conf`

and the status with:
`# pfctl -si | head -n1`


----------



## bloodhound (Apr 1, 2011)

I had a wrong statement in my pf.conf, but still it seems that *fail2ban* is not working. It is not doing anything; I think it is not reading the auth.log file. I tried connecting with a wrong pass like 10 times. In auth.log I get:


```
Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:37 smtpgw last message repeated 2 times
Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:42 smtpgw last message repeated 2 times
Apr  1 16:26:45 smtpgw sshd[17187]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:47 smtpgw last message repeated 2 times
Apr  1 16:26:50 smtpgw sshd[17192]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:53 smtpgw last message repeated 2 times
Apr  1 16:26:57 smtpgw sshd[17197]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:59 smtpgw last message repeated 2 times
Apr  1 16:27:03 smtpgw sshd[17202]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:27:05 smtpgw last message repeated 2 times
Apr  1 16:27:08 smtpgw sshd[17209]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:27:10 smtpgw last message repeated 2 times
```

But the address does not get banned.

My fail2ban config:

jail.conf:

```
[DEFAULT]
backend         = auto
# bantime of -1 means forever, otherwise insert a time period in seconds
bantime         = 600
# time span for which to increment the counter for login failures, 604800 seconds equals 1 week
findtime        = 604800
maxretry        = 5
# replace by the email address to which you'd like to get notes
destemail       = <radu.negrut@hostlogiclive.com>
# replace by your own IP addresses you do not want fail2ban to apply to, CIDR format possible too
ignoreip        = 127.0.0.1 10.124.175.5
logtargets      = /var/log/fail2ban.log

[ssh-pf]
# this .fail2ban-jail. is switched on and it combines the filter.d/sshd.conf with action.d/pf.conf
enabled         = true
filter          = sshd
action          = pf
logpath         = /var/log/auth.log
maxretry        = 5

[ssh-ddos]
# this .fail2ban-jail. is switched on and it combines the filter.d/sshd-ddos.conf with action.d/pf.conf
enabled         = true
filter          = sshd-ddos
action          = pf
logpath         = /var/log/auth.log
maxretry        = 3
```

action.d/pf.conf:

```
[Definition]
actionstart     =
actionstop      =
actioncheck     =
actionban       = pfctl -t fail2ban -T add <ip>
actionunban     = pfctl -t fail2ban -T delete `pfctl -t fail2ban -T show 2>/dev/null | grep <ip>`

[Init]
port            = ssh
localhost       = 127.0.0.1
```
Any tips?
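As an added example (not code from the thread), here is a POSIX sh/awk counter that applies a fail2ban-style match to the auth.log lines quoted above, folds in syslogd's "last message repeated N times" lines (which a plain per-line match would not credit), and prints the same `pfctl -t fail2ban -T add` commands the `pf` action would run, as a dry run. The sample log is a constructed copy of the post's lines plus a second address (10.0.0.7) and an extra repeat line after the `su` entry, both constructed.

```shell
#!/bin/sh
# Constructed copies of the auth.log lines quoted in the post (plus a
# repeat line after "su" and a second address) used as offline sample input.
sample_log() {
cat <<'EOF'
Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
Apr  1 16:23:42 smtpgw last message repeated 3 times
Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:37 smtpgw last message repeated 2 times
Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:42 smtpgw last message repeated 2 times
Apr  1 16:26:45 smtpgw sshd[17187]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:47 smtpgw last message repeated 2 times
Apr  1 16:28:00 smtpgw sshd[17300]: error: PAM: authentication error for admin from 10.0.0.7
EOF
}

# Count sshd PAM failures per source address, the way a fail2ban failregex
# would, and fold in syslogd "last message repeated N times" lines.
# stdin: syslog lines; stdout: "<ip> <count>", one per address, sorted.
count_failures() {
    awk '
    /sshd\[[0-9]+\]: error: PAM: authentication error for/ &&
    match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        ip = substr($0, RSTART + 6, RLENGTH - 6)   # drop the " from " prefix
        n[ip]++; last = ip; next
    }
    # a collapsed repeat belongs to the line it repeats; a repeat of some
    # other message (e.g. su) must not be credited to an address
    /last message repeated [0-9]+ times/ {
        if (last != "") n[last] += $(NF - 1)
        next
    }
    { last = "" }
    END { for (ip in n) print ip, n[ip] }
    ' | sort
}

# Addresses whose count reached the jail maxretry (first argument).
offenders() {
    count_failures | awk -v max="$1" '$2 + 0 >= max + 0 { print $1 }'
}

# The pfctl commands the fail2ban "pf" actionban would run for them.  Dry
# run: printed, not executed.  On the host: tail -n 1000 /var/log/auth.log | ban_cmds 5
ban_cmds() {
    offenders "$1" | sed 's/^/pfctl -t fail2ban -T add /'
}
```

If the real filter never matches these lines, `count_failures` stays empty exactly as the jail would; `fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/sshd.conf` is the stock tool for checking that.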


----------



## DutchDaemon (Apr 2, 2011)

bloodhound, you *really* need to start *formatting your posts* about now...


----------



## da1 (Apr 3, 2011)

Even if the following is not a direct solution to your problem, it is an alternative.
After several failed attempts at fail2ban and other similar software, I decided to do it my way:

```
#!/bin/sh

#set -x

. /root/scripts/util/library.sh

ftpguard="/etc/ftpguard.pf"
table="ftpguard"


if [ ! -e "$ftpguard" ]
then
    echo "$ftpguard does not exist. Exiting ..."
    exit 1
fi


# Get all IP's that try to hijack the FTP port
if [ -z "$1" ]; then
    echo "Usage: grep_ip_from_file <file_name>"
else
    # the address regex must stay on one line: a backslash-newline inside
    # single quotes is passed to grep literally and breaks the pattern
    $grep "\[ERROR\] Too many authentication failures" "$1" | $awk '{print $6}' \
        | $grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | $uniq \
        | while read -r i
    do
        # only add addresses not already in the file (exact line match, -F so
        # the dots are not treated as regex wildcards)
        if ! $grep -qxF "$i" "$ftpguard"; then
            echo "$i" >> "$ftpguard"
            $pfctl -t "$table" -T add "$i"
        fi
    done
fi
```

/root/scripts/util/library.sh contains:

```
dig="/usr/bin/dig"                                        # Full path to: dig
if [ ! -f $dig ];then
    echo "Cannot find $dig executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
fi

grep="/usr/bin/grep"                                            # Full path to: grep
if [ ! -f $grep ];then
    echo "Cannot find $grep executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
fi

awk="/usr/bin/awk"                                              # Full path to: awk
if [ ! -f $awk ];then
    echo "Cannot find $awk executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
fi

# The script above also uses $uniq and $pfctl; these two entries were not in
# the posted listing and are added here in the same pattern (FreeBSD paths assumed).
uniq="/usr/bin/uniq"                                            # Full path to: uniq
if [ ! -f $uniq ];then
    echo "Cannot find $uniq executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
fi

pfctl="/sbin/pfctl"                                             # Full path to: pfctl
if [ ! -f $pfctl ];then
    echo "Cannot find $pfctl executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
fi
```

I run it from crontab every 10 minutes.
The script can easily be modified to do what you require.

PS: This script is configured for working with pure-ftpd failed login attempts.


----------

