# [RESOLVED] restrict ssh access via IP pf config



## fred974 (Jun 2, 2014)

Hello everyone,

I just realized that my pf firewall rules are not actually doing what I thought they did.
My plan was to allow ssh access to the server only if the host IP address is 213.146.159.xxx, 82.31.44.xxx or 193.128.224.xx.
When playing with juicessh (Android app) I realized that I was allowed into the server. This should not happen, as my phone's random IP (not over wifi) is not set in the rules.

Could anyone help me figure out where I went wrong, please?

Thank you very much 

Here is my pf.conf file:

```
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{22,1413}"
PORT_ZABBIX="{10059}"

table <fail2ban> counters persist file "/var/db/pf/bf.table"
table <workssh> { 213.146.159.xxx,82.31.44.xxx,193.128.224.xx }

# [options]
set skip on lo0

# [normalization]
scrub in all

# [translation]

# [filtering]
pass out all
block in all
#block all IPs from the fail2ban blocklist without any further evaluation
block in quick on $ext_if from <fail2ban> to any

#pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
# Allow ssh traffic from authorised hosts, stateful with per-source limits (keep state, not synproxy)
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <fail2ban> flush)

pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
pass inet proto icmp all icmp-type $ICMP_TYPES keep state
# add IPs used for brute force attacks to table fail2ban, flush
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
```


----------



## SirDice (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*



			
> fred974 said:
>
> ```
> pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
> ```


This line allows anyone in.
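
The reason is pf's matching order: rules are evaluated top to bottom and, for rules without `quick`, the last matching rule decides. `block in all` at the top is not `quick`, so for an SSH SYN from an address outside `<workssh>` the last rule that matches is this non-quick `pass in ... from any to any port $PORT_SSH`, and the packet is passed. The following script is an added example, not code from the thread or from FreeBSD's pf tooling: a text-only check, in POSIX sh and awk, that expands a pf.conf's simple `NAME="value"` macros and reports every `pass in` rule whose source is `any` and whose destination port set includes an SSH port. The ruleset it checks is constructed here, modelled on the one posted above with the thread's `xxx` addresses replaced by RFC 5737 documentation addresses; the function names `pf_write_sample` and `pf_ssh_any_rules` are the example's own. It needs no pfctl, so it can run on a workstation before the file goes anywhere near the firewall, and it exits 1 when it finds something so it can gate a deploy. It reads `from any` literally and does not evaluate quick/last-match semantics, so it says a rule is reachable by anyone, not what the final verdict for a packet is.

```shell
#!/bin/sh
# Added example, not code from the thread: flag "pass in" rules that reach
# the SSH ports from any source, after expanding pf.conf macros.
# Needs only POSIX sh and awk; pfctl is not required.

# Constructed sample ruleset modelled on the one posted in the thread.
# Addresses are RFC 5737 documentation addresses, not the poster's.
pf_write_sample() {
    cat > "$1" <<'EOF'
ext_if="bge0"
IP_FREEBSD_HOST="192.168.0.10"
SSH_HOSTS= "{" $IP_FREEBSD_HOST "}"
PORT_SSH="{22,1413}"
table <fail2ban> counters persist
table <workssh> { 203.0.113.5, 198.51.100.7 }
block in all
block in quick on $ext_if from <fail2ban> to any
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH flags S/SA keep state
pass in quick proto tcp from any to $IP_FREEBSD_HOST port 80
# last match wins for non-quick rules, so this overrides "block in all" for SSH
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state
EOF
}

# pf_ssh_any_rules FILE [PORTS]
# Prints each "pass in ... from any ... port <SSH port>" rule with its line
# number, macros expanded. PORTS is a space-separated list (default "22").
# Exit status 1 if any such rule exists, 0 if the file is clean.
pf_ssh_any_rules() {
    awk -v sshports="${2:-22}" -v dq='"' '
    # Replace $NAME tokens with macro values; handles braces and commas
    # glued to a token, as in "{" $A $B "}" or {$A,$B}.
    function expand(line,    n, i, tok, core, pre, post, out) {
        n = split(line, tok, " ")
        out = ""
        for (i = 1; i <= n; i++) {
            core = tok[i]; pre = ""; post = ""
            while (core ~ /^[{(]/) { pre = pre substr(core, 1, 1); core = substr(core, 2) }
            while (core ~ /[}),]$/) { post = substr(core, length(core), 1) post; core = substr(core, 1, length(core) - 1) }
            if (core ~ /^\$/ && (substr(core, 2) in macro)) core = macro[substr(core, 2)]
            out = out (i > 1 ? " " : "") pre core post
        }
        return out
    }
    BEGIN { np = split(sshports, sp, " "); for (i = 1; i <= np; i++) want[sp[i]] = 1 }
    {
        line = $0
        sub(/#.*/, "", line)                                  # drop comments
        if (line ~ /^[ \t]*$/) next
        if (line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {         # macro definition
            name = line; sub(/[ \t]*=.*/, "", name)
            val = line;  sub(/^[^=]*=[ \t]*/, "", val); gsub(dq, "", val)
            macro[name] = expand(val)                         # macros may use earlier macros
            next
        }
        if (line !~ /^[ \t]*pass[ \t]+in([ \t]|$)/) next      # only inbound pass rules
        rule = expand(line); sub(/^[ \t]+/, "", rule)
        if (rule !~ /[ \t]from[ \t]+any([ \t]|$)/) next       # source must be "any"
        if (!match(rule, /[ \t]to[ \t]/)) next
        dst = substr(rule, RSTART)
        if (!match(dst, /[ \t]port[ \t]+/)) next              # no destination port: not an SSH rule
        spec = substr(dst, RSTART + RLENGTH)
        if (spec ~ /^[{]/) sub(/[}].*/, "", spec); else sub(/[ \t].*/, "", spec)
        gsub(/[{},]/, " ", spec)
        m = split(spec, p, " "); hit = 0
        for (i = 1; i <= m; i++) {
            if (p[i] ~ /^[0-9]+:[0-9]+$/) {                   # port range a:b
                split(p[i], r, ":")
                for (w in want) if (w + 0 >= r[1] + 0 && w + 0 <= r[2] + 0) hit = 1
            } else if (p[i] in want) hit = 1
        }
        if (hit) { printf "line %d: %s\n", NR, rule; found++ }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Stand-alone run: check the constructed sample.
f=$(mktemp -t pfcheck.XXXXXX)
pf_write_sample "$f"
if pf_ssh_any_rules "$f" "22 1413"; then
    echo "no SSH rule open to any source"
else
    echo "SSH reachable from any source by the rule(s) above"
fi
rm -f "$f"
```

Run it against the real file with `pf_ssh_any_rules /etc/pf.conf "22 1413"`; on the posted ruleset it reports exactly the line SirDice points at, with `$PORT_SSH` expanded to `{22,1413}`, and reports nothing once that line is gone.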


----------



## fred974 (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*

Hi @SirDice,

If I remove that line, how can I send all the IPs used for brute-force attacks to the fail2ban table?

Thank you


----------



## fred974 (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*

I removed the line below and I was still able to connect via my phone.

```
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
```


----------



## SirDice (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*



			
> fred974 said:
>
> I removed the line below and I was still able to connect via my phone.


Did you reload the configuration?

`pfctl -f /etc/pf.conf`


----------



## wblock@ (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*

`service pf reload` is the same thing but may be easier to remember.


----------



## fred974 (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*



			
> SirDice said:
>
> > fred974 said:
> > ...



No I didn't, I rebooted the server instead.
I ran the command `pfctl -f /etc/pf.conf` and I got the following

```
root@FREEBSDHOST:~ # pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCADDRULE: Operation not supported by device
```

My understanding of that error message is that the binaries I am using are out of sync with the kernel... Is that correct?
How can I fix that?


```
root@FREEBSDHOST:~ # pfctl -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:00:15           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                           58932         3928.8/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                              58932         3928.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
root@FREEBSDHOST:~ #
```
I assume from the output above that pf is running...?
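
The counters posted above can be read further than "pf is running". `searches` counts state-table lookups and `inserts` counts states created; the output shows pf enabled for 15 seconds with 58932 searches, 0 inserts and 0 current entries. Every pass rule in the posted pf.conf keeps state (and FreeBSD's pf keeps state on pass rules by default anyway), so if that ruleset were loaded and seeing the SSH and Zabbix traffic described, inserts would not be zero. pfctl loads a ruleset as a transaction and exits on the first rule the kernel refuses, which is what the `DIOCADDRULE` error is, so the new rules are never committed and whatever was in force before stays; after a reboot where the boot-time load fails the same way, that is an empty ruleset, and an enabled pf with no rules passes everything. That would explain both the zero inserts and the phone still getting in after the rule was removed. It is an inference from the posted counters, not something the thread confirms. The script below is an added example, not code from the thread: a parser for `pfctl -si` output that flags this "enabled but never inserting state" condition, plus the commands to compare the file on disk with what the kernel actually holds. The `pfctl -si` text is a constructed sample modelled on the one posted; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: parse "pfctl -si" counters to
# tell whether the loaded ruleset is creating state at all, plus the
# commands to compare the file on disk with the rules in the kernel.
# The parser needs only sh and awk; the live checks need pfctl and root.

# Constructed sample modelled on the "pfctl -si" output posted in the thread.
PF_SI_SAMPLE='Status: Enabled for 0 days 00:00:15           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                           58932         3928.8/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                              58932         3928.8/s'

# pf_state_sanity "<pfctl -si output>"
# pass rules keep state by default in FreeBSD pf and do so explicitly in the
# ruleset above, so a loaded ruleset that sees traffic must insert states.
# Exit 1 with a diagnostic when pf is enabled and searching but has never
# inserted one; exit 0 and print "ok: N state inserts" otherwise.
pf_state_sanity() {
    printf '%s\n' "$1" | awk '
        /^Status:/    { enabled = ($2 == "Enabled") }
        /^ *searches/ { searches = $2 + 0 }
        /^ *inserts/  { inserts = $2 + 0 }
        END {
            if (!enabled) { print "pf is not enabled"; exit 1 }
            if (searches > 0 && inserts == 0) {
                msg = "enabled, " searches " searches but 0 state inserts: "
                msg = msg "no stateful pass rule is matching, compare pfctl -sr with pf.conf"
                print msg
                exit 1
            }
            print "ok: " inserts " state inserts"
        }'
}

# Load a ruleset only if both the parser and the kernel accept the whole
# file. pfctl loads into a transaction and stops at the first rule the
# kernel refuses (the DIOCADDRULE error in the thread), so a failed load
# leaves the previously loaded rules in force rather than a partial set.
pf_reload() {
    conf="${1:-/etc/pf.conf}"
    pfctl -nf "$conf" || { echo "syntax error in $conf, nothing loaded" >&2; return 1; }
    pfctl -f "$conf"  || { echo "kernel rejected $conf, old rules still loaded" >&2; return 1; }
}

# What is actually in the kernel, as opposed to what is in the file.
# pfctl -sr prints one rule per port of a {22,1413} set and may print
# service names (ssh) instead of numbers; pfctl -ss prints states as
# addr:port pairs, so the phone's address would show up there if it got in.
pf_show_ssh_rules() {
    echo "== loaded rules (macros expanded) mentioning the SSH ports =="
    pfctl -sr | grep -E 'port .*(22|1413|ssh)'
    echo "== addresses currently in <workssh> =="
    pfctl -t workssh -T show
    echo "== live states to the SSH ports =="
    pfctl -ss | grep -E ':(22|1413) '
}

# Stand-alone run: check the constructed sample, then the live host if pfctl exists.
pf_state_sanity "$PF_SI_SAMPLE" || true
if command -v pfctl >/dev/null 2>&1; then
    pf_state_sanity "$(pfctl -si 2>/dev/null)" || true
    pf_show_ssh_rules
else
    echo "pfctl not available here; live checks skipped"
fi
```

On the FreeBSD host, `pf_state_sanity "$(pfctl -si)"` after a successful `pf_reload` should report a growing insert count, and `pf_show_ssh_rules` should list only the `<workssh>` rule for the SSH ports; if `pfctl -sr` prints nothing while the file has rules, the load never committed and that, not the rule text, is the problem to chase.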


----------



## SirDice (Jun 3, 2014)

*Re: restrict ssh access via IP pf config*



			
> fred974 said:
>
> If I remove that line, how can I send all the IPs used for brute-force attacks to the fail2ban table?


There won't be any because you limited access to the SSH port. Nobody can run a brute-force attack against your SSH if they can't connect.

Only the IP addresses you allowed could, potentially, brute-force their way in. If you want to keep fail2ban you need to add it to the line that does allow access.


----------



## fred974 (Jun 4, 2014)

*Re: restrict ssh access via IP pf config*



			
> SirDice said:
>
> > fred974 said:
> > ...



OK, I understand this point. But even after removing that line, anyone from any IP can still connect to the box.
Is there anything else that I missed?
Is the error message the cause of my problem?


----------



## fred974 (Jun 14, 2014)

*Re: restrict ssh access via IP pf config*

Hi guys,

I still haven't managed to sort out my problem with pf.conf.
My current setup is:
pf.conf

```
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{22,1413}"
PORT_ZABBIX="{10059}"

table <fail2ban> counters persist file "/var/db/pf/bf.table"
table <workssh> { 213.146.159.xxx,82.31.44.xxx,193.128.224.xx }

# [options]
set skip on lo0

# [normalization]
scrub in all

# [translation]

# [filtering]
pass out all
block in all
#block all IPs from the fail2ban blocklist without any further evaluation
block in quick on $ext_if from <fail2ban> to any

#pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
# Allow ssh traffic from authorised hosts, stateful with per-source limits (keep state, not synproxy)
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <fail2ban> flush)

pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
pass inet proto icmp all icmp-type $ICMP_TYPES keep state
```

All I want to do is limit access to the IP addresses in the `<workssh>` table.

Thank you


----------

