# learning pf and I think I've derped somewhere



## sam7931 (May 28, 2012)

So I'm used to IPF and I'm trying to start to put together my first basic pf rule set, and I think I've derped up somewhere but I'm not seeing it.  My box is sitting on my internal LAN and my router is port-forwarding port 80 and 443 traffic to it.  I'd like to only allow select predefined IPs to certain services.  I'm also blocking all non-US based IPs just in case I decide to ever carve out more lenient rules in the future.  My rule set is:


```
%cat /etc/pf.conf
#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.4.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
int_if="re0"
lan="192.168.1.0/24"
safeip="safeip.dyndns.org/32"
table <us-ip> persist file "/etc/pf.usonlyips"
#table <spamd-white> persist

#set skip on lo

scrub in all

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

#lets start by blocking all ips then passing US based ips
block in on $int_if from any to any
pass in on $int_if from <us-ip> to any

# i can talk to anyone
pass out on $int_if to any

# i don't listen to many people though
pass in quick on $int_if from $lan
pass in quick on $int_if proto tcp from $safeip to $int_if port ssh
pass in quick on $int_if proto tcp from $safeip to $int_if port https

## No restrictions on Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all

# no match so far time to block
block in quick log all
```

However, this doesn't appear to be working, as I'm seeing entries such as:

```
May 27 17:06:16 testbox sshd[13000]: Invalid user staff from 122.70.128.5
May 27 17:06:18 testbox sshd[13002]: Invalid user sales from 122.70.128.5
May 27 19:57:38 testbox sshd[14898]: Invalid user nagios from 210.245.90.176
May 27 19:57:45 testbox sshd[14900]: Invalid user nagios from 210.245.90.176
May 27 19:57:54 testbox sshd[14902]: Invalid user nagios from 210.245.90.176
May 27 19:58:01 testbox sshd[14904]: Invalid user nagios from 210.245.90.176
May 27 23:01:39 testbox sshd[17070]: Invalid user virus from 220.165.5.7
May 27 23:01:41 testbox sshd[17072]: Invalid user cyrus from 220.165.5.7
```

Which is most assuredly not my safeip value.  Have I missed something obvious?  I'm also open to a different "template" new rule set if this sucks too much. :e


----------



## SirDice (May 29, 2012)

For safeip use an IP address and an optional netmask. Don't use a hostname plus netmask. 

You might also want to check out security/sshguard-pf, which can help you combat those brute-force attacks.


----------
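A rewrite of the posted rule set along the lines of SirDice's advice, added here as an example and not part of the thread. It assumes the same interface, LAN and US address list as the original post, and uses the placeholder address 203.0.113.10 for the allowed host; the optional port 80 rule for US addresses is an assumption about the "more lenient rules" the post mentions.

```pf
# Added example (not from the thread): the same policy with the allowed
# host kept in a table instead of a hostname/32 macro.
# Assumptions: interface re0, LAN 192.168.1.0/24 and a US-only address
# list in /etc/pf.usonlyips, as in the original post.
int_if="re0"
lan="192.168.1.0/24"

# pf resolves a hostname in a rule only when the ruleset is loaded, so a
# dynamic-DNS name goes stale as soon as the address changes. Keep the
# allowed host in a table and refresh it from a cron job without reloading
# the whole ruleset, e.g. (placeholder address):
#   pfctl -t safe -T replace 203.0.113.10
table <safe> persist { 203.0.113.10 }
table <us-ip> persist file "/etc/pf.usonlyips"

# No filtering on loopback at all.
set skip on lo0
scrub in all

# Default deny, logged. Deliberately NOT "quick": in pf the last matching
# rule wins, so each later "pass ... quick" overrides this for its traffic.
block in log on $int_if all

# This box may talk to anyone.
pass out quick on $int_if all keep state

# Hosts on the LAN may reach everything.
pass in quick on $int_if from $lan to ($int_if)

# Only the allowed host may reach ssh and https.
pass in quick on $int_if proto tcp from <safe> to ($int_if) port { ssh, https }

# Optional: the web service the router forwards on port 80, limited to US
# addresses. In the original post the non-quick "pass in ... from <us-ip>"
# was cancelled by the trailing "block in quick log all", because that
# later quick block was the last (and final) match for every packet.
pass in quick on $int_if proto tcp from <us-ip> to ($int_if) port http

# No trailing "block in quick log all": the first rule already covers
# everything that no pass rule claimed.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the ruleset without installing it, so a macro or address that pfctl rejects shows up as an error instead of leaving the old rules silently in place.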

