BSD Packet filtering Basics

From RSWiki

BSD Packet Filter Basics

Enabling PF

Edit /etc/rc.local and search for the pf entries. Change them so that they look like this:

pf=YES                  # Packet filter / NAT

You need to reboot for the changes to take effect.

Creating a new table for banned hosts

Edit /etc/pf.conf and add a new table at the bottom of the file with the following:

table <spammers> persist file "/etc/spammers"
block in log (all) quick on vic0 from <spammers> to any

Save the file and in the /etc directory create your spammers file as mentioned above:

touch /etc/spammers

Permanently Blocking a host

To permanently block a host or network, add its IP address or the CIDR of the network to the /etc/spammers file.

Blocking a host or network on the fly

To block a host or network on the fly, add their IP address or CIDR using the pfctl command as follows:

pfctl -t spammers -T add 192.168.1.0/24

Unblocking a host or network on the fly

To unblock a host or network on the fly, again use the pfctl command as follows:

pfctl -t spammers -T delete 192.168.1.0/24

Viewing a list of blocked hosts

You can view a list of banned IP addresses and networks with the following command:

pfctl -t spammers -T show
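As an added example (this is not code from the wiki page), the following POSIX sh wrapper packages the pfctl table commands above: it validates the argument as an IPv4 address or CIDR block before anything reaches pfctl or /etc/spammers, keeps the file free of duplicate lines when a block is meant to be permanent, and removes the entry from both the live table and the file on unban. The PFCTL, TABLE and SPAMMERS_FILE variables, the validate_cidr helper and the "permanent" keyword are this example's own conventions. Keep in mind that entries added with pfctl -T add take effect immediately but are never written back to /etc/spammers, which is why the permanent path appends to the file as well, and that a newly edited /etc/pf.conf has to be loaded with pfctl -f /etc/pf.conf before the table rule exists.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): a small wrapper around
# the pfctl table commands for the <spammers> table. The variable names,
# the validate_cidr helper and the "permanent" keyword are this example's own.

PFCTL=${PFCTL:-pfctl}                           # override with a stub when testing
TABLE=${TABLE:-spammers}                        # table name used in /etc/pf.conf
SPAMMERS_FILE=${SPAMMERS_FILE:-/etc/spammers}   # file backing the persist table

# validate_cidr ADDR: succeed only if ADDR is a dotted-quad IPv4 address,
# optionally followed by a /0 to /32 prefix. Hostnames, IPv6 and anything
# containing shell metacharacters are rejected before they reach pfctl.
validate_cidr() {
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ban ADDR [permanent]: block ADDR now through the live table; with
# "permanent", also record it once in the table's file so it survives a reload.
ban() {
    validate_cidr "$1" || { echo "ban: invalid address or CIDR: $1" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T add "$1" || return 1
    if [ "${2:-}" = permanent ] && ! grep -qxF "$1" "$SPAMMERS_FILE" 2>/dev/null; then
        printf '%s\n' "$1" >> "$SPAMMERS_FILE"
    fi
}

# unban ADDR: remove ADDR from the live table and from the file if present.
unban() {
    validate_cidr "$1" || { echo "unban: invalid address or CIDR: $1" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T delete "$1" || return 1
    if [ -f "$SPAMMERS_FILE" ]; then
        tmp=$(mktemp) || return 1
        # grep exits 1 when no lines remain, which is not an error here
        grep -vxF "$1" "$SPAMMERS_FILE" > "$tmp" || [ $? -eq 1 ] || return 1
        # rewrite in place so ownership and permissions of the file are kept
        cat "$tmp" > "$SPAMMERS_FILE" && rm -f "$tmp"
    fi
}

# Command-line entry point. Run without arguments the script only defines
# the functions, so it can also be sourced from another script.
case ${1:-} in
    ban)   ban "$2" "${3:-}" ;;
    unban) unban "$2" ;;
    show)  "$PFCTL" -t "$TABLE" -T show ;;
    '')    ;;
    *)     echo "usage: $0 ban|unban ADDR [permanent] | show" >&2; exit 2 ;;
esac
```

Running `./pfban.sh ban 192.168.1.0/24 permanent` as root blocks the network immediately and appends it to /etc/spammers; `./pfban.sh unban 192.168.1.0/24` reverses both steps, and `./pfban.sh show` lists the current table contents.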

Logging of blocked hosts and networks

The block rule we added to /etc/pf.conf carries the log keyword, so every packet it drops is logged to /var/log/pflog. That file is in binary (pcap) format, but it can be read with tcpdump. To view the entire contents of the file, run the following command:

tcpdump -n -e -ttt -r /var/log/pflog

To view the log in real time, read from the pflog0 interface instead:

tcpdump -n -e -ttt -i pflog0
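Reading the raw log tells you what was dropped packet by packet; what a practitioner usually wants next is which sources the table rule is hitting most. The following added example (not from the wiki page) pipes the text that tcpdump -n -e -ttt -r /var/log/pflog prints through a small awk summary. The sample lines are constructed to mimic OpenBSD tcpdump's pflog rendering ("rule N/(match) block in on IF: SRC.PORT > DST.PORT: ..."); if the wording on your system differs, adjust the match pattern in top_blocked_sources accordingly.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): summarize which source
# addresses the block rule is dropping, from tcpdump's rendering of pflog.

# top_blocked_sources: read tcpdump pflog output on stdin and print
# "<count> <source address>" for each blocked inbound packet, most frequent first.
top_blocked_sources() {
    awk '
        /\/\(match\) block in on / {
            src = ""
            # the token before ">" is the source, written as ADDR or ADDR.PORT
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            # TCP/UDP lines carry the port as a fifth dotted component; strip
            # it, but leave ICMP lines (plain four-component addresses) alone
            n = split(src, p, ".")
            if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Constructed sample output: three blocked packets from two sources and one
# passed packet that the summary must ignore.
SAMPLE_PFLOG='Jan 12 10:11:12.000001 rule 3/(match) block in on vic0: 192.168.1.5.54321 > 10.0.0.1.22: S 1:1(0) win 65535
Jan 12 10:11:13.000002 rule 3/(match) block in on vic0: 192.168.1.5.54322 > 10.0.0.1.22: S 1:1(0) win 65535
Jan 12 10:11:14.000003 rule 3/(match) block in on vic0: 203.0.113.7 > 10.0.0.1: icmp: echo request
Jan 12 10:11:15.000004 rule 5/(match) pass in on vic0: 198.51.100.2.443 > 10.0.0.1.4000: . ack 1 win 1024'

# report: run the summary over the constructed sample. On a live system
# replace the printf with: tcpdump -n -e -ttt -r /var/log/pflog
report() {
    printf '%s\n' "$SAMPLE_PFLOG" | top_blocked_sources
}

report
```

On the sample this prints "2 192.168.1.5" followed by "1 203.0.113.7"; the passed packet from 198.51.100.2 does not appear because only lines matching a block rule are counted.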
