BSD Packet filtering Basics

From RSWiki
Revision as of 14:08, 8 December 2009 by Robert (talk | contribs)


BSD Packet Filter Basics

Enabling PF

Edit /etc/rc.local and search for the pf entry. Change it so that it looks like this:

pf=YES                  # Packet filter / NAT

You need to reboot for the changes to take effect.

Creating a new table for banned hosts

Edit /etc/pf.conf and add a new table at the bottom of the file with the following:

table <spammers> persist file "/etc/spammers"
block in log (all) quick on vic0 from <spammers> to any

Save the file, then create the (initially empty) spammers file in /etc that the table definition refers to:

touch /etc/spammers

Permanently Blocking a host

To permanently block a host or network, add its IP address, or the CIDR prefix of the network, to the /etc/spammers file.

Blocking a host or network on the fly

To block a host or network on the fly, add its IP address or CIDR prefix to the table with the pfctl command as follows:

pfctl -t spammers -T add 192.168.1.0/24

Unblocking a host or network on the fly

To unblock a host or network on the fly, again use the pfctl command as follows:

pfctl -t spammers -T delete 192.168.1.0/24

Viewing a list of blocked hosts

You can view a list of banned IP addresses and networks with the following command:

pfctl -t spammers -T show
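The sections above give two ways into the same table: entries written to /etc/spammers are permanent but only reach the running table when pf loads the file, while `pfctl -T add` / `-T delete` take effect immediately but are not written back to the file. The following script is an added example, not part of the original page, that wraps the pfctl commands shown above so that both halves stay in step, and that validates an entry before it is used, so that a typo cannot turn into a prefix matching far more than intended. It assumes the table name `spammers` and the file /etc/spammers from this page (both can be overridden through the environment) and uses `pfctl -T replace -f` to reload the file into the live table.

```shell
#!/bin/sh
# Added example, not from the wiki page: a wrapper around the pfctl table
# commands that validates an entry and keeps /etc/spammers and the running
# <spammers> table in step. TABLE and SPAMMERS_FILE are assumptions taken
# from this page and can be overridden from the environment.

TABLE="${TABLE:-spammers}"
SPAMMERS_FILE="${SPAMMERS_FILE:-/etc/spammers}"

# valid_cidr ENTRY
# Succeeds only for a dotted-quad IPv4 address with an optional /1-32 prefix.
# Hostnames, IPv6, stray shell characters and the catch-all /0 are rejected.
valid_cidr() {
    entry=$1
    case $entry in
        */*) addr=${entry%%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;       prefix=32 ;;
    esac
    # prefix: 1 or 2 digits, value 1..32 (refuse /0, which would match everything)
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    # address: only digits and dots may appear at all
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    # walk the octets without touching IFS; exactly four, each 0..255
    rest=$addr
    n=0
    while :; do
        octet=${rest%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# persist_add FILE ENTRY: append ENTRY to FILE unless it is already present.
persist_add() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# persist_remove FILE ENTRY: drop every exact-match line for ENTRY from FILE,
# rewriting in place so the file's ownership and mode are preserved.
persist_remove() {
    tmp=$(mktemp) || return 1
    # grep exits 1 when no lines remain; only exit status 2 (error) is fatal
    { grep -vxF -- "$2" "$1" || [ $? -eq 1 ]; } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# ban ENTRY: permanent (persist file) and immediate (live table) in one step.
ban() {
    valid_cidr "$1" || { echo "ban: refusing '$1': not an IPv4 address or prefix" >&2; return 1; }
    persist_add "$SPAMMERS_FILE" "$1" &&
    pfctl -t "$TABLE" -T add "$1"
}

# unban ENTRY: reverse both halves of ban.
unban() {
    valid_cidr "$1" || { echo "unban: refusing '$1': not an IPv4 address or prefix" >&2; return 1; }
    persist_remove "$SPAMMERS_FILE" "$1" &&
    pfctl -t "$TABLE" -T delete "$1"
}

# sync_table: after editing the persist file by hand, check every entry and
# load the file into the running table; entries removed from the file are
# dropped from the table. Blank lines and # comments are skipped.
sync_table() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        valid_cidr "$line" || { echo "sync_table: bad entry '$line' in $SPAMMERS_FILE" >&2; return 1; }
    done < "$SPAMMERS_FILE"
    pfctl -t "$TABLE" -T replace -f "$SPAMMERS_FILE"
}

# Usage: sh pfban.sh ban 192.168.1.0/24 | unban 192.168.1.0/24 | sync_table
case ${1:-} in
    ban|unban|sync_table) "$@" ;;
esac
```

`valid_cidr` deliberately refuses `/0` and anything that is not a plain IPv4 address, because a table entry that matches everything would lock out every host the moment it is added.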

Logging of blocked hosts and networks

The `log (all)` keyword on the block rule we added to /etc/pf.conf sends every packet it blocks to /var/log/pflog. This file is in binary format, but it can be read with tcpdump. To view the entire contents of the file, run the following command:

tcpdump -n -e -ttt -r /var/log/pflog

To view the log in real time, use the following command instead:

tcpdump -n -e -ttt -i pflog0
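Reading the raw tcpdump output line by line does not tell you which sources the `<spammers>` rule is actually catching. The script below is an added example, not part of the original page, that counts blocked packets per source address from the text produced by `tcpdump -n -e -ttt -r /var/log/pflog`. It assumes each line carries `rule N/(match) block in on IFACE: SRC.PORT > DST.PORT:` as tcpdump prints for pflog, and the sample lines it embeds are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the wiki page: summarise pflog output by source.
# Assumed input format (the text form of "tcpdump -n -e -ttt -r /var/log/pflog"):
#   <delta> rule N/(match) block in on IFACE: SRC.PORT > DST.PORT: ...
# Usage: tcpdump -n -e -ttt -r /var/log/pflog | sh pflog-summary.sh /dev/stdin

# summarize_pflog FILE
# Prints "COUNT SOURCE" lines, busiest source first, for every "block" entry.
summarize_pflog() {
    awk '
        /block/ {
            # the source address is the token two places after "on" ("on vic0: SRC")
            for (i = 1; i < NF; i++) {
                if ($i == "on") { src = $(i + 2); break }
            }
            if (src == "") next
            # TCP/UDP sources carry a trailing .PORT (five dotted parts); ICMP ones do not
            n = split(src, p, ".")
            if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            count[src]++
            src = ""
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
}

# write_sample FILE: constructed pflog text (not real traffic) for a stand-alone run.
write_sample() {
    cat > "$1" <<'EOF'
000000 rule 2/(match) block in on vic0: 203.0.113.5.41234 > 192.0.2.10.25: S 1:1(0) win 65535
000123 rule 2/(match) block in on vic0: 203.0.113.5.41235 > 192.0.2.10.25: S 1:1(0) win 65535
000044 rule 2/(match) block in on vic0: 198.51.100.7 > 192.0.2.10: icmp: echo request
000210 rule 0/(match) pass in on vic0: 192.0.2.55.52000 > 192.0.2.10.22: S 1:1(0) win 65535
000009 rule 2/(match) block in on vic0: 203.0.113.5.41236 > 192.0.2.10.25: S 1:1(0) win 65535
EOF
}

sample=$(mktemp)
write_sample "$sample"
summarize_pflog "$sample"
rm -f "$sample"
```

On the constructed sample the output is `3 203.0.113.5` followed by `1 198.51.100.7`; the `pass` line is ignored, and the ICMP entry, whose source has no port suffix, is counted under its plain address. The same function works on live output by piping `tcpdump -n -e -ttt -i pflog0` into it.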
