NetBSD-Users archive


Re: pf add not working



On Sun, 23 Nov 2014 05:53:00 +0100
Zoran Kolic <zkolic%sbb.rs@localhost> wrote:
> I might miss something from this thread.
> Would you, please, repeat what you did and
> what was the intent?

With the benefit of hindsight and to help future searches, here is a
clearer explanation of the problem and, I believe, the solution.

I have set up an intrusion detection system on my ISP.  In my pf.conf I
have the following two lines.

table <AUTOBLOCK> persist
block in quick log on $ext_if from <AUTOBLOCK>

I also open specific IP addresses.

I then run a script from cron that reads various logs and extracts IP
addresses that indicate hack attempts.  For example:

grep 'Failed password' $AUTHLOG |
    sed 's/.* from //;s/ .*//;' >> $PFDIR/$$.USER.$HOSTNAME

PFDIR and HOSTNAME have previously been defined.  I then count the
IPs in the output file and any that are higher than a set number (50 at
the present time) get added to a temporary file.  I further gather IPs
from all the other systems so that getting caught in one trap gets one
locked out of all my machines.

One of the checks I do is on my Asterisk phone switch.  Among other
things I look for attempts to call non-local extensions without
registering first.  One attack makes 100,000 attempts and takes 2.5
hours.  I catch it after the first minute and add the IP to the
AUTOBLOCK table defined above.  Everything looks good but the attack
continues to the end.

I couldn't figure out why the IP wasn't being filtered.  At first I
thought that it was because they were opening a connection and doing
the attack through that single connection and pf was only blocking new
connections.  Then I realized that Asterisk uses UDP, not TCP so that
didn't make sense because there is no state in UDP.  Then I read that
pf basically fakes state for UDP.  The reason for that is to allow
things like DNS to work.  If you make a DNS request you want the answer
to come back.

Up to now I was building my pf.conf from a script that opened up only
the ports needed on that server.  I used a common rule template:

TEMPLATE = """pass in log on $ext_if proto %s from any to any port %s\\
  keep state (max 2000, source-track rule,\\
  max-src-states 100, max-src-conn 40, max-src-conn-rate 100/10)\n\n"""

Where the "%s" variables were protocol (tcp or udp) and port to open.
Now I have two templates:

tcp = """pass in log on $ext_if proto tcp from any to any port %s\\
  keep state (max 2000, source-track rule,\\
  max-src-states 100, max-src-conn 40, max-src-conn-rate 100/10)"""
udp = "pass in log on $ext_if proto udp from any to any port %s no state"

so, for example, here are a couple of lines from my pf.conf on the
phone switch:

pass in log on $ext_if proto tcp from any to any port 22\
  keep state (max 2000, source-track rule,\
  max-src-states 100, max-src-conn 40, max-src-conn-rate 100/10)

pass in log on $ext_if proto udp from any to any port 5060 no state

Bottom line, I don't see any case where incoming UDP connections need
to keep state.  I think that this is going to solve my problem.  The
attacks happen every few days so I should know shortly if it works.

> I use pf on openbsd node and on rpi. As far
> as I know, you have to reload configuration

I don't think that reload is a problem.  A restart would be.

> file to have it on. Dynamically loaded rules
> could be a problem, due to disconnection of
> the session. I recall other firewalls doing

Not sure what problem you refer to.  If you mean that it doesn't block
existing connections you are probably correct.  That's kind of what
happened to me except that the "connection" was implied and so seemed
like a permanent connection even though there was no actual connection.

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
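Added example (not the script from the message): constructed sshd log lines are run through the same grep/sed extraction, counted per source address, and the addresses above the threshold are turned into pfctl commands for the AUTOBLOCK table. The function names offending_ips and autoblock_commands are assumed; the pfctl -k line is also my addition, because a state pf created for that source before the rule change would otherwise keep matching the old pass rule, which is the failure mode the message describes.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (not real data):
# 192.0.2.10 fails three times, 198.51.100.7 fails once.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 23 05:53:00 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Nov 23 05:53:02 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Nov 23 05:53:05 gw sshd[1203]: Accepted publickey for darcy from 198.51.100.7 port 40022 ssh2
Nov 23 05:53:07 gw sshd[1205]: Failed password for root from 198.51.100.7 port 40031 ssh2
Nov 23 05:53:09 gw sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
EOF

# Same extraction as the grep|sed in the message, then count per IP and
# keep only addresses whose failure count exceeds the threshold.
# (hypothetical helper name)  usage: offending_ips LOGFILE THRESHOLD
offending_ips() {
    grep 'Failed password' "$1" |
        sed 's/.* from //;s/ .*//;' |
        sort | uniq -c |
        awk -v min="$2" '$1 > min { print $2 }'
}

# Print, rather than execute, the pfctl commands that would populate the
# <AUTOBLOCK> table from the pf.conf above; pipe the output to sh on the
# firewall to apply it. The -k line clears any state pf already holds for
# that source so an in-flight UDP "connection" stops matching a pass rule.
# (hypothetical helper name)  usage: autoblock_commands LOGFILE THRESHOLD
autoblock_commands() {
    offending_ips "$1" "$2" |
        while read -r ip; do
            printf 'pfctl -t AUTOBLOCK -T add %s\n' "$ip"
            printf 'pfctl -k %s\n' "$ip"
        done
}

# With a threshold of 2 only 192.0.2.10 (3 failures) is listed.
offending_ips "$SAMPLE_LOG" 2
autoblock_commands "$SAMPLE_LOG" 2
```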

