NetBSD-Users archive
Re: pf add not working
> I have set up an intrusion detection system on my ISP. In my pf.conf I
> have the following two lines.
> table <AUTOBLOCK> persist
> block in quick log on $ext_if from <AUTOBLOCK>
OpenBSD and NetBSD versions might differ a lot.
It should read a file from the file system and act
accordingly. Good thinking and possible.
> I also open specific IP addresses
> I then run a script from cron that reads various logs and extracts IP
> addresses that indicate hack attempts. For example:
> grep 'Failed password' $AUTHLOG |
> sed 's/.* from //;s/ .*//;' >> $PFDIR/$$.USER.$HOSTNAME
>
> PFDIR and HOSTNAME have previously been defined. I then count the
> IPs in the output file and any that are higher than a set number (50 at
> the present time) get added to a temporary file. I further gather IPs
> from all the other systems so that getting caught in one trap gets one
> locked out of all my machines.
So, it takes an input from another program and
adds it to the rule? So far, so good.
> I catch it after the first minute and add the IP to the
> AUTOBLOCK table defined above. Everything looks good but the attack
> continues to the end.
>
> I couldn't figure out why the IP wasn't being filtered. At first I
> thought that it was because they were opening a connection and doing
> the attack through that single connection and pf was only blocking new
> connections. Then I realized that Asterisk uses UDP, not TCP so that
> didn't make sense because there is no state in UDP. Then I read that
> pf basically fakes state for UDP. The reason for that is to allow
> things like DNS to work. If you make a DNS request you want the answer
> to come back.
Here is how I set a rule to let in:
pass in on usmsc0 proto tcp from any to any port ssh
Defaults to keep state. Your rule could be:
pass in on $me proto udp from any to $node port $ast modulate state
To cite a manual:
"In the case of protocols without "start" and "end" packets, PF simply keeps
track of how long it has been since a matching packet has gone through.
If the timeout is reached, the state is cleared. The timeout values can be
set in the options section of the pf.conf file."
> TEMPLATE = """pass in log on $ext_if proto %s from any to any port %s\\
> keep state (max 2000, source-track rule,\\
> max-src-states 100, max-src-conn 40, max-src-conn-rate 100/10)\n\n"""
>
> Where the "%s" variables were protocol (tcp or udp) and port to open.
> Now I have two templates:
>
> tcp = """pass in log on $ext_if proto tcp from any to any port %s\\
> keep state (max 2000, source-track rule,\\
> max-src-states 100, max-src-conn 40, max-src-conn-rate 100/10)"""
> udp = "pass in log on $ext_if proto udp from any to any port %s no state" ### no line break in actual script
pass in log on $ext_if proto { tcp, udp, icmp } from any to any modulate state
I think you should not have "no state" for udp. Try to remove it.
> Bottom line, I don't see any case where incoming UDP connections need
> to keep state. I think that this is going to solve my problem. The
> attacks happen every few days so I should know shortly if it works.
What if you remove "no state"?
I will have to reread the manual to see how pf takes an input
from the file. I'm pretty sure you have to add state to udp,
but I might be wrong.
The NetBSD version of pf could work differently than in the manual.
Zoran
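The cron job the original poster describes (grep the auth log for "Failed password", extract the source address, count per address, feed anything over the threshold into the <AUTOBLOCK> table) written out as a complete script. This is an added example, not the poster's script or anything from the thread: the table name AUTOBLOCK, the threshold of 50 and the grep/sed extraction come from the message above, while the sample log lines are constructed for the demonstration and the pfctl invocation runs as a dry run (echo) unless PFCTL is set. It also issues the standard `pfctl -k host` after the table add, because, as the thread notes, a table entry only stops new packets; state already created for the attacking host is not cleared by adding it to the table.

```shell
#!/bin/sh
# Added example (not from the thread): feed repeat "Failed password" sources
# into a pf table. Default threshold 50 as in the message above; the sample
# log below is constructed. PFCTL defaults to a dry run that echoes commands;
# set PFCTL=pfctl on a real gateway (needs root).

TABLE=${TABLE:-AUTOBLOCK}
PFCTL=${PFCTL:-"echo pfctl"}

# Constructed sample sshd log: 192.0.2.10 fails 3 times, 198.51.100.7 once,
# plus a successful login that must be ignored.
sample_log() {
    cat <<'EOF'
Jan  5 10:01:02 gw sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan  5 10:01:05 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Jan  5 10:01:09 gw sshd[1235]: Failed password for root from 192.0.2.10 port 51250 ssh2
Jan  5 10:02:00 gw sshd[1236]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan  5 10:02:30 gw sshd[1237]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
EOF
}

# Read an auth log on stdin; print (sorted, one per line) every source address
# with MORE than $1 "Failed password" lines. The final grep keeps only dotted
# quads so nothing odd from a log line ever reaches pfctl.
offenders() {
    threshold=$1
    grep 'Failed password' |
        sed 's/.* from //;s/ .*//' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 > t { print $2 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        sort
}

# For each offender above threshold $1: add it to the table, then kill any
# state pf already holds for that host so an in-progress UDP or TCP exchange
# does not keep flowing past the block rule.
block_offenders() {
    offenders "$1" | while read -r ip; do
        $PFCTL -t "$TABLE" -T add "$ip"
        $PFCTL -k "$ip"
    done
}

# Demo on the constructed log (dry run): prints the pfctl commands that would
# block 192.0.2.10, the only address with more than 2 failures.
sample_log | block_offenders 2
```

On the gateway the same pipeline runs as `block_offenders 50 < /var/log/authlog` from cron with `PFCTL=pfctl`; the table must be declared `persist` in pf.conf, as in the poster's configuration, so it survives with no entries between runs.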