[asterisk-users] Can't block intrusion

Larry Moore lmoore at starwon.com.au
Thu Apr 2 08:01:21 CDT 2020


On 2/04/2020 6:35 AM, D'Arcy Cain wrote:
> On 2020-04-01 16:28, Mark Boyce wrote:
>> On 1 Apr 2020, at 22:14, Greg Troxel <gdt at lexort.com
>> <mailto:gdt at lexort.com>> wrote:
>>> I think you need to use tcpdump and turn up firewall debugging.
>> sngrep is your friend … My bet is UDP vs TCP on firewall rules :-)
> block drop in log quick on bge0 from <AUTOBLOCK> to any
> block drop out log quick on bge0 from any to <AUTOBLOCK>
>
> Am I misunderstanding pf?  I thought that that would block TCP, UDP,
> ICMP and anything else trying to get through.
>
> Since I started looking at this closer I did find that only some
> connections have this problem.  Most get blocked as soon as the IP is
> passed to the AUTOBLOCK table.

I suspect you have a good understanding of pf.

Have you included in your script running 'pfctl -k <ip_address>' to kill 
any states that may exist after you update your <AUTOBLOCK> table?

In pf, like IP Filter, the last matching rule wins.

What can't be determined from the information provided is whether any 
connections that have been established from networks you have listed in 
the table <FRIENDS>, also appear in the <AUTOBLOCK> table.

Removing the 'quick' parameter from the rule for <FRIENDS> will allow 
packets to fall through to the next rules. Alternatively, if you move the 
'pass' rule to below your 'block' rules, any connections originating from 
networks listed in your <FRIENDS> table that also exist in the <AUTOBLOCK> 
table will be blocked.

Larry.
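To make the two points in this reply concrete (rule order with and without 'quick', and states that survive a table update until 'pfctl -k' removes them), here is a small Python model of pf's matching logic. It is an added illustration written for this thread, not pf's own code and not anything from the original posters; it only understands the rule subset quoted above. The <FRIENDS> and <AUTOBLOCK> table names come from the thread, the assumption that a 'pass ... from <FRIENDS>' rule precedes the block rules is the hypothesis raised in this reply, and all addresses are constructed from documentation ranges.

```python
"""Toy model of pf evaluation: ordered rules, 'quick', last match wins,
and existing states bypassing the ruleset. Illustration only, not pf."""
import ipaddress
import re

# Subset of pf syntax seen in the thread:
#   block drop in log quick on bge0 from <AUTOBLOCK> to any
#   pass in quick on bge0 from <FRIENDS> to any
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+drop)?\s+(?P<dir>in|out)"
    r"(?:\s+log)?(?P<quick>\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$"
)


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append({"action": m["action"], "dir": m["dir"],
                      "quick": bool(m["quick"]), "iface": m["iface"],
                      "src": m["src"], "dst": m["dst"]})
    return rules


def addr_matches(spec, addr, tables):
    """'any', a <TABLE> reference, or a literal network."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return any(ip in net for net in tables.get(spec[1:-1], []))
    return ip in ipaddress.ip_network(spec, strict=False)


class PfModel:
    def __init__(self, rules_text, tables):
        self.rules = parse_rules(rules_text)
        self.tables = {name: [ipaddress.ip_network(n, strict=False) for n in nets]
                       for name, nets in tables.items()}
        self.states = set()  # (dir, iface, src, dst) created by passed packets

    def table_add(self, name, net):  # pfctl -t NAME -T add NET
        self.tables.setdefault(name, []).append(ipaddress.ip_network(net, strict=False))

    def kill_states(self, host):  # pfctl -k HOST (simplified to exact host match)
        self.states = {s for s in self.states if host not in (s[2], s[3])}

    def packet(self, direction, iface, src, dst):
        key = (direction, iface, src, dst)
        if key in self.states:  # state table is consulted before the ruleset
            return "pass (existing state)"
        verdict = "pass"  # pf's default when no rule matches
        for r in self.rules:
            if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
                continue
            if not (addr_matches(r["src"], src, self.tables)
                    and addr_matches(r["dst"], dst, self.tables)):
                continue
            verdict = r["action"]  # last match wins ...
            if r["quick"]:         # ... unless the match is 'quick'
                break
        if verdict == "pass":
            self.states.add(key)
        return verdict


# Constructed sample data: a "friend" network whose host landed in AUTOBLOCK.
TABLES = {"FRIENDS": ["192.0.2.0/24"], "AUTOBLOCK": ["192.0.2.77/32"]}
RULES_PASS_QUICK_FIRST = """
pass in quick on bge0 from <FRIENDS> to any
block drop in log quick on bge0 from <AUTOBLOCK> to any
block drop out log quick on bge0 from any to <AUTOBLOCK>
"""
RULES_PASS_NO_QUICK = RULES_PASS_QUICK_FIRST.replace("pass in quick", "pass in")


def friend_in_autoblock(rules_text):
    """Verdict for a host that is in both <FRIENDS> and <AUTOBLOCK>."""
    pf = PfModel(rules_text, TABLES)
    return pf.packet("in", "bge0", "192.0.2.77", "198.51.100.10")


def stale_state_demo(kill):
    """Add a host to <AUTOBLOCK> after it already has a state; optionally kill."""
    pf = PfModel(RULES_PASS_NO_QUICK, {"FRIENDS": ["192.0.2.0/24"], "AUTOBLOCK": []})
    host = "203.0.113.5"
    first = pf.packet("in", "bge0", host, "198.51.100.10")  # no match -> pass, state created
    pf.table_add("AUTOBLOCK", host + "/32")
    if kill:
        pf.kill_states(host)
    second = pf.packet("in", "bge0", host, "198.51.100.10")
    return first, second


if __name__ == "__main__":
    print("pass quick first:", friend_in_autoblock(RULES_PASS_QUICK_FIRST))
    print("pass without quick:", friend_in_autoblock(RULES_PASS_NO_QUICK))
    print("table updated, no pfctl -k:", stale_state_demo(kill=False))
    print("table updated, then pfctl -k:", stale_state_demo(kill=True))
```

The model reproduces both behaviours discussed: with 'quick' on the <FRIENDS> pass rule, a host that also sits in <AUTOBLOCK> is never evaluated against the block rules; without 'quick' it falls through and the quick block wins. The second scenario shows why some connections keep flowing after an address is added to the table: an existing state is matched before the ruleset, so the block only takes effect for that flow once the state is killed.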
