[asterisk-users] Can't block intrusion

[D'Arcy Cain]

On 2020-04-02 08:01, Larry Moore wrote:
> I suspect you have a good understanding of pf.

Pretty good I think.  As with everything I am always willing to learn more.

> Have you included in your script running 'pfctl -k <ip_address>' to kill
> any states that may exists after you update your <AUTOBLOCK> table?

I haven't yet because I want to watch the effect of doing it.  When I
see the problem happening I run that manually and watch to see if it
stops the attack in its tracks or if I still have to null-route it.
Once I know that it is working I will add it to the script.

> In pf, like IP Filter, the last matching rule wins.

Subject to the "quick" keyword of course.

> What can't be determined from the information provided is whether any
> connections that have been established from networks you have listed in
> the table <FRIENDS>, also appear in the <AUTOBLOCK> table.

Absolutely positive.  FRIENDS is a static table with exactly eight
entries.  It is mainly for protection against our office and a few
special hosts such as our VoIP provider being locked out.  I can
guarantee that the IP that I showed in the OP was not a friend.

> Removing the 'quick' parameter from the rule for <FRIENDS> will allow
> packets to fall through to the next rules. Alternatively, moving the
> 'pass' rule to below your 'block' rules will allow any connections
> originating from networks listed in your <FRIENDS> table and also exists
> in the <AUTOBLOCK> table, will be blocked.

It's a safety thing.  Even if someone in the office makes a mistake I
don't want them blocked.  Same for other friends.

I haven't seen the issue today.  One thing that I did was to move the
anti spoof line further up.  I thought that anti-spoof would block
wherever it was.  Could the location be important?

-- 
D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
http://www.VybeNetworks.com/
IM:darcy at VybeNetworks.com VoIP: sip:darcy at VybeNetworks.com