[asterisk-users] Can't block intrusion
darcy at VybeNetworks.com
Thu Apr 2 09:17:01 CDT 2020
On 2020-04-02 08:01, Larry Moore wrote:
> I suspect you have a good understanding of pf.
Pretty good I think. As with everything I am always willing to learn more.
> Have you included in your script running 'pfctl -k <ip_address>' to kill
> any states that may exists after you update your <AUTOBLOCK> table?
I haven't yet because I want to watch the effect of doing it. When I
see the problem happening I run that manually and watch to see if it
stops the attack in its tracks or if I still have to null-route it.
Once I know that it is working I will add it to the script.
> In pf, like IP Filter, the last matching rule wins.
Subject to the "quick" keyword of course.
> What can't be determined from the information provided is whether any
> connections that have been established from networks you have listed in
> the table <FRIENDS>, also appear in the <AUTOBLOCK> table.
Absolutely positive. FRIENDS is a static table with exactly eight
entries. It is mainly for protection against our office and a few
special hosts such as our VoIP provider being locked out. I can
guarantee that the IP that I showed in the OP was not a friend.
> Removing the 'quick' parameter from the rule for <FRIENDS> will allow
> packets to fall through to the next rules. Alternatively, moving the
> 'pass' rule to below your 'block' rules will allow any connections
> originating from networks listed in your <FRIENDS> table and also exists
> in the <AUTOBLOCK> table, will be blocked.
It's a safety thing. Even if someone in the office makes a mistake I
don't want them blocked. Same for other friends.
I haven't seen the issue today. One thing that I did was to move the
anti spoof line further up. I thought that anti-spoof would block
wherever it was. Could the location be important?
D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
IM:darcy at VybeNetworks.com VoIP: sip:darcy at VybeNetworks.com
More information about the asterisk-users