[asterisk-users] Can't block intrusion
Larry Moore
lmoore at starwon.com.au
Thu Apr 2 08:01:21 CDT 2020
On 2/04/2020 6:35 AM, D'Arcy Cain wrote:
> On 2020-04-01 16:28, Mark Boyce wrote:
>> On 1 Apr 2020, at 22:14, Greg Troxel <gdt at lexort.com
>> <mailto:gdt at lexort.com>> wrote:
>>> I think you need to use tcpdump and turn up firewall debugging.
>> sngrep is your friend …My bet is UDP vs TCP on firewall rules :-)
> block drop in log quick on bge0 from <AUTOBLOCK> to any
> block drop out log quick on bge0 from any to <AUTOBLOCK>
>
> Am I misunderstanding pf? I thought that that would block TCP, UDP,
> ICMP and anything else trying to get through.
>
> Since I started looking at this closer I did find that only some
> connections have this problem. Most get blocked as soon as the IP is
> passed to the AUTOBLOCK table.
I suspect you have a good understanding of pf.
Have you included running 'pfctl -k <ip_address>' in your script to kill
any states that may exist after you update your <AUTOBLOCK> table?
In pf, like IP Filter, the last matching rule wins.
What can't be determined from the information provided is whether any
connections that have been established from networks you have listed in
the table <FRIENDS> also appear in the <AUTOBLOCK> table.
Removing the 'quick' parameter from the rule for <FRIENDS> will allow
packets to fall through to the next rules. Alternatively, moving the
'pass' rule to below your 'block' rules will ensure that any connections
originating from networks listed in your <FRIENDS> table that also exist
in the <AUTOBLOCK> table are blocked.
Larry.
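To make the two points in Larry's reply concrete (rule order with 'quick', and states that outlive a table update), here is a small Python model of pf's documented evaluation semantics and state table. It is an added example, not code from the thread and not pf itself: the table names <FRIENDS> and <AUTOBLOCK> are the ones under discussion, every address is a constructed documentation-range value, and the pfctl commands named in the comments are the real ones that the Firewall class only imitates.

```python
"""Model of the two pf behaviours in Larry's reply: rule order with 'quick',
and states that outlive table updates. Added illustration, not pf itself;
table names are from the thread, all addresses are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges).
FRIENDS = ["203.0.113.0/24"]    # a trusted customer network
ATTACKER = "203.0.113.7"        # a host inside it that starts abusing SIP
STRANGER = "198.51.100.9"       # an unrelated host
SIP_SERVER = "192.0.2.1"        # the Asterisk box

# A pf rule reduced to the fields that matter here; src/dst are table names or None (any).
Rule = namedtuple("Rule", "action direction src dst quick", defaults=(None, None, False))


def in_table(tables, name, ip):
    """None means 'any'; otherwise the address must fall in one of the table's entries."""
    return name is None or any(ip_address(ip) in ip_network(e) for e in tables[name])


def matches(rule, tables, direction, src_ip, dst_ip):
    return (direction == rule.direction
            and in_table(tables, rule.src, src_ip)
            and in_table(tables, rule.dst, dst_ip))


class Firewall:
    def __init__(self, rules, tables):
        self.rules = rules
        self.tables = {name: list(entries) for name, entries in tables.items()}
        self.states = set()   # (src, dst) flows; pf keeps state on pass by default

    def evaluate(self, direction, src_ip, dst_ip):
        """pf order: the last matching rule wins, but a matching 'quick' rule
        stops evaluation immediately. No match at all means pass."""
        winner = None
        for rule in self.rules:
            if matches(rule, self.tables, direction, src_ip, dst_ip):
                winner = rule
                if rule.quick:
                    break
        return winner.action if winner else "pass"

    def packet(self, direction, src_ip, dst_ip):
        """A packet belonging to an existing state never reaches the ruleset."""
        if (src_ip, dst_ip) in self.states or (dst_ip, src_ip) in self.states:
            return "pass (state)"
        action = self.evaluate(direction, src_ip, dst_ip)
        if action == "pass":
            self.states.add((src_ip, dst_ip))
        return action

    def table_add(self, name, ip):
        """'pfctl -t <name> -T add <ip>': the table changes, existing states do not."""
        self.tables.setdefault(name, []).append(ip)

    def kill_states(self, ip):
        """'pfctl -k <ip>' (as source) plus 'pfctl -k 0.0.0.0/0 -k <ip>' (as
        destination): drop every state involving <ip>."""
        self.states = {flow for flow in self.states if ip not in flow}


def friends_pass_above_block():
    """Larry's ordering point: 'pass quick' for <FRIENDS> above the block rule
    lets a friend host that also sits in <AUTOBLOCK> through; without 'quick'
    evaluation continues and the block rule wins."""
    def run(friends_quick):
        rules = [Rule("pass", "in", src="FRIENDS", quick=friends_quick),
                 Rule("block", "in", src="AUTOBLOCK", quick=True)]
        fw = Firewall(rules, {"FRIENDS": FRIENDS, "AUTOBLOCK": []})
        fw.table_add("AUTOBLOCK", ATTACKER)
        return fw.packet("in", ATTACKER, SIP_SERVER)
    return run(True), run(False)     # ('pass', 'block')


def block_rule_above_pass():
    """Larry's alternative: block rule first. The friend host in <AUTOBLOCK> is
    blocked; a host in neither table falls through to pf's default pass."""
    rules = [Rule("block", "in", src="AUTOBLOCK", quick=True),
             Rule("pass", "in", src="FRIENDS", quick=True)]
    fw = Firewall(rules, {"FRIENDS": FRIENDS, "AUTOBLOCK": []})
    fw.table_add("AUTOBLOCK", ATTACKER)
    return fw.packet("in", ATTACKER, SIP_SERVER), fw.packet("in", STRANGER, SIP_SERVER)


def state_outlives_table_update():
    """Larry's 'pfctl -k' point: a flow established before the address is added
    to <AUTOBLOCK> keeps passing on its state; only killing the state makes the
    next packet hit the block rule."""
    fw = Firewall([Rule("block", "in", src="AUTOBLOCK", quick=True)], {"AUTOBLOCK": []})
    before = fw.packet("in", STRANGER, SIP_SERVER)
    fw.table_add("AUTOBLOCK", STRANGER)
    still = fw.packet("in", STRANGER, SIP_SERVER)
    fw.kill_states(STRANGER)
    after = fw.packet("in", STRANGER, SIP_SERVER)
    return before, still, after      # ('pass', 'pass (state)', 'block')
```

On a real host the equivalent of kill_states is two commands run right after 'pfctl -t AUTOBLOCK -T add <ip>': 'pfctl -k <ip>' removes states with <ip> as source, and 'pfctl -k 0.0.0.0/0 -k <ip>' removes states with <ip> as destination; a script that only updates the table leaves already-established SIP registrations or calls untouched, which is exactly the "only some connections" symptom described above.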