Openbsd.Pf

version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0
author=jrmu
charset=UTF-8
csum=
ctime=1597225169
host=198.251.81.119
name=Openbsd.Pf
rev=3
targets=
text=On a workstation where you are the only user, you can use a very simple /etc/pf.conf:%0a%0a[@%0aset skip on lo0 # don't filter localhost packets%0aext_if = "em0" # replace em0 with your external interface%0a%0aset block-policy drop # by default, drop packets. You can also set block-policy reject%0aset loginterface $ext_if # log that interface%0a%0ablock all # block all traffic by default%0apass in inet proto icmp icmp-type 8 code 0 # icmp packets%0apass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0apass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0apass out all # pass all outgoing traffic%0a@]%0a%0aThis will allow the necessary ICMP traffic (useful for network diagnosis) while blocking all other incoming connections.%0a%0a(As a general rule, the last matching rule determines the action.)%0a%0aI generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100%25 accurate.%0a%0aTo load the ruleset once you've edited it, run:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0aTo disable the firewall (useful for diagnosing the network), run:%0a%0a[@%0a$ doas pfctl -d%0a@]%0a%0aTo enable it again:%0a%0a[@%0a$ doas pfctl -e%0a@]%0a%0aFor a server, you will want to, at a minimum, allow incoming ssh packets:%0a%0a[@%0aset skip on lo0 # don't filter localhost packets%0aext_if = "em0" # my external interface is em0%0a%0aset block-policy drop # by default, drop packets. You can also set block-policy reject%0aset loginterface $ext_if # log that interface%0a%0ablock all # block all traffic by default%0apass in proto tcp from 192.168.1.1 to port ssh%0apass in inet proto icmp icmp-type 8 code 0 # icmp packets%0apass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0apass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0apass out all # pass all outgoing traffic%0a@]%0a%0aReplace 192.168.1.1 with your IP.%0a%0aAs a general rule, your servers should also accept incoming http and https connections. This is necessary for running a web server and also for acquiring a properly signed SSL certificate. Here is the /etc/pf.conf:%0a%0a[@%0aset skip on lo0 # don't filter localhost packets%0aext_if = "em0" # my external interface is em0%0a%0aset block-policy drop # by default, drop packets. You can also set block-policy reject%0aset loginterface $ext_if # log that interface%0a%0ablock all # block all traffic by default%0apass in proto tcp from 192.168.1.1 to port ssh%0apass in inet proto icmp icmp-type 8 code 0 # icmp packets%0apass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0apass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0apass in proto tcp to port {http https}%0apass out all # pass all outgoing traffic%0a@]%0a%0aTo see how many packets are arriving:%0a%0a[@%0a$ doas pfctl -f /etc/pf.conf%0a@]%0a%0aThis will empty the existing state tables for pf. Then, run%0a%0a[@%0a$ doas pfctl -sr -v%0a@]%0a%0aThis will show you how many packets are arriving. Since you emptied the state tables, if you now see 1000s of packets coming in, those packets came in the last few seconds, indicating that you are certainly under attack.
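An added example, not from the wiki page, to make the "last matching rule determines the action" point concrete: a toy Python model of pf's evaluation run over the server ruleset above. The `pkt`, `evaluate` and `demo` helpers and the 203.0.113.9 / 192.0.2.10 addresses are constructed here, and state tracking, `quick`, tables and IPv6 are deliberately left out.

```python
# Added example, not from the wiki page: a toy model of pf's rule evaluation,
# where the LAST matching rule decides, run over the server ruleset above.
# Packets are constructed samples; state, 'quick', tables and IPv6 are left out.
def pkt(direction, proto, src, dport=None, itype=None, icode=None):
    return {"dir": direction, "proto": proto, "src": src,
            "dport": dport, "itype": itype, "icode": icode}

# One predicate per pf.conf line, kept in the file's order.
def ssh_from_admin(p):  # pass in proto tcp from 192.168.1.1 to port ssh
    return p["dir"] == "in" and p["proto"] == "tcp" and p["src"] == "192.168.1.1" and p["dport"] == 22
def icmp_echo(p):       # pass in inet proto icmp icmp-type 8 code 0
    return p["dir"] == "in" and p["proto"] == "icmp" and (p["itype"], p["icode"]) == (8, 0)
def icmp_needfrag(p):   # pass in inet proto icmp icmp-type 3 code 4
    return p["dir"] == "in" and p["proto"] == "icmp" and (p["itype"], p["icode"]) == (3, 4)
def web(p):             # pass in proto tcp to port {http https}
    return p["dir"] == "in" and p["proto"] == "tcp" and p["dport"] in (80, 443)
def outbound(p):        # pass out all
    return p["dir"] == "out"

SERVER_RULES = [
    ("block", lambda p: True),  # block all: without it pf passes unmatched packets
    ("pass", ssh_from_admin),
    ("pass", icmp_echo),
    ("pass", icmp_needfrag),
    ("pass", web),
    ("pass", outbound),
]

def evaluate(rules, p):
    """Action of the last matching rule; pf's default when nothing matches is pass."""
    action = "pass"
    for act, matches in rules:
        if matches(p):
            action = act  # a later match overrides an earlier one
    return action

def demo(rules=SERVER_RULES):
    """Evaluate a few constructed packets and return {name: action}."""
    samples = {
        "ssh from admin": pkt("in", "tcp", "192.168.1.1", dport=22),
        "ssh from elsewhere": pkt("in", "tcp", "203.0.113.9", dport=22),
        "https from anywhere": pkt("in", "tcp", "203.0.113.9", dport=443),
        "mysql from anywhere": pkt("in", "tcp", "203.0.113.9", dport=3306),
        "ping": pkt("in", "icmp", "203.0.113.9", itype=8, icode=0),
        "outbound dns": pkt("out", "udp", "192.0.2.10", dport=53),
    }
    return {name: evaluate(rules, p) for name, p in samples.items()}

if __name__ == "__main__":
    print(demo())                   # mysql is blocked
    print(demo(SERVER_RULES[1:]))   # minus 'block all': mysql is passed
```

Dropping the first entry of `SERVER_RULES` reproduces a ruleset with no `block` line: the unmatched mysql packet then falls through to pf's default and is passed.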
time=1607860999
author:1607860999=jrmu
diff:1607860999:1599996783:=74,88c74%0a%3c @]%0a%3c %0a%3c To see how many packets are arriving:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c @]%0a%3c %0a%3c This will empty the existing state tables for pf. Then, run%0a%3c %0a%3c [@%0a%3c $ doas pfctl -sr -v%0a%3c @]%0a%3c %0a%3c This will show you how many packets are arriving. Since you emptied the state tables, if you now see 1000s of packets coming in, those packets came in the last few seconds, indicating that you are certainly under attack.%0a\ No newline at end of file%0a---%0a> @]%0a\ No newline at end of file%0a
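Review bot: the paragraph added in this hunk says `$ doas pfctl -f /etc/pf.conf` empties pf's state tables, but `-f` only reloads the ruleset; established states survive a reload, and flushing them is `pfctl -F states`. What a reload does reset is the per-rule counters that `pfctl -sr -v` prints, so the observation still works; suggest wording it as "This reloads the rules and resets the rule counters" and noting that packets on already-established states do not hit those counters, so the numbers show new connections since the reload, legitimate ones included, rather than proof of an attack.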
host:1607860999=198.251.81.119
author:1599996783=gry
csum:1599996783=-
diff:1599996783:1597225169:=3c3%0a%3c [@%0a---%0a> %3ccode>%0a15,16c15,16%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a25c25%0a%3c [@%0a---%0a> %3ccode>%0a27,28c27,28%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a31c31%0a%3c [@%0a---%0a> %3ccode>%0a33,34c33,34%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a37c37%0a%3c [@%0a---%0a> %3ccode>%0a39,40c39,40%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a43c43%0a%3c [@%0a---%0a> %3ccode>%0a55,56c55,56%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a61c61%0a%3c [@%0a---%0a> %3ccode>%0a74c74%0a%3c @]%0a\ No newline at end of file%0a---%0a> %3c/code>%0a\ No newline at end of file%0a
host:1599996783=203.129.25.247
author:1597225169=jrmu
diff:1597225169:1597225169:=1,74d0%0a%3c On a workstation where you are the only user, you can use a very simple /etc/pf.conf:%0a%3c %0a%3c %3ccode>%0a%3c set skip on lo0 # don't filter localhost packets%0a%3c ext_if = "em0" # replace em0 with your external interface%0a%3c %0a%3c set block-policy drop # by default, drop packets. You can also set block-policy reject%0a%3c set loginterface $ext_if # log that interface%0a%3c %0a%3c block all # block all traffic by default%0a%3c pass in inet proto icmp icmp-type 8 code 0 # icmp packets%0a%3c pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0a%3c pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0a%3c pass out all # pass all outgoing traffic%0a%3c %3c/code>%0a%3c %0a%3c This will allow the necessary ICMP traffic (useful for network diagnosis) while blocking all other incoming connections.%0a%3c %0a%3c (As a general rule, the last matching rule determines the action.)%0a%3c %0a%3c I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100%25 accurate.%0a%3c %0a%3c To load the ruleset once you've edited it, run:%0a%3c %0a%3c %3ccode>%0a%3c $ doas pfctl -f /etc/pf.conf%0a%3c %3c/code>%0a%3c %0a%3c To disable the firewall (useful for diagnosing the network), run:%0a%3c %0a%3c %3ccode>%0a%3c $ doas pfctl -d%0a%3c %3c/code>%0a%3c %0a%3c To enable it again:%0a%3c %0a%3c %3ccode>%0a%3c $ doas pfctl -e%0a%3c %3c/code>%0a%3c %0a%3c For a server, you will want to, at a minimum, allow incoming ssh packets:%0a%3c %0a%3c %3ccode>%0a%3c set skip on lo0 # don't filter localhost packets%0a%3c ext_if = "em0" # my external interface is em0%0a%3c %0a%3c set block-policy drop # by default, drop packets. You can also set block-policy reject%0a%3c set loginterface $ext_if # log that interface%0a%3c %0a%3c pass in proto tcp from 192.168.1.1 to port ssh%0a%3c pass in inet proto icmp icmp-type 8 code 0 # icmp packets%0a%3c pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0a%3c pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0a%3c pass out all # pass all outgoing traffic%0a%3c %3c/code>%0a%3c %0a%3c Replace 192.168.1.1 with your IP.%0a%3c %0a%3c As a general rule, your servers should also accept incoming http and https connections. This is necessary for running a web server and also for acquiring a properly signed SSL certificate. Here is the /etc/pf.conf:%0a%3c %0a%3c %3ccode>%0a%3c set skip on lo0 # don't filter localhost packets%0a%3c ext_if = "em0" # my external interface is em0%0a%3c %0a%3c set block-policy drop # by default, drop packets. You can also set block-policy reject%0a%3c set loginterface $ext_if # log that interface%0a%3c %0a%3c pass in proto tcp from 192.168.1.1 to port ssh%0a%3c pass in inet proto icmp icmp-type 8 code 0 # icmp packets%0a%3c pass in inet proto icmp icmp-type 3 code 4 # icmp needfrag (MTU)%0a%3c pass in inet6 proto ipv6-icmp icmp6-type {2 128} keep state%0a%3c pass in proto tcp to port {http https}%0a%3c pass out all # pass all outgoing traffic%0a%3c %3c/code>%0a\ No newline at end of file%0a
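Review bot: neither server ruleset in this hunk contains a `block` rule; pf passes any packet that no rule matches, so `set block-policy drop` on its own blocks nothing and the `pass in proto tcp from 192.168.1.1 to port ssh` line does not restrict ssh to that address. Add `block all # block all traffic by default` ahead of the pass rules, as the workstation ruleset earlier in the same hunk does.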
host:1597225169=38.81.163.143