I'm working on setting up my first wireguard server on FreeBSD 13.3.
The issue: once I start the wireguard service I can't reach the server anymore; the server can still access the internet, but nothing can connect to it. The server is in the cloud.
On the same server I'm running an openvpn...
Hello,
I'm new to FreeBSD and trying to set up some sort of blocking for brute-force ssh attempts. Looking around, it seemed like sshguard was a good solution. I tried to follow along with sshguard-setup(7) for the pf backend:
SSHGuard adds attackers to table <sshguard>. Create the...
Hello. I need to open a port on my FreeBSD desktop. There is a VPN server on Linux; everything is configured there. When I connect to the VPN with the firewall turned off on the local host, the port is open; when I comment out the line block all in the enabled PF, the port also opens. But what...
Hi, I couldn't seem to find an answer with several searches so here goes...
I am running FreeBSD 12.3-RELEASE-p5 GENERIC. I have PF configured and working well for my needs. It blocks all SSH logins except for specific IP addresses. So, I can only log in to my server from 2 offices, my home, and...
I have a simple /etc/pf.conf:
. . .
### Options
### by default drop blocked packets and do not return a return packet
set block-policy drop
### Set none for no debug messages. alternatively set to urgent
set debug urgent
### reorder and combine rules as logic permits (none - basic - profile)...
Hi all,
does anyone know if it is possible to change the destination address for locally generated outgoing traffic? I am trying to get traffic with destination address 1.2.3.4 rewritten to 10.10.10.10. I tried to implement such rules in pf and ipfw without success.
In general I...
Hi everyone,
I am trying to configure a pf nat rule which is only applied to a specific user. Is that possible? I always get a syntax error with the following rule:
nat log on if1 from self to 1.2.3.4/32 user myuser -> 2.3.4.5
In the log message I can see that the uid is logged correctly...
Hi there all,
first post here, so just say if I've made a mistake, besides, well... my pf rules. ?
I created this rule configuration while I was experimenting with OpenBSD. I'm not a programmer, just a consumer, so I don't even know what these are meant for other than from what I read for about...
Hello, I am new to PF and completely overwhelmed with it.
I'm setting it up on a production workstation/server and want only SSH and HTTP to be available from the outside. However, I want this machine to be able to access everything. Also I want X.org to run; I heard that I need some...
Hello,
I am using a virtual machine which uses the NAT network of VMware. I set the simplest rule to block all inbound requests with:
block in all
but it has no effect... I cannot ping Google from the VM, but I can from a terminal on my host machine. How is that possible?
For more information, this is...
I am considering a pf rule like this:
pass in on $ext_if inet proto tcp
from <ssh_clients>
to ($ext_if) port $myssh keep state
(max-src-conn 9, max-src-conn-rate 2/5,
overload <blocked_guests> flush global)
But I am not sure if allowing ssh connections only from a whitelist (ssh_clients) will...
Hello Everyone!
I am a regular Linux user of about 10 years. I am now looking to learn FreeBSD: isc-dhcp, gateways, ipsec and pf, etc. I am using VMware to create my network and finding that I read a doc on dhcp.conf and realize 1h later it's for a version 2 years old and OpenBSD.
I would like...
I'm trying to understand how to read the logs properly.
00:00:00.019892 rule 0..16777216/0(match): block in on em0: 180.188.246.156.29044 > 11.22.33.44.23: Flags S, seq 1208588937, win 23644, length 0
00:00:01.172317 rule 0..16777216/0(match): block in on em0: 151.226.32.226.24131 >...
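The two threads above (the max-src-conn-rate/overload rule a few posts up, and the pflog lines in this one) are only teasers, so here is an added example that is not from either poster: a Python script that parses pflog lines in the format tcpdump -n -e -ttt -r /var/log/pflog prints, then replays pf's max-src-conn-rate logic over the SYNs that reached the SSH port and lists the sources pf would have moved into the overload table. Everything in it is an assumption for illustration: the addresses and log lines are constructed (RFC 5737 ranges), the leading timestamp is treated as the inter-line delta that -ttt prints, the rule numbers are made up, and the rate model is an approximation of pf's behaviour rather than pf's own code. It only counts states created by the pass rule (blocked SYNs create no state in pf), and it does not model max-src-conn, because SYNs alone never tell you when a state was torn down.

```python
# Added example (not from the forum posts above): parse pflog lines as printed by
# "tcpdump -n -e -ttt -r /var/log/pflog" and replay pf's max-src-conn-rate logic
# over the SYNs that hit the SSH port, listing the sources pf would have moved
# into the overload table. All addresses, rule numbers and log lines below are
# constructed for the example.
import re
from collections import defaultdict, deque

# One pflog line:
# "<ttt delta> rule <n>/<sub>(<reason>): <action> <dir> on <if>: src.sport > dst.dport: Flags <f>, ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule (?P<rule>[\w.]+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"Flags (?P<flags>\S+?),"
)


def parse_pflog(text):
    """Return one dict per parseable line, with an absolute offset 't' in seconds.
    Assumes the leading timestamp is the inter-line delta tcpdump -ttt prints,
    so deltas are accumulated; lines that do not match are skipped."""
    records, t = [], 0.0
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        h, mnt, sec = m.group("ts").split(":")
        t += int(h) * 3600 + int(mnt) * 60 + float(sec)
        rec = m.groupdict()
        rec["sport"], rec["dport"], rec["t"] = int(rec["sport"]), int(rec["dport"]), t
        records.append(rec)
    return records


def overload_sources(records, dport, max_conn, window):
    """Replay 'max-src-conn-rate max_conn/window' for inbound connections to dport.
    Only states created by the pass rule count (blocked SYNs create no state), and
    a source is overloaded the moment it exceeds max_conn new connections inside a
    sliding window of 'window' seconds. max-src-conn (concurrent states) is not
    modelled: SYNs alone cannot tell when a state is torn down.
    Returns {src: time_overloaded}."""
    recent = defaultdict(deque)
    overloaded = {}
    for r in records:
        if r["action"] != "pass" or r["dir"] != "in" or r["dport"] != dport:
            continue
        if r["flags"] != "S":          # pure SYN = new connection; "S." is a SYN-ACK
            continue
        src, t = r["src"], r["t"]
        if src in overloaded:          # already in the table; pf would drop the SYN
            continue
        q = recent[src]
        while q and t - q[0] > window:  # forget connections older than the window
            q.popleft()
        q.append(t)
        if len(q) > max_conn:
            overloaded[src] = t
    return overloaded


def blocked_by_port(records):
    """Count SYNs the block rule logged, per destination port (what the raw log shows)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "block" and r["flags"] == "S":
            counts[r["dport"]] += 1
    return dict(counts)


def pfctl_commands(overloaded, table="blocked_guests"):
    """pfctl(8) lines that would add the same sources to the table by hand."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(overloaded)]


# Constructed sample: a telnet probe the block rule logged, one legitimate SSH
# client, a brute-forcer opening three SSH connections inside 5 s, the server's
# SYN-ACK going out, and the legitimate client coming back 7 s later.
SAMPLE_PFLOG = """\
00:00:00.019892 rule 0..16777216/0(match): block in on em0: 203.0.113.9.29044 > 192.0.2.10.23: Flags S, seq 1208588937, win 23644, length 0
00:00:01.172317 rule 3/0(match): pass in on em0: 198.51.100.4.51000 > 192.0.2.10.22: Flags S, seq 1, win 65535, length 0
00:00:00.500000 rule 3/0(match): pass in on em0: 203.0.113.7.40001 > 192.0.2.10.22: Flags S, seq 2, win 1024, length 0
00:00:00.400000 rule 3/0(match): pass in on em0: 203.0.113.7.40002 > 192.0.2.10.22: Flags S, seq 3, win 1024, length 0
00:00:00.300000 rule 3/0(match): pass in on em0: 203.0.113.7.40003 > 192.0.2.10.22: Flags S, seq 4, win 1024, length 0
00:00:00.100000 rule 3/0(match): pass out on em0: 192.0.2.10.22 > 203.0.113.7.40003: Flags S., seq 5, ack 5, win 65535, length 0
00:00:07.000000 rule 3/0(match): pass in on em0: 198.51.100.4.51001 > 192.0.2.10.22: Flags S, seq 6, win 65535, length 0
"""

if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print(f"parsed {len(recs)} lines; blocked SYNs per port: {blocked_by_port(recs)}")
    hits = overload_sources(recs, dport=22, max_conn=2, window=5)
    for src, t in hits.items():
        print(f"{src} exceeded 2 new SSH connections in 5 s at t+{t:.3f}s")
    print("\n".join(pfctl_commands(hits)))
```

Run it as-is and the brute-forcer is the only source that trips 2/5, while the legitimate client's second connection 7 s later is outside the window and stays clean. The rule number 0..16777216 in the first sample line is what the original poster saw; it is the form pf prints for the default block when no user rule matched, and the parser keeps it as an opaque string rather than trying to turn it into a number.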
Hello there,
I have a jail inside a VM. I installed Gitea inside the jail and configured PF (nat) to forward traffic coming in on port 2000 to the jail's port 3000 (the Gitea web application) and left port 10000 for ssh (for git) inside the jail.
All was okay so far, till recently I checked my...
Outgoing traffic from a jail via PF NAT over a LAGG/LACP sometimes has the backup CARP IP address assigned to it. As this IP is only active on the "other" server, the return TCP connection traffic never actually gets back to our CARP master, and the other server sees spurious TCP...
Hi,
I need to redirect all traffic from a private IP address assigned to a local interface to a public IP address.
The old configuration with iptables is something like this:
iptables:-A PREROUTING -d $private_ip/32 -i $int_if -j DNAT --to-destination $public_ip
iptables:-A PREROUTING ! -d...
Hello,
I cannot seem to find information on how to perform NAT for multiple internal (LAN) interfaces with pf.
I have a very simple set of rules for performing basic NAT:
# Definitions
ext_if = "wlan0" # macro for external interface - use tun0 for PPPoE
int_if = "ue0" #...
Hello,
I did an upgrade of my pf.conf and would like it if you could take a look at it and point out weak points, please.
### Interfaces ###
Ext_If = "em0"
Int_If = "em1"
### Hosts ###
HOST = "192.168.0.200"
AFP_Jail = "192.168.0.210"
WEB_Jail = "192.168.0.254"
DNS1_Jail =...
Hi,
I have a problem with my PF; after all the verification done with pfctl -vnf /etc/pf.conf, it seems the problem is NOT with the rulesets but with the number of tables and their size. Can this situation be adjusted? I can't control the size of the tables for zones because they are country-based IP net blocks.
So first I...
I can't seem to connect to the OpenVPN server I'm running on 10.2 through PF; I keep getting a tls-auth timeout.
Here's my pf.config:
tcp_services = "{ssh, http, https}"
# vpn address block
vpnclients = "10.8.0.0/24"
# wan interface
wanint = "vtnet0"
#tunnel interface
vpnint = "tun0"
# openvpn...