Hello all,
I have an anchor for tagging packets based on their source IP origin country. For this I create a bunch of files inside /etc/firewall/tables/dynamic/ which contain the network prefixes for a certain country. For example, here is the output of
Then in my main pf.conf file I have the following:
Here is a sample of /etc/firewall/anchors/geo2ip.rules.pf.conf:
Although everything seems fine at the configuration level, I cannot get it to work.
Any suggestions?
I have an anchor for tagging packets based on their source IP origin country. For this I create a bunch of files inside /etc/firewall/tables/dynamic/ which contain the network prefixes for a certain country. For example, here is the output of
head /etc/firewall/tables/dynamic/geo2ip_country_CN.tb
:
Code:
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.2.0/23
1.1.4.0/22
1.1.8.0/21
1.1.16.0/20
1.1.32.0/19
Then in my main pf.conf file I have the following:
Code:
#>FILTERING:
#>>General policies:
#>>>CARP & PFSYNC
pass quick proto carp all keep state (no-sync) label "Allow CARP"
#>>>Antispoof
antispoof for $if_internet
antispoof for $if_dmz
antispoof for $if_accessNetwork
#>>>Early block invalid packets
block in log quick on $if_internet from <tbl_ipv4ReservedAddresses> to any label "Block incoming outside packets with invalid addresses"
block out log quick on $if_internet from any to <tbl_ipv4ReservedAddresses> label "Block outgoing packets with invalid addresses"
#block in log quick from {no-route urpf-failed} to any label "Early drop non-routable sources"
#>>>Early block the bad guys =)
block in log quick from <tbl_infectedHosts> to any label "Early drop the sick"
block in log quick from <tbl_scannerHosts> to any label "Early drop the smart ones"
block in log quick from <tbl_bruteForceHosts> to any label "Early drop the brutals"
block in log quick from <fail2ban> to any label "fail2ban table"
#>>>Geo2IP
anchor geo2ip
load anchor geo2ip from "/etc/firewall/anchors/geo2ip.rules.pf.conf"
block log quick all tagged TO_CN
#>>>FTP_PROXY
...
Here is a sample of /etc/firewall/anchors/geo2ip.rules.pf.conf:
Code:
table <tbl_Geo2ipCountry_RW> persist file "/etc/firewall/tables/dynamic/geo2ip_country_RW.tb" # Rwanda
table <tbl_Geo2ipCountry_SO> persist file "/etc/firewall/tables/dynamic/geo2ip_country_SO.tb" # Somalia
table <tbl_Geo2ipCountry_YE> persist file "/etc/firewall/tables/dynamic/geo2ip_country_YE.tb" # Yemen
table <tbl_Geo2ipCountry_IQ> persist file "/etc/firewall/tables/dynamic/geo2ip_country_IQ.tb" # Iraq
...
pass from <tbl_Geo2ipCountry_RW> to any tag FROM_RW label "tag packets from Rwanda"
pass from <tbl_Geo2ipCountry_SO> to any tag FROM_SO label "tag packets from Somalia"
pass from <tbl_Geo2ipCountry_YE> to any tag FROM_YE label "tag packets from Yemen"
pass from <tbl_Geo2ipCountry_IQ> to any tag FROM_IQ label "tag packets from Iraq"
...
pass from any to <tbl_Geo2ipCountry_RW> tag TO_RW label "tag packets from Rwanda"
pass from any to <tbl_Geo2ipCountry_SO> tag TO_SO label "tag packets from Somalia"
pass from any to <tbl_Geo2ipCountry_YE> tag TO_YE label "tag packets from Yemen"
pass from any to <tbl_Geo2ipCountry_IQ> tag TO_IQ label "tag packets from Iraq"
...
Although everything seems fine at the configuration level, I cannot get it to work.
Any suggestions?