PF Setting up pf.conf for use with sshguard

Hello,

I'm new to FreeBSD and trying to set up some sort of blocking for brute-force ssh attempts. Looking around it seemed like sshguard was a good solution. I tried to follow along with sshguard-setup(7) for the pf backend:

Code:
       SSHGuard adds attackers to table <sshguard>. Create the table and block
       attackers by adding the following lines to the end of pf.conf:

          table <sshguard> persist
          block in proto tcp from <sshguard>

But when I try to do that and reload the pf.conf I get:

Code:
/etc/pf.conf:7: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

I'm sorry, I'm having trouble understanding two things.

1. How should I order the rules in my pf.conf file? (I've tried looking in the pf.conf(5) man page and reordering things but can't get it working)
2. Is my pf.conf file even good/correct? (I feel like I'm guessing and would just like to have a decent security setup)

Here's my current attempt at the pf.conf:

Code:
block in all

pass quick on { lo0 lo1 }
scrub in all fragment reassemble max-mss 1440

pass in proto { tcp udp } to port ssh
pass in proto tcp to port { https }

pass out proto { tcp udp }

block in proto tcp from <sshguard>
table <sshguard> persist

Thanks so much for any help!
 
Move the scrub and table lines before your rules.

Code:
STATEMENT ORDER
     There are seven types of statements in pf.conf:

     Macros
           User-defined variables may be defined and used later, simplifying
           the configuration file.  Macros must be defined before they are
           referenced in pf.conf.

     Tables
           Tables provide a mechanism for increasing the performance and
           flexibility of rules with large numbers of source or destination
           addresses.

     Options
           Options tune the behaviour of the packet filtering engine.

     Traffic Normalization (e.g. scrub)
           Traffic normalization protects internal machines against
           inconsistencies in Internet protocols and implementations.

     Queueing
           Queueing provides rule-based bandwidth control.

     Translation (Various forms of NAT)
           Translation rules specify how addresses are to be mapped or
           redirected to other addresses.

     Packet Filtering
           Packet filtering provides rule-based blocking or passing of
           packets.

     With the exception of macros and tables, the types of statements should
     be grouped and appear in pf.conf in the order shown above, as this
     matches the operation of the underlying packet filtering engine.  By
     default pfctl(8) enforces this order (see set require-order below).
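For reference, here is a complete pf.conf laid out in the statement order the man page excerpt above describes, with the sshguard table and block rule placed where they belong. This is an added example, not a file from the thread or from the sshguard project; the interface name, the `set` options and the port list are assumptions for illustration.

```pf
# Added example (not from the thread): a minimal pf.conf in the order pf.conf(5)
# requires: macros, tables, options, normalization, (queueing), (translation),
# filtering. Interface name and port choices are assumptions.

# Macros: must be defined before they are referenced
ext_if = "vtnet0"          # assumption: replace with your real external interface

# Tables: sshguard adds offending addresses to <sshguard> at runtime
table <sshguard> persist

# Options
set skip on lo0            # do not filter loopback traffic
set block-policy drop

# Traffic normalization (scrub) comes before any filter rule
scrub in all fragment reassemble max-mss 1440

# Packet filtering. pf evaluates every rule and the LAST match wins unless a
# rule says "quick", so the sshguard block must come after the pass rule for
# ssh (which is why sshguard-setup(7) says to append it at the end of the file).
block in all
pass out proto { tcp udp }
pass in on $ext_if proto tcp to port { ssh https }
block in proto tcp from <sshguard>
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; once sshguard is running you can watch the table fill with `pfctl -t sshguard -T show`. If you would rather not depend on rule position, add `quick` to the sshguard block rule so a listed address is dropped as soon as that rule matches.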
 