Problem with packet filter

Hello everyone, for some time now my packet filter rule that filters access to the site has been banning people fairly quickly, after 20/25 refreshes in 20 minutes, and especially Freebox users.

Here are my rules:

#Macros
host_ip      = "{ xxx.xxx.xxx.xxx }"    # public IP of your server
ext_if       = "ix0"                    # name of the external interface, as shown by ifconfig
rtm_ip       = "{ 91.121.77.251 }"      # example IP for those with an OVH server
udp_services = "{ domain, 123, 53, 80, 222, 443, 25 }"
db           = "15005"
db1          = "15001"
icmp_types   = "echoreq"                # defined but not used by the ICMP rule below
game_ports   = "{ 10000, 13002, 13005, 13006, 13007, 13008, 13102, 13108, 13202, 13208, 13302, 13308, 13402, 13408, 13502, 13508, 23099, 24099, 9999, 50000, 999, 16002, 16008, 33099 }"

#Options
set limit table-entries 500000
set limit states 20000
set block-policy drop                   # blocked packets are dropped silently; no TCP RST or ICMP unreachable is returned
set skip on lo

#Tables
table <spamd-white>   persist
table <abusive_ip>    persist file "/etc/spammer.txt"           # normal banned IPs
table <abusive_site>  persist                                   # IPs banned by the web rule (referenced below, so it is declared here)
table <table_white>   persist file "/etc/spammer_white.txt"     # unbannable IPs
table <fail2ban>      persist file "/etc/spammer_fail2ban.txt"  # IPs banned by fail2ban
table <trusted_hosts> const { 8.8.8.8, 8.8.8.4 }

#Normalisation of incoming packets
scrub in all fragment reassemble

#Antispoof
antispoof for $ext_if

#Filtering
block in all                                    # block all inbound traffic by default
pass in quick from <table_white>                # unbannable IPs: must precede the block rules, otherwise a whitelisted IP that lands in <abusive_ip> is still blocked
block in quick from <abusive_ip>
block in quick from <fail2ban>
block in quick from <abusive_site>
pass out all keep state
pass out on $ext_if all modulate state
pass in quick from <trusted_hosts>
pass out quick on $ext_if inet from ($ext_if) to any
pass in on $ext_if proto tcp to ($ext_if) port 22
pass in log on $ext_if proto tcp to ($ext_if) port 3306
pass out on $ext_if proto tcp from ($ext_if) port 22
pass out on $ext_if proto tcp from ($ext_if) port 3306
pass proto udp to any port $udp_services

#SSH server access
#IPv4: 10 new connections per 40 seconds per source IP, then ban; "flush global" kills every state of that source, not only the SSH ones
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state (max-src-conn-rate 10/40, overload <abusive_ip> flush global)

#Game server access
#normal ratio: 300 simultaneous connections or 55 new connections per 5 seconds per IP, then ban
#(the port list expands to one rule per port, so the counters are kept per port and per source, exactly as with one rule per port)
#Exception for port 21002 (no rule for it is listed here): 50 connections or 20 per 5 seconds per IP, then ban
block log quick from <abusive_ip> to any
block log quick from any to <abusive_ip>
pass in on $ext_if proto tcp to $host_ip port $game_ports flags S/SA keep state (max-src-conn 300, max-src-conn-rate 55/5, overload <abusive_ip> flush)
block out log quick on $ext_if inet proto tcp from any port $db      # no new outbound TCP from the $db port (packets matching an existing state are not evaluated against rules)

#Web server access
#normal ratio
#synproxy: pf completes the TCP handshake itself and only then opens the connection to the web server, so half-open SYNs never reach it
#300 simultaneous connections or 55 new connections per 5 seconds per IP, then ban into <abusive_site>
pass in on $ext_if proto tcp to $host_ip port 80 flags S/SA synproxy state (max-src-conn 300, max-src-conn-rate 55/5, overload <abusive_site> flush)

#MySQL server access
#reduced access: 300 simultaneous connections or 50 new connections per 5 seconds per IP, then ban
pass in on $ext_if proto tcp to $host_ip port 3306 flags S/SA keep state (max-src-conn 300, max-src-conn-rate 50/5, overload <abusive_ip> flush)

#DNS port (TCP; UDP 53 is covered by $udp_services above)
pass in on $ext_if proto tcp to $host_ip port 53 flags S/SA keep state (max-src-conn 300, max-src-conn-rate 50/5, overload <abusive_ip> flush)

# Allow all ICMP: I want to ping my server, and in any case
# it is required for IPv6.
pass proto { icmp icmp6 }

# OVH's RTM software
pass out proto udp from $host_ip to $rtm_ip port 6100:6200

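The following is an added example from the editor, not the original poster's ruleset: a variant of the web-server rule showing the knobs that matter when legitimate visitors get banned. It relies on three facts about pf: source tracking for max-src-conn and max-src-conn-rate is keyed on the source IP, so every household behind one shared IPv4 address (carrier-grade NAT, or the shared-address offers some ISPs such as Free use) counts against a single budget; a browser opens several parallel TCP connections per page load, so one refresh is never one connection; and addresses added by "overload" never expire on their own, they have to be aged out with pfctl. The interface name, the documentation address 203.0.113.10, the port list and the thresholds are assumptions chosen for the example.

```pf
# Added example, not from the original post. Assumed: external interface ix0,
# public address 203.0.113.10 (documentation range), thresholds chosen for illustration.
ext_if  = "ix0"
host_ip = "{ 203.0.113.10 }"

table <table_white>  persist file "/etc/spammer_white.txt"   # never banned
table <abusive_site> persist                                 # web bans only, separate from <abusive_ip>

# Whitelist first and "quick", so an address in <table_white> is passed before
# the ban table is ever consulted.
pass in quick on $ext_if from <table_white>
block in quick on $ext_if from <abusive_site>

# synproxy: pf answers the client's handshake itself and only opens the backend
# connection once it completes, so spoofed SYNs never reach the web server.
# The counters are per source IP:
#   max-src-conn      = established connections from one source at the same time
#   max-src-conn-rate = new connections from one source within the interval
#   flush             = on overload, kill that source's states created by this rule
# Size the budget for a shared address: e.g. 4 subscribers x 6 parallel browser
# connections x 10 refreshes inside the window is already 240 new connections,
# far above a 55/5 setting, so use a longer window and a larger count.
pass in on $ext_if proto tcp to $host_ip port { 80, 443 } flags S/SA synproxy state \
    (max-src-conn 500, max-src-conn-rate 300/10, overload <abusive_site> flush)

# Entries put into <abusive_site> by overload stay until removed. Age them out
# from cron (e.g. every 5 minutes), here after 30 minutes of inactivity:
#   pfctl -t abusive_site -T expire 1800
# Inspect the table, release one address by hand and drop its remaining states:
#   pfctl -t abusive_site -T show
#   pfctl -t abusive_site -T delete 198.51.100.7
#   pfctl -k 198.51.100.7
# Check the syntax before loading:
#   pfctl -nf /etc/pf.conf
```

Keeping the web bans in their own table means their expiry can be short (minutes) while hand-maintained entries in <abusive_ip> stay as long as you want, and the whitelist-before-block order makes the "unbannable" table actually unbannable.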