Restricting port 3306 with the PF firewall

Jan Jurák yan.jurak at gmail.com
Fri Jul 2 19:32:20 CEST 2021


Hi,

Nice pf you have there, I'm going to try it for SSH right away. I have also used resolving about twice, when the hosts change or are different elsewhere; here is the pf config and how it comes out with pfctl:

root at sol06fm1d01(pts/14) /root # grep -Evx '[[:blank:]]*([#;].*)?' /etc/firewall/pf-test.conf
ext_if = "pub0"
nfs_ports = "{ 111 2049 }"
table <dns:nfs_hosts> { km03v16pl01.zit.commerzbank.com }
no_state = "flags any no state"
block drop in log on $ext_if proto { tcp udp } from <dns:nfs_hosts> port $nfs_ports to ($ext_if) $no_state
block drop out log on $ext_if proto { tcp udp } from ($ext_if) to <dns:nfs_hosts> port $nfs_ports $no_state
root at sol06fm1d01(pts/14) /root # pfctl -vvvnf /root/pf.conf
Loaded 710 passive OS fingerprints
set reassemble yes no-df
set skip on { lo0 }
ext_if = "pub0"
nfs_ports = "{ 111 2049 }"
table <dns:nfs_hosts> { 140.27.24.92 }
no_state = "flags any no state"
@0 block drop in proto tcp from any to any port = 12302
@1 pass in inet proto tcp from 140.39.9.71 to any port = 12302 flags S/SA
@2 pass in inet proto tcp from 140.39.9.72 to any port = 12302 flags S/SA
@3 block drop in log (to pflog0) on pub0 proto tcp from <dns:nfs_hosts:0> port = 111 to (pub0:*)
@4 block drop in log (to pflog0) on pub0 proto tcp from <dns:nfs_hosts:0> port = 2049 to (pub0:*)
@5 block drop in log (to pflog0) on pub0 proto udp from <dns:nfs_hosts:0> port = 111 to (pub0:*)
@6 block drop in log (to pflog0) on pub0 proto udp from <dns:nfs_hosts:0> port = 2049 to (pub0:*)
@7 block drop out log (to pflog0) on pub0 proto tcp from (pub0:*) to <dns:nfs_hosts:0> port = 111
@8 block drop out log (to pflog0) on pub0 proto tcp from (pub0:*) to <dns:nfs_hosts:0> port = 2049
@9 block drop out log (to pflog0) on pub0 proto udp from (pub0:*) to <dns:nfs_hosts:0> port = 111
@10 block drop out log (to pflog0) on pub0 proto udp from (pub0:*) to <dns:nfs_hosts:0> port = 2049


Feel free to skip over me if this is common knowledge.

Have a nice weekend
Many Regards
Jan Jurák


On Sun, Jun 6, 2021 at 1:31 PM Frantisek Hennel
<frantisek.hennel at gmail.com> wrote:
>
> Many thanks, you helped me a lot. I have been using PF for this kind of simple
> blocking for several years, but unfortunately I don't know the syntax. Sadly, I
> really did not find such basic examples in the manual. And yet this can be used
> elegantly for SSH as well, so I would have expected to find plenty of such
> examples on the internet.
>
> Frantisek
>
> On Sun, 6 Jun 2021 at 12:18 Marián Černý <majo-users-l at cerny.sk> wrote:
>
> > Frantisek Hennel wrote:
> > >
> > > Thanks for the help, but it doesn't work for me.
> > >
> > > pass in quick on $ext_if from 10.1.1.0/24 to ($ext_if) port 3306
> > > /etc/pf.conf:4: port only applies to tcp/udp
> >
> > Sorry, "proto tcp" is missing there.
> >
> > pass in quick on $ext_if proto tcp from 10.1.1.0/24 to ($ext_if) port 3306
> > block drop in log (all) quick on $ext_if proto tcp from any to ($ext_if)
> > port 3306
> >
> > Or in a single rule, as schrodinger wrote:
> >
> > block drop in log (all) quick on $ext_if proto tcp from ! 10.1.1.0/24 to
> > ($ext_if) port 3306
> >
> > (or, simplified:)
> >
> > block in log quick on $ext_if proto tcp from ! 10.1.1.0/24 to any port
> > 3306
> >
> > Marián
> > --
> > FreeBSD mailing list (users-l at freebsd.cz)
> > http://www.freebsd.cz/listserv/listinfo/users-l
> >
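The rules Marián posted rely on two pf behaviours worth seeing side by side: "port" is only accepted with a tcp/udp proto (Frantisek's error), and without "quick" the last matching rule wins, so the trailing block rule would override the pass for 10.1.1.0/24. The toy evaluator below is an added example, not code from any of the posts; it models only the rule fields the thread uses, and the sample source addresses are constructed.

```python
"""Toy model of the pf rules in this thread: last-match-wins, 'quick' short-circuits.
Added example, not from the list posts; only direction-less tcp/udp rules are modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp" or "udp"; pf rejects "port" without one
    src: str           # CIDR source; leading "!" negates, "any" matches all
    dport: int
    quick: bool = False

    def __post_init__(self):
        if self.proto not in ("tcp", "udp"):
            # mirrors pfctl's "port only applies to tcp/udp" from the thread
            raise ValueError("port only applies to tcp/udp")

    def matches(self, proto, src_ip, dport):
        if proto != self.proto or dport != self.dport:
            return False
        if self.src == "any":
            return True
        negate = self.src.startswith("!")
        net = ipaddress.ip_network(self.src.lstrip("! "))
        return (ipaddress.ip_address(src_ip) in net) != negate


def evaluate(rules, proto, src_ip, dport, default="pass"):
    """pf semantics: the last matching rule wins unless a matching rule has 'quick'."""
    decision = default
    for r in rules:
        if r.matches(proto, src_ip, dport):
            decision = r.action
            if r.quick:
                break
    return decision


# Marián's two-rule version: pass the trusted subnet, block everyone else on 3306.
TWO_RULE_QUICK = [Rule("pass", "tcp", "10.1.1.0/24", 3306, quick=True),
                  Rule("block", "tcp", "any", 3306, quick=True)]
# The single negated rule ("from ! 10.1.1.0/24").
ONE_RULE = [Rule("block", "tcp", "! 10.1.1.0/24", 3306, quick=True)]
# Same two rules without 'quick': the later block rule now overrides the pass.
TWO_RULE_NO_QUICK = [Rule(r.action, r.proto, r.src, r.dport) for r in TWO_RULE_QUICK]


def check(rules, src_ip):
    """Decision for a TCP packet from src_ip to port 3306 (constructed sample traffic)."""
    return evaluate(rules, "tcp", src_ip, 3306)
```

Running check() over the three rule sets for 10.1.1.5 and 192.0.2.9 shows the first two sets passing the subnet and blocking the rest, while the no-quick set blocks both.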


