Quote:
Originally Posted by denta
Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IPs, without the added effort and security risks of running snort on your external interface(s).
Any concrete examples?
How to fill out the table with list of blocked ips?
My current pf block syntax is:
block drop log
By the way, this is my pf block log.
Quote:
Sep 14 20:52:56.301290 rule 4/(match) block in on pppoe0: 108.168.174.5.443 > 60.53.42.92.36431: FP 0:31(31) ack 1 win 514 <nop,nop,timestamp 2051785347 10995349> (DF)
Sep 14 20:53:33.017906 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 2616242450:2616242450(0) ack 4124174253 win 494 (DF)
Sep 14 20:53:33.305442 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)
Sep 14 20:53:33.615651 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)
Sep 14 20:53:34.234846 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)
Quote:
The Email chain referenced included an example to test functionality, using ICMP traffic initiated from a test system.
The email chain from Lawrence shows pf inbound packets using the pass in syntax, but I don't have any pass in traffic to serve in my environment. I just want to check every outbound packet and the equivalent inbound packet for virus scanning, etc.
EDIT:
Layer 7 protocol inspection
policy filtering (or packet marking), TCP flag state filtering,
Thanks.
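As an added example (not from any post in this thread, and not the poster's own configuration), here is a pf.conf fragment showing both ways a block table is filled: by hand with pfctl or a file, and automatically with the overload option. The table names <blocked> and <bruteforce>, the file path /etc/pf.blocked, the thresholds and the ssh port are assumptions chosen for illustration; pppoe0 is the interface from the log above. The addresses in the file are constructed documentation addresses.

```pf
# /etc/pf.conf fragment (added example, assumed names and thresholds)
ext_if = "pppoe0"

# <blocked> is maintained by hand: "persist" keeps it even when no rule
# references it, "file" loads one address or network per line at pfctl -f time.
table <blocked> persist file "/etc/pf.blocked"
# <bruteforce> is filled automatically by the overload option below.
table <bruteforce> persist

# Drop and log anything from either table before any other rule is consulted.
block drop log quick on $ext_if from { <blocked>, <bruteforce> }

# Default policy: block and log everything else; allow outbound with state so
# the reply packets of our own connections are matched by the state table.
block drop log
pass out on $ext_if keep state

# overload only works on stateful "pass" rules, so it needs inbound service
# traffic to observe. A source that holds more than 15 connections, or opens
# more than 5 in 30 seconds, is added to <bruteforce> and its states are killed.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Contents of /etc/pf.blocked (constructed sample, one entry per line):
#   192.0.2.7
#   198.51.100.0/24
#
# Maintaining the tables at runtime without reloading the ruleset:
#   pfctl -t blocked -T add 203.0.113.9       # add a single host
#   pfctl -t blocked -T delete 203.0.113.9    # remove it again
#   pfctl -t blocked -T show                  # list current entries
#   pfctl -t bruteforce -T expire 86400       # drop auto-added entries older than a day
```

With no inbound services, only the manual <blocked> table applies; the overload clause never fires because there is no stateful pass in rule for it to count connections on. The quick rule in front of the default block is what makes a table hit show up distinctly in the pflog output.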