I wondered if someone could help with a little pf file (openbsd 4.4).
I have an IP-less bridge on the WAN side of my pfsense box at home and have the following rules set for letting everything through. This way I can sniff with tcpdump to see passing traffic.
# Bridge, so only filter on one interface: let everything pass on $ext_if
pass in quick on $ext_if all
pass out quick on $ext_if all
# Everything on the other bridge member passes too
pass in all
pass out all
The pfsense box is running a pptp server and I thought this pf bridge may be able to restrict pptp traffic to only allow certain external ip addresses into the network.
I wondered if someone could advise as to the syntax required for doing so.
The pfsense box does have the ability to disable automatically created VPN rules, but I would like to learn from a file / command line basis, as the OpenBSD box will probably end up replacing my pfsense box in the end. It's a long way off but pf is great.
So, to sum up from the pf example above: I would like to allow all apart from VPN coming in from specific IP addresses.
Any help would be appreciated.
Failing that, is there a way to stop someone trying to brute force the PPTP login, whilst still allowing all other traffic to flow through?
Last edited by pico; 12th November 2010 at 10:17 AM.
OpenBSD 4.4 has not been supported for more than a year. The current release is 4.8.
Because there have been many changes to PF between 4.4 and 4.8, the PF User's Guide available online from the OpenBSD Project website does not have the same exact rule syntax that you may need.
1) Upgrade to or reinstall a supported version of the OS.
2) Extract the HTML files that match a 4.4-release version of the PF User's Guide from the CVS repository.
In both cases, you will need to read the applicable PF User's Guide. You will find a link to the most recent version of the Guide here.
The rule to prevent certain IP addresses from establishing a connection is the block filter rule. Lists of IP addresses might be most easily managed in a table. Filter rules are described in their own chapter, as are tables.
As for brute force attacks, yes, you can stop them with stateful tracking options, described in the filter rules chapter. Look for overload and flush, and the examples there.
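A pf.conf fragment putting the two pieces of advice above together for the asker's bridge, as an added example (not from the reply or from the OpenBSD PF User's Guide), written against the OpenBSD 4.8 pf.conf(5) syntax; the interface name, the PPTP server address and the table entries are assumed placeholders.

```pf
# Assumed names: em0 is the WAN-facing bridge member, 192.0.2.10 is the
# pfsense box behind the bridge (documentation address, constructed).
ext_if = "em0"
pptp_srv = "192.0.2.10"

# Sources allowed to reach the PPTP server (constructed sample entries).
# Maintain from the shell with: pfctl -t pptp_ok -T add 198.51.100.9
table <pptp_ok> persist { 198.51.100.7, 203.0.113.0/28 }

# Filled automatically by the overload option below; empty it by hand with
#   pfctl -t pptp_bruteforce -T flush
table <pptp_bruteforce> persist

# Anyone that tripped the rate limit loses PPTP access only; the rest of
# their traffic is still handled by the catch-all rules further down.
block in quick on $ext_if inet proto tcp from <pptp_bruteforce> \
    to $pptp_srv port 1723

# PPTP control channel (TCP 1723): listed sources only. More than 5 new
# connections per 60 s from one source moves that source into
# <pptp_bruteforce> and flushes its existing states.
pass in quick on $ext_if inet proto tcp from <pptp_ok> \
    to $pptp_srv port 1723 flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <pptp_bruteforce> flush global)

# GRE carries the tunnel payload once the control channel is up.
pass in quick on $ext_if inet proto gre from <pptp_ok> to $pptp_srv keep state

# PPTP from every other source is dropped before the catch-all rules.
block in quick on $ext_if inet proto tcp to $pptp_srv port 1723
block in quick on $ext_if inet proto gre to $pptp_srv

# Everything else flows through the bridge as in the original rule set.
pass in quick on $ext_if all
pass out quick on $ext_if all
pass in all
pass out all
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -t pptp_bruteforce -T show` to see which sources the rate limit has caught.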
Yes indeed. Although time is a valued commodity these days. I was just looking for a quick fix.
The book is great but having many other things to do as well I have not had quality time for it. No excuse and I was asking too much.
This particular box does need to be upgraded; I will have to do so and go by trial and error.