pf

Debugging aids for pf firewall rules [on FreeBSD]

It is not often that I need to debug pf firewall rules. Yet, when I do, I cannot remember the commands for what I want to do.

What is being blocked

First, I want to see the firewall rule numbers in the tcpdump output. I am logging all blocked packets, via pflog0. I can use that to see what is being blocked and by what rule. These are found in my /etc/pf.conf: There […]


fail2ban – adding to my website to deter abuse

The type of abuse recently seen on FreshPorts isn’t a big deal. I would ignore it if it was on my own server. However, I’m using a “paid” service and the credits go faster when pillocks do pillocky stuff. While I hope I’ve covered what I’ve done, I’ve been sick with a cold for a week, and helping to look after two < 4 year-olds for two weekends in a row. Perhaps I've


Trouble with vnet and pf

In the past, I have tried vnet jails with pf, and hit trouble. I was never able to get pf to allow the vnet traffic when having a default ‘block log all’ rule. More recently, I encountered the same problem when using bhyve. This time, I moved bhyve to another host, which is not using pf, and I am writing this post to document the issue. This post is based on two gists


Reviewing /var/log/pflog contents

I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog.conf. Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync. I suspect firewall rules.

Reviewing pflog

It is because I use:

block log all in /etc/pf.conf
pflog_enable=”YES” in /etc/rc.conf

that I

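Both the "Debugging aids" and the "Reviewing /var/log/pflog contents" excerpts above come down to the same task: take what tcpdump shows for pflog and work out which rule in the loaded ruleset dropped each packet. The script below is an added example, not code from the original posts or from FreeBSD. It runs offline on constructed sample text: the first sample imitates what `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog`) prints, where each line carries `rule N/0(match): block in on IF: src > dst`, and the second imitates the `@N rule ...` lines of `pfctl -vvsr`, whose `@N` numbers are the same N that tcpdump reports. The addresses, interface names, rule numbers and counters in the samples are invented.

```bash
#!/bin/sh
# Added example: correlate pflog output with the loaded pf ruleset.
# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output for a `block log all` ruleset.
# Field layout per line: $1 timestamp, $2 "rule", $3 "N/0(match):", then the action and packet.
PFLOG_SAMPLE='00:00:00.000000 rule 4/0(match): block in on em0: 203.0.113.7.41212 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
00:00:00.000512 rule 4/0(match): block in on em0: 203.0.113.7.41213 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
00:00:01.100000 rule 9/0(match): block out on em0: 192.0.2.10.53 > 198.51.100.2.53: 12345+ SOA? example.org. (29)
00:00:02.000000 rule 9/0(match): block out on em0: 192.0.2.10.45000 > 198.51.100.3.80: Flags [S], seq 2, win 65535, length 0'

# Constructed sample of `pfctl -vvsr` output. Each rule line starts with @N (the rule number
# tcpdump reports); the indented bracketed line under it holds that rule's counters.
PFCTL_RULES_SAMPLE='@0 scrub in all fragment reassemble
  [ Evaluations: 120       Packets: 400       Bytes: 32000       States: 0     ]
@4 block drop in log all
  [ Evaluations: 120       Packets: 2         Bytes: 120         States: 0     ]
@9 block drop out log all
  [ Evaluations: 50        Packets: 2         Bytes: 160         States: 0     ]
@10 pass in quick on em0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]'

# Number of logged packets that matched rule $1 (0 when the rule never appears in the log).
blocks_for_rule() {
    printf '%s\n' "$PFLOG_SAMPLE" |
        awk -v r="$1" '$3 ~ "^" r "/" { n++ } END { print n + 0 }'
}

# Text of rule $1 from the pfctl listing, with the leading @N stripped.
rule_text() {
    printf '%s\n' "$PFCTL_RULES_SAMPLE" |
        awk -v r="$1" '$1 == "@" r { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Source addresses (with port) that rule $1 blocked, one per line, deduplicated.
sources_for_rule() {
    printf '%s\n' "$PFLOG_SAMPLE" |
        awk -v r="$1" '$3 ~ "^" r "/" { print $8 }' | sort -u
}

# One line per rule seen in the log: rule number, hit count, and the rule text it maps to.
summarize() {
    printf '%s\n' "$PFLOG_SAMPLE" |
        awk '{ split($3, a, "/"); print a[1] }' | sort -n | uniq -c |
        while read -r count rule; do
            printf 'rule %s: %s packet(s)  %s\n' "$rule" "$count" "$(rule_text "$rule")"
        done
}

summarize
```

On a real host, replace the two samples with `tcpdump -n -e -ttt -r /var/log/pflog` and `pfctl -vvsr`. One caveat worth remembering: rule numbers are positions in the currently loaded ruleset, so after a `pfctl -f /etc/pf.conf` that adds or removes a rule, older pflog entries no longer line up with `pfctl -vvsr`; correlate against the ruleset that was loaded when the packets were logged.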

Adding IPv6 to an Nginx website on FreeBSD / FreshPorts

FreshPorts recently moved to an IPv6-capable server but until today, that capability has not been utilized. There were a number of things I had to configure, but this will not necessarily be an exhaustive list for you to follow. Some steps might be missing, and it might not apply to your situation. All of this took about 3 hours. We are using:

FreeBSD 11.1
Bind 9.9.11
nginx 1.12.2

The server configuration

This is


The Bacula Tutorial jail server

One of the challenges of providing hands-on demonstrations is giving everyone their own sandbox to play in. I don’t want people to spend time on installing software. I want people to learn about the software in question, specifically Bacula. With this in mind, I’ve been building up a solution based on FreeBSD 9.1, ZFS, and jails. My solution is pretty nifty, but I don’t think it’s anything special. The key is simplicity. The

