Blacklist and Whitelist pf Firewall FreeBSD

Blacklist and Whitelist pf Firewall FreeBSD

pada file pf.conf

Tambahkan Rule :

table <white-list> persist file "/etc/pf/white-list"
table <black-list> persist file "/etc/pf/black-list"

block in from { <black-list> } to any

pass in quick from { <white-list> } to any port 22 (Jika izinkan port 22)

pass in quick from { <white-list> } to any (Jika seluruh port)

Tambahkan IP pada file whitelist atau blacklist

atau bisa menggunakan perintah :

pfctl t white-list T add

untuk melihat hasilnya :

pfctl t white-list T show

Untuk menghapus :

pfctl t white-list T delete

Membaca log :

# tcpdump -n -e -ttt -r /var/log/pflog
Note that using tcpdump to watch the pflog file does not give a real-time display. A real-time display of logged packets is achieved by using the pflog0 interface:
# tcpdump -n -e -ttt -i pflog0
When examining the logs, special care should be taken with tcpdump’s verbose protocol decoding (activated via the -v command line option). tcpdump’s protocol decoders do not have a perfect security history. At least in theory, a delayed attack could be possible via the partial packet payloads recorded by the logging device. It is recommended practice to move the log files off of the firewall machine before examining them in this way.
Additional care should also be taken to secure access to the logs. By default, pflogd will record 160 bytes of the packet in the log file. Access to the logs could provide partial access to sensitive packet payloads.

Filtering Log Output
Because pflogd logs in tcpdump binary format, the full range of tcpdump features can be used when reviewing the logs. For example, to only see packets that match a certain port:
# tcpdump -n -e -ttt -r /var/log/pflog port 80
This can be further refined by limiting the display of packets to a certain host and port combination:
# tcpdump -n -e -ttt -r /var/log/pflog port 80 and host
The same idea can be applied when reading from the pflog0 interface:
# tcpdump -n -e -ttt -i pflog0 host

Referensi :

Posted on: July 11, 2023, by :  | 17 views