10-21-2009, 02:25 PM
So if you want PF to do only one thing, and that is to block particular ip's here is how you do it. Keep in mind, this configuration is a horrible idea for a traditional firewall. So first begin with creating /etc/pf.conf, I use vi, you can use whatever.
ext_if="re0" # External interface
#Block all Ip's in the banned table
table { 192.168.1.1 }
block quick from to any
block quick from any to
pass out keep state
pass in quick on ext_if
conf if your looking for a traditional firewall, this is for the sole purpose of blocking a single IP or IP ranges.
You will need to replace re0 with your interface name and put your IP's to be blocked in the banned table.
You can put entire classes of IP's if you want like: 204.152.64.0/23
and the table should be comma seperated so something like:
table { 192.168.1.1, 204.152.64.0/23 }
Also to get pf.conf to start(FreeBSD, anyway), you need to put this in the rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
ext_if="re0" # External interface
#Block all Ip's in the banned table
table { 192.168.1.1 }
block quick from to any
block quick from any to
pass out keep state
pass in quick on ext_if
conf if your looking for a traditional firewall, this is for the sole purpose of blocking a single IP or IP ranges.
You will need to replace re0 with your interface name and put your IP's to be blocked in the banned table.
You can put entire classes of IP's if you want like: 204.152.64.0/23
and the table should be comma seperated so something like:
table { 192.168.1.1, 204.152.64.0/23 }
Also to get pf.conf to start(FreeBSD, anyway), you need to put this in the rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
I am here to rescue you.