version=pmwiki-2.2.130 name=Openbsd.Pfa author=navic rev=9 ctime=1622947901

!! remember this
[@
ok so the configuration file is located at /etc/pf.conf
to load new changes you will use # pfctl -f /etc/pf.conf
using rc to do it does not work last time I checked :/

to enable packet filter run # pfctl -e
to disable packet filter run # pfctl -d

remember that the last matching rule applies, so if you deny someone from connecting to a port but then allow it right after, the port will be allowed,
unless you use `quick`, because that means apply this rule now and stop reading
@]
----

!! configuration
[@
set skip on lo0 # this makes it so packet filter doesn't affect the loopback device

# :P marker #1

block in # makes it so by default nothing is allowed in
pass out # makes it so by default everything is allowed out

# now you want to allow some ports
# first you type `pass in quick proto`
# then you want to type either udp or tcp; if you're not sure then just allow both by saying `{udp tcp}`
# now you want to say who is allowed, this can either be an ip, a table or "any": `from any`
# now define the ports: `to port {ports separated by a space, or use : to specify a range}`

# here's a few examples
pass in quick proto {udp tcp} from any to port {53} # allow anyone to access the dns server
pass in quick proto tcp from any to port {6667:6669 6697:6699 9999} # allow anyone to access some common irc ports
# you can also use certain words but I don't know where you can find the list
pass in quick proto tcp from any to port {http https} # (80 443) allow anyone to access the http server
# now what about restricting ssh?
pass in quick proto tcp from 1.2.3.4 to port {22} # makes it so the ip 1.2.3.4 can access port 22

# cough cough cough
# now what about blocking some evil doers?
# this is bill bob
# _-_
# >:<
# \_/
# he's super evil and we know he wants to hack your server so he can boot people,
# but we don't want that because that can get us in trouble,
# we happen to have gathered a list of all his hacking servers.
# we create a folder in /etc called pf and in that folder (/etc/pf) we put in a text file called badhosts
# inside that file (/etc/pf/badhosts) we will put in all of bill bob's ips and also the ips of other evil doers like bill bob
# so now let's make it take effect
table <badhosts> persist file "/etc/pf/badhosts"
# now we have the table called <badhosts> loaded and can use <badhosts> whenever we want to apply a rule to all the ips inside that table
block in quick from <badhosts> # this line basically says that connections from all the ips in the badhosts table will be dropped now
# but remember that rule order matters (the last rule applies, or the first `quick` one), so it will only really protect the pass rules below it and prevent bill bob and other evil doers from connecting to the ports below,
# so because of this you should load the table and add the block before placing all the passes,
# the best place to put it would be where marker #1 is
# keep in mind that changes to the table file only take effect after a reload with the command # pfctl -f /etc/pf.conf

# now what about timmy?
# this is timmy's upper body... I'm not drawing his entire body again...
# ._.
# |_|
# ; ;
# \ \
# ...
# timmy is a super good boi, timmy is a helper,
# timmy will stop at nothing to protect your server from evil doers like bill bob,
# but sometimes you make mistakes, we all do, even timmy,
# so sometimes it might be necessary to give timmy access to all ports, but this is almost never necessary.
# just like above in the bill bob section we will create a table, but this table will be called ilines instead of badhosts.
# so in /etc/pf/ilines you will put timmy's ip, but of course only when necessary
table <ilines> persist file "/etc/pf/ilines"
# and then allow access to all the ports
pass in quick from <ilines>
# you can put this above marker #1 or below it or just at the very bottom of the configuration file,
# but to make the least possible errors that can occur with a big bulky configuration file,
# it is advised (recommended) to put it above marker #1.

# You can make as many tables as you want and make groups of who may access what ports and who isn't allowed to.
# go nuts!

@]
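To see why the table rules belong where marker #1 is, here is a small added Python model of pf's evaluation order (it is not pf and not this page's own code): it replays the inbound rules above under last-match-wins plus `quick` semantics, with constructed table contents standing in for /etc/pf/badhosts and /etc/pf/ilines. It ignores state, `set skip` and everything that is not an `in` rule.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for /etc/pf/badhosts and /etc/pf/ilines (RFC 5737 documentation ranges).
TABLES = {
    "badhosts": [ip_network("198.51.100.0/24")],  # bill bob's hacking servers
    "ilines": [ip_network("203.0.113.7/32")],     # timmy, only when necessary
}

def rule(action, quick=False, proto=None, src=None, ports=None):
    """One inbound rule: proto is a set of names or None (any), src a table name,
    an ip_network or None (any), ports a list of (low, high) ranges or None (any)."""
    return {"action": action, "quick": quick, "proto": proto, "src": src, "ports": ports}

def matches(r, proto, src_ip, dport):
    nets = TABLES[r["src"]] if isinstance(r["src"], str) else [r["src"]]
    return ((not r["proto"] or proto in r["proto"])
            and (r["src"] is None or any(src_ip in net for net in nets))
            and (not r["ports"] or any(lo <= dport <= hi for lo, hi in r["ports"])))

def verdict(ruleset, proto, src, dport):
    """pf semantics: the last matching rule decides, except that a matching
    `quick` rule is applied at once and evaluation stops there."""
    result = "pass"  # pf passes a packet that matches no rule at all
    src_ip = ip_address(src)
    for r in ruleset:
        if matches(r, proto, src_ip, dport):
            result = r["action"]
            if r["quick"]:
                break
    return result

# The page's rules in page order (`pass out` is irrelevant to inbound packets).
BLOCK_BADHOSTS = rule("block", quick=True, src="badhosts")
PASS_ILINES = rule("pass", quick=True, src="ilines")
BODY = [
    rule("block"),                                                     # block in
    rule("pass", quick=True, proto={"udp", "tcp"}, ports=[(53, 53)]),  # dns
    rule("pass", quick=True, proto={"tcp"}, ports=[(6667, 6669), (6697, 6699), (9999, 9999)]),
    rule("pass", quick=True, proto={"tcp"}, ports=[(80, 80), (443, 443)]),  # http https (/etc/services)
    rule("pass", quick=True, proto={"tcp"}, src=ip_network("1.2.3.4/32"), ports=[(22, 22)]),
]
RECOMMENDED = [PASS_ILINES, BLOCK_BADHOSTS] + BODY  # table rules placed at marker #1
AT_BOTTOM = BODY + [PASS_ILINES, BLOCK_BADHOSTS]    # same rules appended at the very end

if __name__ == "__main__":
    for name, rs in (("marker #1", RECOMMENDED), ("bottom", AT_BOTTOM)):
        print(f"{name}: bill bob -> tcp/80 is {verdict(rs, 'tcp', '198.51.100.5', 80)}")
```

With the block at the bottom, bill bob still reaches port 80 because the earlier `pass in quick ... port {http https}` matched first and stopped evaluation. An ip listed in both tables gets whichever `quick` table rule comes first, so the order of those two lines matters too.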