Restricting port 3306 with the PF firewall
Miroslav Lachman
000.fbsd at quip.cz
Sun Jun 6 13:22:12 CEST 2021
On 06/06/2021 12:10, Frantisek Hennel wrote:
> Thank you, but this doesn't work for me either :-(. I extended my rules with
> yours and this is the result.
> Reloading pf rules.
> /etc/pf.conf:6: port only applies to tcp/udp
> /etc/pf.conf:6: skipping rule due to errors
> /etc/pf.conf:6: rule expands to no valid combination
> /etc/pf.conf:7: port only applies to tcp/udp
> /etc/pf.conf:7: skipping rule due to errors
> /etc/pf.conf:7: rule expands to no valid combination
I recommend keeping the order as described in man pf.conf:
STATEMENT ORDER
There are seven types of statements in pf.conf:
Macros
Tables
Options
Traffic Normalization (e.g. scrub)
Queueing
Translation
Packet Filtering
I would try it like this:
#################
ext_if="em0" # interface connected to internet
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
block drop in log (all) quick on $ext_if from <blockedips> to any
block drop in log (all) quick on $ext_if proto tcp from ! <mwhite> to any port 3306
#################
On my machine the syntax check passed:
root at tester ~/ # pfctl -nvf pf.conf
ext_if = "em0"
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
block drop in log (all) quick on em0 from <blockedips> to any
block drop in log (all) quick on em0 proto tcp from ! <mwhite> to any port = mysql
Also, instead of "to any" you can use "to self". Personally I would rather build the
rules the other way round: block everything everywhere and explicitly allow access
only to what I really want to have open to the outside. You never know when some
service "starts itself" on the box... YMMV
Mirek
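The default-deny layout described in the reply, written out as an added example (this is not Mirek's ruleset, only an illustration of the same idea using the tables from the message). It assumes em0 is the external interface, that SSH on port 22 must remain reachable, and that outbound traffic from the host itself is allowed; adjust the allowed services to the machine in question.

```pf
# Added example, not from the original message: "block everything, allow by name".
# Statement order follows man pf.conf: macros, tables, options, scrub, filtering.
ext_if="em0"                         # external interface (assumption)

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"

set skip on lo0
scrub in all

# Default deny for everything arriving on the external interface; log drops.
block drop in log (all) on $ext_if all

# Traffic originating from this host may leave (assumption: host is trusted).
pass out quick on $ext_if all keep state

# Known bad sources are dropped before any service rule can match them.
block drop in log (all) quick on $ext_if from <blockedips> to any

# Explicitly allowed services; anything not listed here stays blocked,
# including a MySQL instance that starts by itself on 3306.
pass in quick on $ext_if proto tcp from any to self port 22 flags S/SA keep state
pass in quick on $ext_if proto tcp from <mwhite> to self port 3306 flags S/SA keep state
```

As in the message above, validate the file with `pfctl -nvf /etc/pf.conf` before loading it; any "port only applies to tcp/udp" error means a rule with a port is missing its `proto tcp` clause.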