PF – Johnny Morano's Tech Articles https://jmorano.moretrix.com Ramblings of an old-fashioned space cowboy Sat, 09 Apr 2022 07:11:26 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 https://jmorano.moretrix.com/wp-content/uploads/2022/04/cropped-jmorano_emblem-32x32.png PF – Johnny Morano's Tech Articles https://jmorano.moretrix.com 32 32 Time based network access control on OpenBSD https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/ https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/#respond Tue, 01 Mar 2022 13:14:17 +0000 https://jmorano.moretrix.com/?p=1293 Time based ACL (access control lists) features do not exist in BSD’s packet filter (PF). Having your network “shut down” at certain times (for instance, allow certain network ranges or specific IP addresses only during “business hours” or a specific time range), can be achieved with a simple PF table and a cronjob.

First, let’s set up the PF table which will control the traffic. Add the following to your /etc/pf.conf :

# add time block table
table <time_block> { } persist

Next, create a PF rule which block traffic for all entries in the time_block table:

# block all CIDR addresses in the time block table
block in quick log from <time_block> to any

Since the time_block table is still empty, no traffic is actually blocked.

The last thing to implement, is periodically manipulating the time_block table. This could be done by creating two cronjobs:

  1. allow traffic at the beginning of “business hours”
  2. block traffic at the end of “business hours”
crontab -e
# Allow traffic
0 7 * * * /usr/local/scripts/allow_employees.sh > /dev/null 2>&1
# Block traffic
0 17 * * * /usr/local/scripts/block_employees.sh > /dev/null 2>&1


The allow_employees.sh script will allow certain network ranges by ensuring those are removed from the time_block table:

#!/bin/sh

/sbin/pfctl -Td -t time_block 10.1.0.0/24
/sbin/pfctl -Td -t time_block 10.2.0.0/24

The block_employees.sh script will do the exact opposite: it will add ranges to the time_block table so that their network access will be blocked by the firewall:

#!/bin/sh

/sbin/pfctl -Ta -t time_block 10.1.0.0/24
/sbin/pfctl -Ta -t time_block 10.2.0.0/24

Finally deploy your new PF rules (first test them!)

pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf
]]> https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/feed/ 0 Block countries on OpenBSD using pf https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/ https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/#respond Tue, 01 Mar 2022 12:28:09 +0000 https://jmorano.moretrix.com/?p=1291 Same as in the previous article, full countries can be easily blocked on OpenBSD firewall using the pf command and https://ipdeny.com/.

The zone files provided by https://ipdeny.com/ need to be stored locally. A simple way to achieve this is by having a cronjob downloading those periodically (for instance once per day):

#!/bin/sh

# download the latest country zone files
curl -s https://www.ipdeny.com/ipblocks/data/countries/ru.zone > /etc/ru.zone
curl -s https://www.ipdeny.com/ipblocks/data/countries/cn.zone > /etc/cn.zone


We store them directly to /etc in the above example.

In the /etc/pf.conf, first add a table based on the files you have generated with the above statements:

# add a bad hosts table based on local disk text files
# one CIDR per line
table <badhosts> persist file "/etc/ru.zone" file "/etc/cn.zone"

In the above example, we have created a table called badhosts based on two local files.

Finally we need some rules which actually blocks from and to these network ranges, an example PF block rule could be:

# block bad IP addresses
block from <badhosts> to any
block from any to <badhosts>
]]> https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/feed/ 0