Pf Rule
Jan 13, 2008
What's wrong with the following? (Besides the half-arsed queueing.)
This is a home router/firewall/NAT machine running OpenBSD. It works fine, but I'm getting periodic log entries about it blocking attempts to connect to TCP port 80 on various sites. And it's legitimate sites that show up in the logs when someone visits them. More confusingly than anything, though, everything works fine despite the log entries.
The logs cite rule 19, which, per pftop, is the following:
19 Block In Log Q dc0 tcp 352 28482 0 return-rst inet all
Where have I gone wrong, and what, exactly, is getting blocked? Again, it's legitimate sites that end users are actually connecting to, not some nefarious thing we've never heard of.
#
int_if = "rl0"
ext_if = "dc0"
# Define a list of IPs that shouldn't ever make it in/out!
nonroute = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
# Defrag incoming packets!
scrub in all
## QUEUE TO GO HERE
##
altq on $ext_if bandwidth 750Kb hfsc queue { ack, game, dns, ssh, bulk }
queue ack bandwidth 75% priority 7 qlimit 500 hfsc (realtime 50%)
queue dns bandwidth 7% priority 6 qlimit 500 hfsc (realtime 5%)
queue game bandwidth 7% priority 6 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 5% priority 5 qlimit 500 hfsc (realtime 5%)
queue bulk bandwidth 5% priority 1 qlimit 500 hfsc (realtime 5% default)
# Do NAT
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
# Skip loopback
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
# No sense in filtering internal LAN, either
pass out quick on $int_if from any to any
pass in quick on $int_if from any to any
# Block some major crap...
block in log quick on $ext_if inet proto icmp from any to any icmp-type redir
block in quick on $ext_if from $nonroute to any
block out quick on $ext_if from $nonroute to any
## FILTER
# Restrict what ICMP traffic we allow
pass in quick on $ext_if inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }
block in log quick on $ext_if inet proto icmp from any to any
## TCP
pass in quick on $ext_if inet proto tcp from any to any flags S/SA keep state
# Let UDP and ICMP out
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
# Pass out!
pass out quick on $ext_if inet proto tcp from any to any port ssh queue (ssh)
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state queue (ack)
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
# Now, we block everything else
block return-rst in log quick on $ext_if inet proto tcp from any to any
block return-icmp in log quick on $ext_if inet proto udp from any to any
block in quick on $ext_if all
Jul 12, 2008
How can I add a NAT rule in APF?
I'd like to create a NAT rule as below using iptables, but I'd like to use it in APF.
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o venet0:3 -j MASQUERADE
Feb 14, 2007
I have a few subdomains pointing to a directory (using a dedicated IP and an A record).
I need the following rewrite rules:
[url]--> [url]
[url]--> [url]
[url]--> [url]
How can I do this?
Aug 7, 2007
I have to write a rewrite rule in the .htaccess file:
[url]
goes to
[url]
Jul 9, 2007
How do I rewrite a URL? For example, I purchased SSL for example.com and when I take [url], it gives an SSL domain mismatch error.
i.e. I want to rewrite
[url]
Aug 7, 2008
We installed the csf firewall on the main node and we get the following error when we try to start the firewall. How can we resolve this issue?
[root@m5088 csf]# csf -s
Error: The VPS iptables rule limit (numiptent) is too low (400/400) - stopping firewall to prevent iptables blocking all connections, at line 123
Jun 1, 2008
I have an OpenVZ-based VPS server; my VPS users get "The VPS iptables rule limit (numiptent)" error when they try to install and start any firewall.
How can I resolve this issue?
Jul 11, 2007
Would anyone be kind enough to give me some pointers to route packets from a specific ip on my subnet via the tun0 OpenVPN interface, and all other hosts out the default route of the main routing table
(192.168.1.1 on br0)?
i.e. 192.168.1.2-9 -> via br0, and 192.168.1.200 -> via tun0
I have created the tables:
mkdir /etc/iproute2
echo 201 table1 >> /etc/iproute2/rt_tables
ip rule add from 192.168.1.200/32 table table1
But I am really stuck from here. I tried adding default routes in table1 but all traffic stops at this point (I am pinging from the host 192.168.1.200 out onto the net; it works, but as soon as the command below is entered it times out):
ip route add 10.19.0.5 dev tun0 scope link src 10.19.0.6 table table1
(not sure if this is needed - either way it doesn't work, with or without)
ip route add default via 10.19.0.5 dev tun0 table table1
I did try: ip route add default dev tun0 table table1, and again that fails to work. I appreciate this isn't a guessing game, hence moving to post here in hope of some expert advice.
Routing table for the main table (table 1 contains the entries from above commands):
root@OpenWrt:~# ip route list table table1
default via 10.19.0.5 dev tun0
root@OpenWrt:~# ip route list table main
10.20.30.40 via 192.168.1.1 dev br0
10.19.0.1 via 10.19.0.5 dev tun0
10.19.0.5 dev tun0 proto kernel scope link src 10.19.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.4
default via 192.168.1.1 dev br0
There is a point-to-point link to the OpenVPN server on 10.19.0.5 with a local address of 10.19.0.6, but I'm not sure if this needs to be added in table1. I did try adding ip route add 10.19.0.5 dev tun0 scope link src 10.19.0.6 table table1, but again still the same issue.
With OpenVPN set up to push the redirect-gateway option, all works well with the routing table and the box acts as a router sending everything through it (table shown below - this works fine apart from everyone being routed through it). As mentioned, I would like the table's default route below to only apply to the host 192.168.1.200. I am posting the table below as this does work for all hosts:
root@OpenWrt:~# ip route list table main
10.20.30.40 via 192.168.1.1 dev br0
10.19.0.1 via 10.19.0.5 dev tun0
10.19.0.5 dev tun0 proto kernel scope link src 10.19.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.4
default via 10.19.0.5 dev tun0
I am masquerading on tun0 as I will be routing a number of hosts through the router:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I also run 'ip route flush cache' after I enter the routing commands, but to no avail.
Feb 21, 2013
I have a page like this: [URL] ....
I want to permanently redirect it to: [URL] ....
I also need to redirect all other pages that have the word ( rates ) to index.
View 9 Replies
View Related
Apr 29, 2013
I need two rules in Apache to work:
RewriteRule ^([^/]*).html$ index.php?page=$1 [L]
RewriteRule ^([^/]*)/([^/]*).html$ index.php?pnumber=$1&page=$2 [L]
The first rule does work and /index.php?page=something redirects to /something.html
The second rule does not work: /index.php?pnumber=1&page=something needs to be /1/something.html
But when I make this link I get a 404 error: the requested URL was not found.
Where is the error, and how can I make the second rule work too?
Apr 12, 2007
Any good rule to limit Apache (port 80) connections from 1 IP to 15 with iptables/csf?
And total connections to the box to 100?
Dec 17, 2008
How can I block this user agent through mod_rewrite?
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
And will this agent affect all the IE 6 users?
And what is the difference between the one above and this one:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)?
Jun 5, 2007
How do I go about converting the following .htaccess file
Code:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} /blogs/(clientscript|images)/
RewriteRule ^(.*)$ $1 [L]
RewriteRule ^blogs/([-a-z0-9]+)/([-a-z0-9]+)-([0-9]+)/comment-([0-9]+).html blogs/viewblog.php?username=$1&entrytitle=$2&entry=$3&c=$4 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/([-a-z0-9]+)-([0-9]+)/feed/ blogs/syndication.php?entry=$3 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/([-a-z0-9]+)-([0-9]+)/ blogs/viewblog.php?username=$1&entrytitle=$2&entry=$3 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/category/([-a-z0-9]+).html blogs/viewblog.php?username=$1&categorydata=$2 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/([0-9]{4})/([0-9]{1,2})/ blogs/viewblog.php?username=$1&month=$3&year=$2 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/([0-9]{4})/([0-9]{1,2})/([0-9]{1,2}).html blogs/viewblog.php?username=$1&month=$3&year=$2&day=$4 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/archive.html blogs/viewblog.php?username=$1&displaymode=archive [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/feed/ blogs/syndication.php?username=$1 [QSA,L]
RewriteRule ^blogs/([-a-z0-9]+)/ blogs/viewblog.php?username=$1 [QSA,L]
to work with lighttpd's rules?
Aug 29, 2013
I have a number of WordPress, Drupal, Wiki sites running under RHEL6.
Apache version:httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18
We are subject to internal scans by Appscan and Tenable. It is a security requirement so I cannot just block them.
The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.
This drives the php content management systems nuts.
Request comes in and is handled by php.
PHP checks the cache for that name and does not find it.
PHP generates a MySQL query and sends it.
MySQL tries and fails to satisfy the query.
MySQL returns result to php.
PHP writes a cache of the result and presents it to the web.
In other words, a whole lot of processor/memory.
The security scans typically look like......
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................windowswin.ini HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................winntwin.ini HTTP/1.1
I have been able to improve performance, speed and security by mod_rewrite
RewriteRule .*.(dll|ini|exe|com)$ - [R=404,NC]
Now (Finally) the question.
I have not been able to create a rule for the directory recursion.
I want to R=404 any that has a "../.." or "...." or ...." but I can not get it to recognize the string correctly.
I believe that this would improve speed and security.
Aug 13, 2014
I need to prevent XSS attacks by using the following Apache rewrite rules for all URLs of the domain.
Converting < and > to < and >
Converting ( and ) to ( and )
Converting # and & to # and &
& --> &
< --> <
> --> >
" --> "
' --> '
Oct 28, 2014
I just installed httpd-2.4.10-win32 and I can't make mod_rewrite work:
What I want is a proxy that receives a print.xxxx.com/appl URI and forwards it to appl.serveur.xxxx.com:8080/streammaster
I do
RewriteCond %{HTTP_HOST} print.xxxx.com
RewriteRule /appl/ http://appl.serveur.xxxx.com:8080/streammaster [P]
and I get a redirect:
192.168.250.50 - - [28/Oct/2014:14:55:19 +0100] "GET /appl/ HTTP/1.1" 302 -
mod_proxy is loaded and works of course.
I've tried a lot of variations (it works the same in a virtual host without RewriteCond) to no avail.
May 10, 2014
I am new to WordPress; I want a URL rewrite rule for my .htaccess. When a user visits www.domain.com/services/manu/, the URL in the address bar should be www.domain.com/services/. I don't want a permanent redirect.
Feb 21, 2014
I'm trying to change the URL structure so that instead of /default/category/product.html it would show /category/product.html
With this line I've managed to do it on my personal blog:
RedirectMatch 301 /default/(.*) //$1
But when I implemented it on a customer's Magento site, it started showing double slashes like this //category/product.html and the whole template just collapsed.
Apr 4, 2009
I am currently trying to limit incoming UDP length 20 packets on a per IP basis to 5 a second using IPTables on a Linux machine (CentOS 5.2).
Basically, if an IP is sending more than 5 length 20 UDP packets a second to the local machine, I would like the machine to drop the excess length 20 packets coming from that IP.
The modules that should work perfectly for this type of "rule set" are:
- Limiting module
- Length module
Both of which are installed / compiled with the kernel/IPTables correctly and functioning.
I have tried several rule sets, and they all seem to not fully work. Either they drop all UDP length 20 packets going to the local machine or allow all them through.
Below is one of the rule sets I use, and it is not working. Any ideas what the issue could be?
iptables -N UDPC1
iptables -A INPUT -p udp -m length --length 20 -j UDPC1
iptables -A UDPC1 -p udp -m length --length 20 -m limit --limit 5/second -j ACCEPT
iptables -A UDPC1 -j DROP
Jun 23, 2008
I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).
Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:
# Restrict which content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings.
#
# Note though that ModSecurity parses only three content encodings:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is
# inferior.
#
# TODO There are many applications that are not using multipart/form-data
# encoding (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests to have bodies so we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"
I don't know how to decipher this rule to know if just removing it is ok, or if it is serving an important purpose. During a couple hour period it was enabled, that rule only seemed to trigger false alarms.
The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]
What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I have also had this rule triggered today when someone tried to access : ...
Apr 1, 2015
It should be a straightforward change. [URL] .... does not redirect to [URL]...... It simply tries to load /denver-cars/ and denver-cars is in the URL. Am I missing something here? I have tried moving it up and down the list of rules and have tried numerous types of flags to no avail. Everything else in the .htaccess works fine without the line:
RewriteRule ^/(.*)-cars/ /newcars-in-$1/ [NC,R=301,L]
Here is my .htaccess:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
# Force www
# Redirect google index dir's to new dir
RewriteRule ^/(.*)-cars/ /newcars-in-$1/ [NC,R=301,L]
[code]....
Sep 28, 2013
I am new to Apache, and really terrible with regular expressions.
How do I craft an .htaccess rule that looks at the URL of the page you are visiting, and redirects HTTPS to the same URL in HTTP if the URL contains a certain text string (in this case the word "products")...
Mar 12, 2015
Is it possible to enable ModSec through Plesk, and manage exceptions on a per-domain rule basis?
In other words, is it possible to disable ModSec for only one domain?
Jun 12, 2014
Error when trying to set atomic subscription rule:
Failed to install the ModSecurity rule set: SecReadStateLimit is depricated, use SecConnReadStateLimit instead.
Syntax error on line 70 of /etc/httpd/conf/modsecurity.d/rules/atomic/modsec/00_asl_zz_strict.conf:
Error creating rule: Could not add entry "127.0.0.0/8" from: 127.0.0.0/8.
In directory /etc/httpd/conf/modsecurity.d/rules I have only: atomic.new modsecurity_crs-plesk tortix tortix.backup
There is no file 00_asl_zz_strict.conf
Mar 23, 2015
I have fail2ban and am trying to install the http-get-dos rule, but I have no way to make it work.
Here are my files :
# cat /etc/fail2ban/filter.d/http-get-dos.local
[Definition]
failregex = ^<HOST>.*"GET
ignoreregex =
[Code] ....
Then, when I start fail2ban, I have this thing :
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Creating new jail 'http-get-dos'
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Jail 'http-get-dos' uses Gamin
2015-03-24 00:33:25,474 fail2ban.jail [7070]: INFO Initiated 'gamin' backend
2015-03-24 00:33:25,475 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain1/logs/access_log
2015-03-24 00:33:25,476 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain2/logs/access_log
[Code] ....
So, I do not understand where the set max... is coming from. Then, in my iptables, I have all the chains, but not the http-get-dos one:
# iptables -L | grep Chain | grep dos
And finally, I ran some stress tests, generating more than 5000 hits in 5 min, and no luck, nothing.
If I run failregex:
# fail2ban-regex /var/www/vhosts/mydomain1/logs/access_log /etc/fail2ban/filter.d/http-get-dos.local
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/http-get-dos.local
Use log file : /var/www/vhosts/mydomain1/logs/access_log
Results
=======
Failregex: 55044 total
|- #) [# of hits] regular expression
| 1) [55044] ^<HOST>.*"GET
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [55429] Day/MONTH/Year:Hour:Minute:Second
`-
Lines: 55429 lines, 0 ignored, 55044 matched, 385 missed
Missed line(s): too many to print. Use --print-all-missed to print all 385 lines
Did I miss something in the fail2ban configuration? Is there any problem adding a custom rule to fail2ban in Plesk?
Nov 11, 2014
very simple spamassassin rule that will do the following…
Give a score of 2
For the word test in the subject field
Then can you tell me where on the Plesk 12 server to place the file for server-wide filtering.
Jun 25, 2013
This is the mod_rewrite rule I'm trying to create. I am very new to Apache admin. Here's the issue:
I have 3 vhosts running on my HTTPD Apache 2.2.24 server: Server1, Server2, Server3. Each vhost is connected to a Weblogic application server. We are trying to prevent access to the Example.portal page on each application server.
So the URLs I'm trying to rewrite are:
- Server1.domain.com/PortalWeb/Example.portal
- Server2.domain.com/PortalWeb/Example.portal
- Server3.domain.com/PortalWeb/Example.portal
So, I would like to redirect the above URLs back to the 'root' of the website. ie: server1.domain.com. Here is my rewrite rule:
RewriteRule ^(.*)/Example.portal$ http://$1 [NC]
So, the rule is matching correctly to URLs that contain Example.portal, however the back reference from (.*) does not seem to map to $1.
Mar 8, 2015
I'm using .htaccess to show existing images instead of images which do not exist.
RewriteBase /images/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)_(.*)1200x900.jpg$ esittely_$21200x900.jpg
RewriteRule liiga1200x10.jpg esittely1200x10.jpg
RewriteRule liiga670x10.jpg esittely670x10.jpg [L]
Everything works fine if an image does not exist.
But if an image does exist, the second RewriteRule
RewriteRule liiga1200x10.jpg esittely1200x10.jpg
will be used.
Why is that so? How could I modify my code to prevent that?