Packet Filter

This interface lets you fine-tune the packet filter (pf) configuration.

General

Firewall settings

Configure Firewall Settings of: The Vulture node that you want to configure.
Repository type: Select whether to use a file or a data repository.
Optional syslog repository: Select a syslog repository that will log pf events.

Firewall Status

A summary of the pf status, i.e. whether it is currently running or not.
You can also reload the service here, which is mandatory after each configuration change.

Configuration

You can add pf rules here.
For each rule you can set:
Policy: The action of the rule: Block / Pass
Direction: The direction of the rule: Inbound / Outbound / Both
Log: Toggle to log the event
Inet: The IP address family
Protocol: TCP / UDP / ICMP (Ping) / All
Source: The source IP
Destination: The destination IP
Port: The targeted port
Comment: The rule comment
Action: Duplicate or delete the current rule

Blacklist

Permanent blacklist

Here you can enter one IP address or network range per line.
These addresses will be added to the abusive_hosts pf table.

All connections coming from any IP in this table will be dropped. Starting with GUI-1.41, the limit was set to 3 connections per second; since GUI-1.42 the limit has been raised to 100 connections per second.

Here is a pf cheat sheet to manage this blacklist table:

Show blacklisted IPs: pfctl -t abusive_hosts -T show

Blacklist the IP '1.2.3.4': pfctl -t abusive_hosts -T add 1.2.3.4

Remove the IP '1.2.3.4' from blacklist: pfctl -t abusive_hosts -T delete 1.2.3.4
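The three cheat-sheet commands above are easy to mistype, and pfctl will happily accept an entry that is not what you meant. The following script is an added example, not part of the Vulture documentation or of Vulture's own tooling: it validates an IPv4 address or network range before building the pfctl command for the abusive_hosts table (the table name is the one used on this page; the function names and the DRY_RUN variable are assumptions of this example). With DRY_RUN left at its default of 1 the command is only printed; set DRY_RUN=0 on a Vulture node to actually run it.

```shell
#!/bin/sh
# Added example (not Vulture's own code): validate a blacklist entry and
# build the matching pfctl command for the abusive_hosts table.
# Assumptions: table name from the page; function names and DRY_RUN are ours.

TABLE="abusive_hosts"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the command, 0 = run pfctl

# Returns 0 if the argument is an IPv4 address with an optional /0-32 prefix.
valid_entry() {
    entry="$1"
    addr="${entry%%/*}"
    case "$entry" in
        */*) prefix="${entry#*/}" ;;
        *)   prefix="32" ;;
    esac
    # Prefix must be a number between 0 and 32.
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Address may only contain digits and dots, no leading/trailing/double dots.
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots: exactly four octets, each between 0 and 255.
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Builds the pfctl command line for an action (show|add|delete) and entry.
table_cmd() {
    action="$1"; entry="$2"
    case "$action" in
        show)       printf 'pfctl -t %s -T show\n' "$TABLE" ;;
        add|delete) printf 'pfctl -t %s -T %s %s\n' "$TABLE" "$action" "$entry" ;;
        *)          return 1 ;;
    esac
}

# Validates the entry, then prints (dry run) or executes the pfctl command.
# Returns 1 and writes a message to stderr when the entry is rejected.
blacklist() {
    action="$1"; entry="$2"
    if [ "$action" != "show" ]; then
        valid_entry "$entry" || { echo "rejected entry: $entry" >&2; return 1; }
    fi
    cmd="$(table_cmd "$action" "$entry")" || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Usage, as in the cheat sheet above:
#   blacklist show
#   blacklist add 1.2.3.4
#   blacklist delete 1.2.3.4
#   blacklist add 10.0.0.0/8
```

The pf table rules are the same as the cheat sheet; the wrapper only refuses entries that are not a dotted-quad address or a valid CIDR range before anything reaches pfctl.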

If a firewall performs address translation (NAT) in front of Vulture, every client reaches pf from the same translated source address, so the per-source limit would blacklist all of them at once. In that case you must disable this feature in the pf policy:

Default:                pass log quick inet proto tcp from any to em0 port { 80, 443 } flags S/SA keep state (max-src-conn 100, max-src-conn-rate 100/1, overload <abusive_hosts> flush global)
Need to be changed to:  pass log quick inet proto tcp from any to em0 port { 80, 443 } flags S/SA keep state

SSH Protection

Packet Filter is configured to protect against brute-force attacks on SSH: if an IP address opens 3 connections in less than 5 seconds, it is blacklisted.
These addresses are added to the same abusive_hosts pf table described above.

Current active blacklist

Here you will see the result of the following command: pfctl -t abusive_hosts -T show

Advanced configuration

Rules

Raw pf configuration