From owner-freebsd-questions@freebsd.org Mon Nov 6 21:43:06 2017
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
From: Cos Chan
Date: Mon, 6 Nov 2017 22:43:02 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: freebsd-questions, Carmel NY, Michael Ross
In-Reply-To: <20171107033226.M9710@sola.nimnet.asn.au>
References: <20171106235944.U9710@sola.nimnet.asn.au> <20171107033226.M9710@sola.nimnet.asn.au>
Content-Type: text/plain; charset="UTF-8"
List-Id: User questions
X-List-Received-Date: Mon, 06 Nov 2017 21:43:06 -0000

On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith wrote:
> On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
> > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith wrote:
> >
> > > In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
> > > On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan wrote:
> > >
> > > > Hi All
> > > >
> > > > I would like to run IPFW with blacklistd; my FreeBSD is 11.1-RELEASE-p1.
> > > >
> > > > My blacklistd is working fine to get sshd failed login attempts.
> > > > The output:
> > > >
> > > > $ sudo blacklistctl dump -b
> > > > address/ma:port id nfail last access
> > > > 1.1.1.1/32:22 3/-1 2017/11/05 01:05:34
> > > > 2.2.2.2/32:22 3/-1 2017/11/05 13:22:53
> > > >
> > > > but I can't find information on how to use the blacklistd database in IPFW
> > > > from the IPFW manpage.
> > > >
> > > > Would anybody explain that to me?
> > >
> > > By all means work with Carmel's offer to look at parsing the database
> > > output. All I know about blacklistd(8), blacklistd.conf(5) and
> > > blacklistctl(8) is what I just now read skimming these manual pages.
> > >
> > > However, I was surprised to see no mention of using tables rather than
> > > add)ing or rem)oving individual firewall rules - and you can't use
> > > 'flush' on individual rules in ipfw(8), only on whole sets of rules.
> > >
> > > Another problem with adding/removing individual rules is you need to
> > > allocate a large enough block of rules, then specify distinct rule
> > > numbers to ipfw(8). Messy and error-prone, especially for deleting.
> > >
> > > So you might need to replace or modify /usr/libexec/blacklistd-helper,
> > > which I haven't seen but assume is a script, to use its parameters to
> > > generate commands more like:
> > >
> > > /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
> > > and
> > > /sbin/ipfw table $OTHERNAME delete addr[/masklen]
> > >
> > > as appropriate. This is immensely more efficient than adding and
> > > deleting single rules on the fly, more so if there are many entries.
> > >
> > > When adding entries, the optional [value] might be a latest timestamp,
> > > or an expiry timestamp, or anything else you might find useful.
> > >
> > > Of course you may need a number of different tables, for blocking ssh,
> > > webhosts, mailserver or other services, but then need just a few rules
> > > dedicated to denying (or even specifically enabling) hosts or ports to
> > > addr[/masklen] entries in a particular table.
> > >
> > > ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
> > > ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
> > > ipfw add deny all from table \($REALLYNASTY\) to any in
> > >
> > > and such. Tables really are the way to go for this sort of thing.
> >
> > Thanks, I studied /usr/libexec/blacklistd-helper. It looks like it is good,
> > as you said, but it needs ipfw-blacklist.rc for ipfw?
> >
> > if [ -f "/etc/ipfw-blacklist.rc" ]; then
> >     pf="ipfw"
> >     . /etc/ipfw-blacklist.rc
> >     ipfw_offset=${ipfw_offset:-2000}
> > fi
> >
> > I could not find this file in /etc/
>
> Yes, you need to create it. It's both a "using ipfw" flag and somewhere
> to put settings, or at least the needed 'ipfw_offset=4000' one.
>
> Thanks to Michael Ross for posting the link to these instructions:
>
> https://people.freebsd.org/~lidl/blacklistd.html
>
> I downloaded the tarball from there and checked it out (no 11.x systems
> here). I expect that article has enough info to get you going.

Thanks to Michael Ross too.

I have followed the steps, but it seems not to be working. Here is the ipfw list output:

$ sudo ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 443
02900 allow tcp from any to me dst-port 21
65000 count ip from any to any
65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny ip from any to any
65535 deny ip from any to any

It looks like the blacklist records are not added to ipfw.

I have also tried to add the -C option to rc.conf:

blacklistd_enable="YES"
blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"

But that is also not working. The ipfw list output is the same as above.

> Also, despite no mentions in the manuals, the ipfw implementation does
> indeed use tables, and in a sensible fashion, given it fits in with the
> existing 'workstation' section in /etc/rc.firewall. Quite clever really.
>
> > the rc.conf file was modified to:
> >
> > blacklistd_enable="YES"
> > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
> >
> > and the blacklistd restarted but no luck yet.
>
> Let us know how it works out?
>
> cheers, Ian

--
with kind regards
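Following on from Ian's table suggestion and Carmel's offer to parse the database, here is an added example (not code from this thread, from blacklistd-helper or from FreeBSD): a POSIX sh script that parses the 'blacklistctl dump -b' listing quoted above and emits one 'ipfw table NAME add' command per blocked entry. The table names, the constructed sample rows (including an IPv6 one) and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or blacklistd-helper's code: feed the
# "blacklistctl dump -b" listing into per-service ipfw tables, the approach
# Ian describes. Table names, the dry-run default and the sample are assumptions.

# Dry-run unless IPFW_CMD is overridden (e.g. IPFW_CMD=/sbin/ipfw as root).
IPFW_CMD="${IPFW_CMD:-echo /sbin/ipfw}"

# Constructed sample in the format quoted in the thread; the third row is
# made up to show a non-ssh port and an IPv6 address.
SAMPLE_DUMP='address/ma:port id nfail last access
1.1.1.1/32:22 3/-1 2017/11/05 01:05:34
2.2.2.2/32:22 3/-1 2017/11/05 13:22:53
2001:db8::5/128:25 3/-1 2017/11/06 08:00:00'

# One table per service, so a few static deny rules can match on them
# (assumed names, not blacklistd-helper's).
table_for_port() {
    case "$1" in
        22)     echo sshbadguys ;;
        25|587) echo spammers ;;
        *)      echo blocked ;;
    esac
}

# Read dump lines on stdin and emit one "ipfw table NAME add ADDR/MASK VALUE"
# per blocked entry. VALUE is the failure count (addr tables take a numeric
# value), so "ipfw table NAME list" also shows how many failures each host had.
dump_to_table_cmds() {
    while read -r entry f2 f3 _rest; do
        case "$entry" in
            ''|address*) continue ;;        # skip blank and header lines
        esac
        # The id column is blank in the quoted output; if present, skip it.
        case "$f2" in */*) nfail=$f2 ;; *) nfail=$f3 ;; esac
        port=${entry##*:}                   # text after the LAST colon: port
        addr=${entry%:*}                    # everything before it: addr/mask,
                                            # correct for IPv6 addresses too
        count=${nfail%%/*}                  # "3/-1" -> 3
        $IPFW_CMD table "$(table_for_port "$port")" add "$addr" "$count"
    done
}

printf '%s\n' "$SAMPLE_DUMP" | dump_to_table_cmds
```

Note that 'ipfw list' prints rules, not table contents, so after running this with IPFW_CMD=/sbin/ipfw, check with 'ipfw table sshbadguys list' whether the entries were actually installed.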