From: Ian Smith
To: Cos Chan
cc: freebsd-questions, Michael Ross, Kurt Lidl
Subject: Re: How to setup IPFW working with blacklistd
Date: Tue, 7 Nov 2017 17:17:14 +1100 (EST)
Message-ID: <20171107162914.G9710@sola.nimnet.asn.au>
References: <20171106235944.U9710@sola.nimnet.asn.au> <20171107033226.M9710@sola.nimnet.asn.au>

On Mon, 6 Nov 2017 22:43:02 +0100, Cos Chan wrote:
> On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith wrote:
>
> > On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
> > > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith wrote:

[ time to cut mightily .. also cc'ing blacklistd maintainer Kurt Lidl for
whom I'll point to the start of this thread at:
https://lists.freebsd.org/pipermail/freebsd-questions/2017-November/279598.html ]

> > > > and such. Tables really are the way to go for this sort of thing.
> > >
> > > thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is
> > > good as you said but it needs ipfw-blacklist.rc for ipfw?
> > >
> > > if [ -f "/etc/ipfw-blacklist.rc" ]; then
> > >     pf="ipfw"
> > >     . /etc/ipfw-blacklist.rc
> > >     ipfw_offset=${ipfw_offset:-2000}
> > > fi
> > >
> > > I could not find this file in /etc/
> >
> > Yes, you need to create it. It's both a "using ipfw" flag and somewhere
> > to put settings, or at least the needed 'ipfw_offset=4000' one.
> >
> > Thanks to Michael Ross for posting the link to these instructions:
> >
> > https://people.freebsd.org/~lidl/blacklistd.html
> >
> > I downloaded the tarball from there and checked it out (no 11.x systems
> > here). I expect that article has enough info to get you going.
>
> Thanks to Michael Ross too.
>
> I have followed the steps but it seems not to be working, here is the
> ipfw list output:
>
> $ sudo ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 check-state :default
> 01200 allow tcp from me to any established
> 01300 allow tcp from me to any setup keep-state :default
> 01400 allow udp from me to any keep-state :default
> 01500 allow icmp from me to any keep-state :default
> 01600 allow ipv6-icmp from me to any keep-state :default
> 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> 01800 allow udp from any 67 to me dst-port 68 in
> 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> 02000 allow udp from fe80::/10 to me dst-port 546 in
> 02100 allow icmp from any to any icmptypes 8
> 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> 02300 allow icmp from any to any icmptypes 3,4,11
> 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
> 02500 allow tcp from any to me dst-port 22
> 02600 allow tcp from any to me dst-port 25
> 02700 allow tcp from any to me dst-port 80
> 02800 allow tcp from any to me dst-port 443
> 02900 allow tcp from any to me dst-port 21
> 65000 count ip from any to any
> 65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
> 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
> 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
> 65400 deny ip from any to 255.255.255.255
> 65500 deny ip from any to 224.0.0.0/24 in
> 65500 deny udp from any to any dst-port 520 in
> 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
> 65500 deny ip from any to any
> 65535 deny ip from any to any
>
> looks like the blacklist records are not added to ipfw.

Indeed, that looks stock standard.

> I have also tried to add the -C option to rc.conf:
>
> blacklistd_enable="YES"
> blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"
>
> But also not working. The ipfw list output is the same as above.

As mentioned, no FreeBSD 11 system here, so I'm punting on the docs.

I suppose you will have created the flagfile?

 # echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc

You could put that in /etc/rc.local to be sure it survives updates.

Clearly ipfw needs to be running before blacklistd starts, as it's using
/etc/rc.firewall, which begins by flushing all rules. You could check
that's observed on startup - as I assume it must be - with:

 % rcorder /etc/rc.d/* | egrep 'ipfw|blacklist'

Secondly, once ipfw's up, you could manually start blacklistd with the -d
switch (maybe -dv) to run it in foreground while it's getting going to see
what it reports. -C seems to be default, but your use of -r seems smart
as ipfw doesn't maintain tables across runs (without scripting).

You could also try uncommenting the 'set -x' in blacklistd-helper to get
a blow-by-blow list (to stderr) of its progress while doing its thing,
which should provide some solid clues.

Other than that, I'm flying blind :)

> > Also, despite no mentions in the manuals, the ipfw implementation does
> > indeed use tables, and in a sensible fashion, given it fits in with the
> > existing 'workstation' section in /etc/rc.firewall. Quite clever really.
> >
> > > the rc.conf file was modified to:
> > >
> > > blacklistd_enable="YES"
> > > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
> > >
> > > and the blacklistd restarted but no luck yet.
> >
> > Let us know how it works out?

And thanks for cc'ing me on these, as I take the daily questions-digest.

cheers, Ian
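The two checks Ian suggests above (is the blacklistd rule actually in the ipfw ruleset, and does ipfw start before blacklistd), as an added POSIX sh example that is not part of the thread or of FreeBSD's blacklistd-helper. It assumes the helper numbers its rule ipfw_offset + port and keeps blocked addresses in a table named port<port>; the ipfw list and rcorder output are constructed samples.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from the thread): the stock
# rc.firewall rules, and the same rules after blacklistd-helper has blocked
# an address hammering sshd. Assumption: the helper numbers its rule
# ipfw_offset + port and keeps the blocked addresses in table port<port>.
STOCK_RULES='00100 allow ip from any to any via lo0
02500 allow tcp from any to me dst-port 22
65535 deny ip from any to any'
BLOCKED_RULES='00100 allow ip from any to any via lo0
02500 allow tcp from any to me dst-port 22
04022 deny tcp from table(port22) to any dst-port 22
65535 deny ip from any to any'
# Constructed rcorder output, once with ipfw before blacklistd, once after.
RCORDER_GOOD='/etc/rc.d/ipfw
/etc/rc.d/blacklistd'
RCORDER_BAD='/etc/rc.d/blacklistd
/etc/rc.d/ipfw'

# Rule number the helper is assumed to use for a port: ipfw_offset + port,
# zero-padded the way 'ipfw list' prints it.
blacklist_rule_number() {
    printf '%05d' "$(( $1 + $2 ))"
}

# Succeed if 'ipfw list' output ($1) carries the blacklistd rule for
# port $3 at offset $2, i.e. the table-based deny the helper installs.
blacklist_rule_present() {
    rule=$(blacklist_rule_number "$2" "$3")
    printf '%s\n' "$1" | grep -q "^$rule .*table(port$3)"
}

# Succeed if rcorder output ($1) lists ipfw before blacklistd, so the
# flush in rc.firewall cannot wipe rules blacklistd has already added.
ipfw_before_blacklistd() {
    printf '%s\n' "$1" | grep -E 'ipfw|blacklistd' | head -n 1 | grep -q ipfw
}

# Stand-alone run: report both checks against the constructed inputs.
for rules in "$STOCK_RULES" "$BLOCKED_RULES"; do
    if blacklist_rule_present "$rules" 4000 22; then
        echo "blacklistd rule for port 22 present"
    else
        echo "no blacklistd rule for port 22 (looks stock standard)"
    fi
done
ipfw_before_blacklistd "$RCORDER_GOOD" && echo "rc order ok"
ipfw_before_blacklistd "$RCORDER_BAD" || echo "blacklistd starts before ipfw"
```

On a real host, feed it `ipfw list` and `rcorder /etc/rc.d/*` output instead of the constructed strings, with the offset from /etc/ipfw-blacklist.rc.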