From: ASV <asv@inhio.net>
To: Kristof Provost
Cc: freebsd-questions (User questions list)
Subject: Re: PF issue since 11.2-RELEASE
Date: Fri, 01 Feb 2019 10:33:55 +0100
Message-ID: <8918ed58705259aebcf0b5254fd28d161b4d31b5.camel@inhio.net>
In-Reply-To: <2677833F-B2C4-4CCD-B82F-4F3F84B7FFF8@sigsegv.be>
References: <989e79372513e9769c6857b531f14df8ce0b6f3a.camel@inhio.net> <51F0845A-2BB3-4BC9-977D-BB0E6C305ED3@FreeBSD.org> <20190129193609.GB57976@vega.codepro.be> <2677833F-B2C4-4CCD-B82F-4F3F84B7FFF8@sigsegv.be>

On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
> On 31 Jan 2019, at 12:11, ASV wrote:
> > Good afternoon,
> > one good news and one bad news.
> >
> > Good news is that it was that bloody missing zero which was "freaking
> > out" PF during the reload. How could I have missed that? Perhaps
> > erroneously removed during the upgrade somehow, or it was there but not
> > causing problems?! I'll never know. But it's fixed, so thank you very
> > much for the good catch!
> >
> > The bad news is that PF is still not enforcing the rules within the
> > anchors. So fail2ban keeps populating the tables where the previously
> > mentioned rules are in place (reposted below), but these IPs keep
> > bombing me with connection attempts, passing the firewall with no
> > problems at all. Killing the states, reloading, restarting (PF and
> > fail2ban) doesn't fix that.
> >
> > # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> > block drop quick proto udp from to any port = sip
> > block drop quick proto udp from to any port = sip-tls
> >
> > # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> > block drop quick proto tcp from to any port = sip
> > block drop quick proto tcp from to any port = sip-tls
>
> I don't use anchors myself, but don't you need to call them from your
> main ruleset?

Anchors are called and the blocking rule is set within:

anchor f2b {
  anchor asterisk {
    block in quick log to any
  }
}

so the resulting tables f2b-asterisk-udp and f2b-asterisk-tcp (created by
fail2ban), belonging to the anchor f2b, get populated with IP addresses by
the fail2ban daemon, and then the rules are "supposed to" be enforced.

Sorry, I've realised that previously I posted "sip" instead of "asterisk".
I'm heavily testing this stuff through different but identical files, just
some names replaced, which is probably the reason why you thought I wasn't
"calling" them.

fail2ban is supposed to do the rest, which is:

- creating the tables: which sometimes works, sometimes doesn't, but if you
  set the tables in the same ruleset at start you'll get the following:

  pfctl: warning: namespace collisions with 2 global tables.

  even when these are removed from the running config and manually
  reloaded!!!

- enforcing the "ban action": these are pre-set in
  /usr/local/etc/fail2ban/action.d/pf.conf and the default one is:

  actionban = -t - -T add

  and it works, the table(s) get populated but the rules are not enforced.

Sorry again for the aforementioned typo.
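As an added example (not from this thread and not fail2ban's own action file), here is a main-ruleset fragment that hands evaluation to every anchor fail2ban creates under f2b/ with the wildcard anchor form from pf.conf(5), instead of a nested anchor block. The jail names asterisk-udp and asterisk-tcp, the table names, and the "pfctl -a f2b/..." anchor path are taken from the thread; the interface name, the placement of the anchor call, and the statement that fail2ban's pf action creates its tables inside its own anchor are assumptions made for the example.

```pf
# /etc/pf.conf fragment (added example, not from the thread)
ext_if = "em0"    # assumption: name of the external interface

# Do NOT declare table <f2b-asterisk-udp> / <f2b-asterisk-tcp> here as well.
# Assumption: fail2ban's pf action creates each table inside its own anchor
# (f2b/asterisk-udp, f2b/asterisk-tcp). A second, global definition of the
# same name is what pfctl reports as
#   "pfctl: warning: namespace collisions with N global tables."

# Rules fail2ban installs live in the anchors f2b/asterisk-udp and
# f2b/asterisk-tcp (the "-a f2b/<jail>" path in the thread). A nested
#   anchor f2b { anchor asterisk { ... } }
# block only defines the path f2b/asterisk, so those two anchors are never
# evaluated. The wildcard form evaluates every anchor one level below f2b/,
# whatever the jail is called.
#
# Placement matters: the fail2ban rules are "block ... quick", so this call
# must come before any "pass ... quick" rule that would match the same SIP
# traffic, otherwise the pass rule wins first.
anchor "f2b/*"

# Existing states bypass rule evaluation; after a ban, connections that were
# already tracked keep flowing until their state expires or is flushed.

# Verification commands (run from a shell, not part of the config):
#   pfctl -sA                       # list anchors: expect f2b/asterisk-udp, f2b/asterisk-tcp
#   pfctl -a f2b/asterisk-udp -sr   # rules fail2ban installed in that anchor
#   pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -Ts   # addresses in the table
#   pfctl -sr | grep '^anchor'      # confirm the wildcard call is in the loaded ruleset
```

If "pfctl -a f2b/asterisk-udp -sr" shows the block rules and "pfctl -sA" lists the anchor, but the main ruleset's "pfctl -sr" shows no "anchor" line for the f2b path, the rules exist yet are never reached, which is exactly the symptom of populated tables with traffic still passing.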