Date:      Fri, 01 Feb 2019 10:33:55 +0100
From:      ASV <asv@inhio.net>
To:        Kristof Provost <kristof@sigsegv.be>
Cc:        questions list <freebsd-questions@freebsd.org>
Subject:   Re: PF issue since 11.2-RELEASE
Message-ID:  <8918ed58705259aebcf0b5254fd28d161b4d31b5.camel@inhio.net>
In-Reply-To: <2677833F-B2C4-4CCD-B82F-4F3F84B7FFF8@sigsegv.be>
References:  <989e79372513e9769c6857b531f14df8ce0b6f3a.camel@inhio.net> <F26DA908-F2AC-4CBF-8227-A4C3D21865EE@FreeBSD.org> <e336fd332455cc9fe9f722482aae09ed6eeab610.camel@inhio.net> <51F0845A-2BB3-4BC9-977D-BB0E6C305ED3@FreeBSD.org> <a801e46a5c4ca3aaa8bc4d6b270319840908ad44.camel@inhio.net> <20190129193609.GB57976@vega.codepro.be> <c89b0bfc5decb895432b8427e4e70d58c5a7f0c9.camel@inhio.net> <2677833F-B2C4-4CCD-B82F-4F3F84B7FFF8@sigsegv.be>



On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
> On 31 Jan 2019, at 12:11, ASV wrote:
> > Good afternoon,
> > one piece of good news and one of bad news.
> > 
> > Good news is that it was that bloody zero missing which was "freaking
> > out" PF during the reload. How could I have missed that? Perhaps
> > erroneously removed during the upgrade somehow, or it was there but not
> > causing problems?! I'll never know. But it's fixed, so thank you very
> > much for the good catch!
> > 
> > The bad news is that PF is still not enforcing the rules within the
> > anchors. So fail2ban keeps populating the tables where the previously
> > mentioned rules are in place (reposted below), but these IPs keep
> > bombing me with connection attempts passing the firewall with no
> > problems at all. Killing the states, reloading, restarting (PF and
> > fail2ban) doesn't fix that.
> > 
> > # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
> > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
> > block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
> > 
> > # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
> > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
> > block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
> 
> I don’t use anchors myself, but don’t you need to call them from your
> main ruleset?

Anchors are called and the blocking rule is set within:

anchor f2b {
        anchor asterisk {
                block in quick log to any
        }
}

so the resulting tables f2b-asterisk-udp and f2b-asterisk-tcp (created
by fail2ban), belonging to the anchor f2b, get populated with IP
addresses by the fail2ban daemon, and then the rules are "supposed to" be
enforced. Sorry, I've realised that previously I posted "sip" instead
of "asterisk". I'm heavily testing this stuff through different but
identical files, just some names replaced, which is probably the reason
why you thought I wasn't "calling" them.

fail2ban is supposed to do the rest, which is:
- creating the tables: this sometimes works, sometimes doesn't, but if
you set the tables in the same ruleset at start you'll get the
following:

pfctl: warning: namespace collisions with 2 global tables.

even when these are removed from the running config and manually
reloaded!!!

- enforcing the "ban action": these are pre-set in
/usr/local/etc/fail2ban/action.d/pf.conf

and the default one is:
actionban = <pfctl> -t <tablename>-<name> -T add <ip>

and it works: the table(s) get populated, but the rules are not enforced.
Sorry again for the aforementioned typo.


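Kristof's question above, whether the anchors are actually called from the main ruleset, is something that can be checked mechanically. What follows is an added example, not code from this thread, from fail2ban or from pf: it parses a pf.conf-style ruleset, expands inline nested anchor blocks into full anchor paths, and reports whether the anchors fail2ban loads its rules into (f2b/asterisk-udp and f2b/asterisk-tcp, the names shown in the pfctl output above) are evaluated by that ruleset. Both rulesets embedded in it are constructed: the nested one is shaped like the block quoted in the message, and the wildcard one uses pf's `anchor "name/*"` form, which evaluates every anchor attached directly under that path. The parser assumes the simple rule shapes shown here (one anchor rule per line, closing braces on their own line); it does not claim to diagnose this particular installation, only to show how the reachability question can be tested.

```python
"""Check which pf anchors a main ruleset actually evaluates.

Added, constructed example (not code from the thread, from fail2ban or from
pf): parse a pf.conf-style ruleset, collect every anchor path it evaluates,
and report whether the anchors fail2ban loads its rules into are reachable.
"""
import re

# Matches an anchor rule such as:  anchor f2b {   or   anchor "f2b/*"
ANCHOR_RE = re.compile(r'^\s*anchor\s+"?([A-Za-z0-9_./*-]+)"?')


def referenced_anchors(ruleset):
    """Return the set of anchor paths the ruleset text evaluates.

    Inline nested blocks (anchor a { anchor b { ... } }) are expanded to
    "a/b"; a name ending in "/*" is kept as the wildcard pattern pf uses
    to evaluate all anchors attached directly under that path.
    """
    refs = set()
    stack = []  # names of the inline anchor blocks currently open
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = ANCHOR_RE.match(line)
        if m:
            name = m.group(1)
            refs.add("/".join(stack + [name]))
            if line.endswith("{"):  # inline block opens a nested anchor
                stack.append(name)
        elif line.strip() == "}" and stack:
            stack.pop()
    return refs


def is_reachable(anchor_path, refs):
    """True if anchor_path is named directly or matched by a parent's "/*"."""
    for ref in refs:
        if ref == anchor_path:
            return True
        if ref.endswith("/*"):
            parent = ref[:-2]
            head, _, tail = anchor_path.rpartition("/")
            if head == parent and tail:  # direct child of the wildcard parent
                return True
    return False


def check_anchors(ruleset, anchor_paths):
    """Map each anchor path to whether the main ruleset evaluates it."""
    refs = referenced_anchors(ruleset)
    return {p: is_reachable(p, refs) for p in anchor_paths}


# Anchor paths fail2ban populates in the thread (names taken from the thread).
F2B_ANCHORS = ["f2b/asterisk-udp", "f2b/asterisk-tcp"]

# Constructed main ruleset shaped like the block quoted in the message.
NESTED_RULESET = """\
set skip on lo0
anchor f2b {
        anchor asterisk {
                block in quick log to any
        }
}
pass out all
"""

# Constructed alternative: evaluate every direct child anchor of f2b.
WILDCARD_RULESET = """\
set skip on lo0
anchor "f2b/*"
pass out all
"""

if __name__ == "__main__":
    for label, rs in (("nested", NESTED_RULESET), ("wildcard", WILDCARD_RULESET)):
        print(label, "evaluates:", sorted(referenced_anchors(rs)))
        for path, ok in check_anchors(rs, F2B_ANCHORS).items():
            state = "evaluated" if ok else "NOT evaluated by main ruleset"
            print(f"  {path}: {state}")
```

On a live box the ruleset text would be read from /etc/pf.conf rather than embedded; the constructed rulesets are inline so the script runs offline. The point of the two samples is the contrast: an inline block named `asterisk` yields the path `f2b/asterisk`, which is not the same anchor as `f2b/asterisk-udp`, whereas the wildcard form covers every anchor that is loaded directly under `f2b`.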



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8918ed58705259aebcf0b5254fd28d161b4d31b5.camel>