From owner-freebsd-questions@freebsd.org Sat Nov 18 22:18:19 2017
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
From: Cos Chan
Date: Sat, 18 Nov 2017 23:18:15 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: Kurt Lidl, freebsd-questions, Michael Ross
References: <20171107033226.M9710@sola.nimnet.asn.au> <20171107162914.G9710@sola.nimnet.asn.au> <20171108012948.A9710@sola.nimnet.asn.au> <20171111213759.I72828@sola.nimnet.asn.au> <20171115192830.R72828@sola.nimnet.asn.au> <20171117005738.V72828@sola.nimnet.asn.au>
Content-Type: text/plain; charset="UTF-8"
List-Id: User questions
X-List-Received-Date: Sat, 18 Nov 2017 22:18:20 -0000

On Thu, Nov 16, 2017 at 10:40 PM, Cos Chan wrote:
>
> On Thu, Nov 16, 2017 at 3:53 PM, Ian Smith wrote:
>
>> On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
>> > On 11/15/17 6:46 AM, Cos Chan wrote:
>> >
>> > > blacklistd.log:
>> > > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
>> > > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
>> > > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
>> >
>> > The "-1 seconds" looks fishy to me.
>> >
>> > What is the /etc/blacklistd.conf on this machine?
>>
>> Whether or not the first block succeeded, which if it had, should have
>> precluded another one two minutes later .. just on this point:
>>
>> -1 here means "never remove" ie duration='*', like nfail='*' is also set
>> to -1 for 'never block'. Noticed in ..
>>
>> [ here /usr/head/src/contrib/blacklist/ ]
>> bin/blacklistd.c: update(void)
>> [..]
>>         if (c.c_duration == -1 || when >= ts.tv_sec)     <<<----
>>             continue;
>>         if (dbi.id[0]) {
>>             run_change("rem", &c, dbi.id, 0);
>>             sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
>>             syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
>>                 buf, c.c_lmask, c.c_port, c.c_duration);
>>         }
>>         state_del(state, &c);
>>
>> One of the problems with blocklistd-helper is that return codes from it
>> are mostly not checked; in some cases it's run as (void)run_change(..)
>> so it's dependent on the helper script succeeding, and simply ignores
>> any indicated failure - except possibly for an add operation, where it
>> returns -1 if it gets a NULL response (empty string I assume), otherwise
>> it returns 0 after copying the output string to the id (here always OK)
>> .. but it seems nothing cares about the return code either way ..
>>
>> A bit more about making the script more robust - and more informative
>> for debugging, at least re ipfw - is slowly brewing, but I'm running out
>> of spare time at the moment, and will have to quit digging this deep
>> into code I'm unlikely ever to run myself :)
>>
>> [ Cos, do you get any different behaviour if you set duration to some
>> value other than '*'? 30d should be near enough forever for testing ]
>>
>
> Right, I can't see the same "increased after ipfw blocked" issue when I
> change the * to 30d.
>
> I will check again tomorrow.
>

After 2 days of testing on the 30d configuration, there is no issue of increasing fail times after IPFW. So, only the * option has such an issue?

>
>> cheers, Ian
>>
>
> --
> with kind regards

--
with kind regards
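A small log check for the symptom discussed in this thread (a host with duration='*', logged as "-1 seconds", being blocked again instead of the existing rule holding). This is an added example, not code from the thread or from blacklistd; the log lines are constructed to match the format quoted above, and the 198.51.100.7 entries are invented to show a finite-duration block and its release.

```python
import re
from collections import defaultdict

# Constructed sample of blacklistd.log, mirroring the lines quoted in the thread
# plus an invented 30d (2592000 s) block/release pair for contrast.
SAMPLE_LOG = """\
Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 13:02:11 res blacklistd[22100]: blocked 198.51.100.7/32:22 for 2592000 seconds
Nov 15 13:05:00 res blacklistd[22100]: released 198.51.100.7/32:22 after 2592000 seconds
"""

# Matches both the "blocked ... for N seconds" and "released ... after N seconds" forms.
EVENT_RE = re.compile(
    r"blacklistd\[\d+\]: (?P<event>blocked|released) "
    r"(?P<addr>[0-9a-fA-F.:]+/\d+):(?P<port>\d+) "
    r"(?:for|after) (?P<secs>-?\d+) seconds"
)


def parse_events(text):
    """Return (event, addr, port, duration) tuples; duration -1 is blacklistd's
    encoding of duration='*' (never released by update())."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m["event"], m["addr"], int(m["port"]), int(m["secs"])))
    return events


def repeated_permanent_blocks(text):
    """Return {(addr, port): count} for entries blocked more than once with
    duration -1. A permanent rule should only ever be added once, so a repeat
    means the block did not take effect or blacklistd kept counting failures
    after the host was already blocked, which is what the thread observed."""
    counts = defaultdict(int)
    for event, addr, port, secs in parse_events(text):
        if event == "blocked" and secs == -1:
            counts[(addr, port)] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (addr, port), n in repeated_permanent_blocks(SAMPLE_LOG).items():
        print(f"{addr}:{port} blocked {n} times with duration '*'")
```

Run it against a real /var/log/blacklistd.log to see whether the repeat happens only for '*' entries, as the 30d test in the thread suggests.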