From owner-freebsd-questions@freebsd.org Mon Nov 6 14:10:11 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 92F1DE5F07A for ; Mon, 6 Nov 2017 14:10:11 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DF24E70696 for ; Mon, 6 Nov 2017 14:10:10 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id vA6E9wh3014523; Tue, 7 Nov 2017 01:09:59 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Tue, 7 Nov 2017 01:09:58 +1100 (EST) From: Ian Smith To: Cos Chan cc: freebsd-questions@freebsd.org, Carmel NY Subject: Re: How to setup IPFW working with blacklistd In-Reply-To: Message-ID: <20171106235944.U9710@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Nov 2017 14:10:11 -0000 In freebsd-questions Digest, Vol 701, Issue 1, Message: 10 On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan wrote: > Hi All > > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1. > > my blacklistd is working fine to get sshd failed login attempts. > The out put: > > $ sudo blacklistctl dump -b > address/ma:port id nfail last access > 1.1.1.1/32:22 3/-1 2017/11/05 01:05:34 > 2.2.2.2/32:22 3/-1 2017/11/05 13:22:53 > > but I can't find information how to use the blacklistd database in IPFW > from IPFW manpage > > would anybody explain that to me? By all means work with Carmel's offer to look at parsing the database output. All I know about blacklistd(8), blacklistd.conf(5) and blacklistctl(8) is what I just now read skimming these manual pages. However I was surprised to see no mention of using tables rather than add)ing or rem)oving individual firewall rules - and you can't use 'flush' on individual rules in ipfw(8), only on whole sets of rules. Amother problem with adding/removing individual rules is you need to allocate a large enough block of rules, then specify distinct rule numbers to ipfw(8). Messy and error-prone, especially for deleting. So you might need to replace or modify /usr/libexec/blacklistd-helper, which I haven't seen but assume is a script, to use its parameters to generate commands more like: /sbin/ipfw table $TABLENAME add addr[/masklen] [value] and /sbin/ipfw table $OTHERNAME delete addr[/masklen] as appropriate. This is immensely more efficient than adding and deleting single rules on the fly, moreso if there are many entries. When adding entries, the optional [value] might be a latest timestamp, or an expiry timestamp, or anything else you might find useful. Of course you may need a number of different tables, for blocking ssh, webhosts, mailserver or other services, but then need just a few rules dedicated to denying (or even specifically enabling) hosts or ports to addr[/masklen/ entries in a particular table. ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup ipfw add deny all from table \($REALLYNASTY\) to any in and such. Tables really are the way to go for this sort of thing. cheers, Ian