Date:      Thu, 14 May 2020 13:31:05 +0100
From:      "Norman Gray" <norman.gray@glasgow.ac.uk>
To:        RW via freebsd-questions <freebsd-questions@freebsd.org>
Subject:   blacklistd: spurious whitelisting of IPs
Message-ID:  <52AD5746-A693-42D2-A4DC-5D38341AA979@glasgow.ac.uk>


Greetings.

My blacklistctl dump -a output currently looks a bit like this

         address/ma:port	id	nfail	last access
130.209.XX.XX/32:22		0/-1	1970/01/01 01:00:00
   194.XX.XX.XX/32:22		3/-1	2020/05/14 00:35:05
   [ IP addresses partially redacted ]
   [...plus various reasonable-looking lines...]

Both those IP ranges are 'friendly', and the first is the local /16.  
The odd thing is the -1 as the nfail limit, meaning 'do not block' or 
'whitelisted', which I can't explain.

My blacklistd.conf looks like:

[local]
ssh		stream	*	*		*	4	24h
ftp		stream	*	*		*	3	24h
smtp		stream	*	*		*	3	24h
submission	stream	*	*		*	3	24h
*		*	*	*		*	3	60
[remote]
130.209.XX.XX:ssh *	*	*		*	*	*
194.XX.XX.XX:ssh *	*	*		*	*	*
130.209.XX.XX:ssh *	*	*		*	*	*

The [local] stanza is almost the default; the [remote] explicitly 
whitelists three machines.

But the whitelisted machines _do not_ match the nfail=-1 machines in the 
blacklistctl output.  They're in the same 130.209.0.0/16 and 
194.0.0.0/8, but are not the same IP address.  Looking further back, I 
can see a similar pattern, with these netblocks, but no others, 
apparently whitelisted.  What's going on?

It's as if the local lines were being parsed as 130.209.0.0/16:ssh and 
194.0.0.0/8:ssh, but there's nothing in the by-hand parser of the .conf 
file that suggests that's what's happening (see 
<https://github.com/freebsd/freebsd/blob/master/contrib/blacklist/bin/conf.c>; 
lines 224 and 586, last changed March 2018).

The machine this is running on is hosting a couple of jails (one of 
which is the bastion host that this is really protecting, and the 
blacklistd is listening on sockets in both the host and the bastion 
jail), it has four IP addresses (two of which are in a private IP 
range), and it has a non-trivial, but not particularly complicated pf 
firewall configuration.  This is the blacklistd in FreeBSD 
12.0-RELEASE-p8 (I can't find a version option on blacklistd nor any 
version strings in the blacklistd binary).

I'm perplexed.

Best wishes,

Norman


-- 
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
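The check Norman did by hand above, comparing nfail=-1 entries in the blacklistctl dump against the [remote] whitelist, can be scripted so it can be re-run after a configuration change. The following is an added example and not code from the post or from blacklistd itself: it parses a constructed `blacklistctl dump -a` sample and a constructed blacklistd.conf in the same layout as the ones quoted (addresses are RFC 5737 documentation ranges, not the poster's hosts), treats a -1 limit as 'do not block' exactly as the post reads it, reports entries that no [remote] line actually covers, and for each of those lists the [remote] entries that share the same /16, which is the "same netblock, different host" pattern described. It assumes IPv4 addresses and the column layout shown in the post, and `port_number` falls back to a small hand-written service table only if /etc/services cannot be consulted.

```python
import ipaddress
import re
import socket

# Constructed sample of `blacklistctl dump -a` output, shaped like the post's
# (RFC 5737 documentation addresses, not the poster's real hosts).
SAMPLE_DUMP = """\
        address/ma:port\tid\tnfail\tlast access
192.0.2.10/32:22\t\t0/-1\t1970/01/01 01:00:00
198.51.100.7/32:22\t\t3/-1\t2020/05/14 00:35:05
203.0.113.9/32:22\t\t2/4\t2020/05/13 22:10:41
"""

# Constructed blacklistd.conf in the same layout as the one quoted in the post.
SAMPLE_CONF = """\
[local]
ssh\t\tstream\t*\t*\t\t*\t4\t24h
*\t\t*\t*\t*\t\t*\t3\t60
[remote]
192.0.2.20:ssh *\t*\t*\t\t*\t*\t*
198.51.100.7:ssh *\t*\t*\t\t*\t*\t*
"""

# Fallback service table used only when /etc/services is unavailable
# (assumption: just the services named in the post's configuration).
FALLBACK_SERVICES = {"ssh": 22, "ftp": 21, "smtp": 25, "submission": 587}

NFAIL_RE = re.compile(r"^-?\d+/-?\d+$")  # the "count/limit" column


def port_number(name):
    """Resolve a service name or numeric string to a port; '*' stays '*'."""
    if name == "*":
        return "*"
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return FALLBACK_SERVICES[name]


def parse_dump(text):
    """Return (network, port, count, limit) tuples from dump rows.
    IPv4 only (assumption); the header row is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("address/"):
            continue
        addr, port = fields[0].rsplit(":", 1)
        # The id column may be empty, so locate nfail by its shape.
        nfail = next(f for f in fields[1:] if NFAIL_RE.match(f))
        count, limit = (int(x) for x in nfail.split("/"))
        entries.append((ipaddress.ip_network(addr, strict=False), int(port), count, limit))
    return entries


def parse_remote(text):
    """Return (network, port) pairs from the [remote] section of blacklistd.conf."""
    remote, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "remote":
            continue
        addr, port = line.split()[0].rsplit(":", 1)
        remote.append((ipaddress.ip_network(addr, strict=False), port_number(port)))
    return remote


def unexplained_whitelist(dump_text, conf_text):
    """Dump networks with nfail limit -1 ('do not block', as the post reads it)
    that no [remote] entry covers by address and port."""
    remote = parse_remote(conf_text)
    flagged = []
    for net, port, _count, limit in parse_dump(dump_text):
        if limit != -1:
            continue
        covered = any(net.subnet_of(rnet) and rport in ("*", port)
                      for rnet, rport in remote)
        if not covered:
            flagged.append(str(net))
    return flagged


def nearby_remote(dump_text, conf_text, prefix=16):
    """For each unexplained entry, the [remote] entries sharing its /prefix."""
    remote = parse_remote(conf_text)
    out = {}
    for net in unexplained_whitelist(dump_text, conf_text):
        block = ipaddress.ip_network(net).supernet(new_prefix=prefix)
        out[net] = [str(r) for r, _ in remote if r.subnet_of(block)]
    return out


if __name__ == "__main__":
    for net in unexplained_whitelist(SAMPLE_DUMP, SAMPLE_CONF):
        print("unexplained nfail=-1 entry:", net)
    print(nearby_remote(SAMPLE_DUMP, SAMPLE_CONF))
```

Run against real output, feed it the text of `blacklistctl dump -a` and the live blacklistd.conf instead of the constructed samples; an entry that comes back from `unexplained_whitelist` while `nearby_remote` shows a whitelisted neighbour in the same /16 is exactly the symptom the post describes.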


