From owner-freebsd-questions@freebsd.org Mon Nov 6 15:41:44 2017
From: Cos Chan
Date: Mon, 6 Nov 2017 16:41:41 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: freebsd-questions, Carmel NY
In-Reply-To: <20171106235944.U9710@sola.nimnet.asn.au>
References: <20171106235944.U9710@sola.nimnet.asn.au>
List-Id: User questions

On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith wrote:

> In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
> On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan wrote:
>
> > Hi All
> >
> > I would run IPFW with blacklistd; my FreeBSD is 11.1-RELEASE-p1.
> >
> > My blacklistd is working fine to get sshd failed login attempts.
> > The output:
> >
> > $ sudo blacklistctl dump -b
> >         address/ma:port id      nfail   last access
> >      1.1.1.1/32:22              3/-1    2017/11/05 01:05:34
> >      2.2.2.2/32:22              3/-1    2017/11/05 13:22:53
> >
> > but I can't find information how to use the blacklistd database in IPFW
> > from the IPFW manpage.
> >
> > Would anybody explain that to me?
>
> By all means work with Carmel's offer to look at parsing the database
> output. All I know about blacklistd(8), blacklistd.conf(5) and
> blacklistctl(8) is what I just now read skimming these manual pages.
>
> However I was surprised to see no mention of using tables rather than
> add)ing or rem)oving individual firewall rules - and you can't use
> 'flush' on individual rules in ipfw(8), only on whole sets of rules.
>
> Another problem with adding/removing individual rules is you need to
> allocate a large enough block of rules, then specify distinct rule
> numbers to ipfw(8). Messy and error-prone, especially for deleting.
>
> So you might need to replace or modify /usr/libexec/blacklistd-helper,
> which I haven't seen but assume is a script, to use its parameters to
> generate commands more like:
>
>   /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
> and
>   /sbin/ipfw table $OTHERNAME delete addr[/masklen]
>
> as appropriate. This is immensely more efficient than adding and
> deleting single rules on the fly, more so if there are many entries.
>
> When adding entries, the optional [value] might be a latest timestamp,
> or an expiry timestamp, or anything else you might find useful.
>
> Of course you may need a number of different tables, for blocking ssh,
> webhosts, mailserver or other services, but then need just a few rules
> dedicated to denying (or even specifically enabling) hosts or ports to
> addr[/masklen] entries in a particular table.
>
>   ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
>   ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
>   ipfw add deny all from table \($REALLYNASTY\) to any in
>
> and such. Tables really are the way to go for this sort of thing.

Thanks. I studied /usr/libexec/blacklistd-helper; it looks like it is good, as you said, but it needs ipfw-blacklist.rc for ipfw?

    if [ -f "/etc/ipfw-blacklist.rc" ]; then
            pf="ipfw"
            . /etc/ipfw-blacklist.rc
            ipfw_offset=${ipfw_offset:-2000}
    fi

I could not find this file in /etc/. The rc.conf file was modified to:

    blacklistd_enable="YES"
    blacklistd_flags="-C /usr/libexec/blacklistd-helper"

and blacklistd was restarted, but no luck yet.

> cheers, Ian
> --

with kind regards
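The script below is an added example, not code from this thread and not the stock /usr/libexec/blacklistd-helper. It shows the table-based design Ian describes as a drop-in control program for blacklistd's -C option: one static ipfw deny rule per protected port is installed once, and at run time only table entries are added, deleted or flushed, so the rule set is never renumbered. It assumes blacklistd invokes the control program as `action rulename protocol address mask port [id]` (verify against blacklistd(8) and the stock helper on your release), honours the same `ipfw_offset` variable from /etc/ipfw-blacklist.rc that the quoted helper snippet reads, and uses the table names `bl_port<port>`, the rule numbering `ipfw_offset + port` and the `IPFW_DRY_RUN` switch as choices made for this example.

```shell
#!/bin/sh
# Added example: a blacklistd control program that drives ipfw *tables*
# instead of adding and removing one firewall rule per offending address.
# This is NOT the stock /usr/libexec/blacklistd-helper.
#
# Assumed calling convention (check blacklistd(8) on your release):
#   $0 add|rem|flush <rulename> <protocol> <address> <mask> <port> [id]
#
# Once at boot (e.g. from rc.local):   bl_setup 22 tcp
# Then in rc.conf:                     blacklistd_flags="-C /path/to/this"

# Like the quoted helper snippet, take ipfw_offset from /etc/ipfw-blacklist.rc
# when that file exists, defaulting to 2000 otherwise.
if [ -f /etc/ipfw-blacklist.rc ]; then
    . /etc/ipfw-blacklist.rc
fi
ipfw_offset=${ipfw_offset:-2000}

# Print instead of executing when IPFW_DRY_RUN is set, so the generated
# ipfw commands can be inspected (and tested) on a host without ipfw.
ipfw_run() {
    if [ -n "${IPFW_DRY_RUN:-}" ]; then
        printf '%s\n' "/sbin/ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# One table per protected port (assumed naming): port 22 -> bl_port22.
table_name() {
    printf 'bl_port%s\n' "$1"
}

# One predictable rule number per port. ipfw rule numbers stop at 65535,
# so for ports above 65535 - ipfw_offset choose a smaller offset.
rule_number() {
    echo $(( ipfw_offset + $1 ))
}

# blacklistd may report tcp6/udp6; ipfw(8) rule syntax wants tcp/udp.
ipfw_proto() {
    printf '%s\n' "${1%6}"
}

# bl_setup <port> <protocol>: create the table (ignoring "already exists")
# and install the single deny rule that references it. Run before blacklistd.
bl_setup() {
    port=$1
    proto=$(ipfw_proto "$2")
    tname=$(table_name "$port")
    ipfw_run table "$tname" create type addr 2>/dev/null || true
    ipfw_run -q add "$(rule_number "$port")" deny "$proto" \
        from "table($tname)" to me "$port"
}

# bl_control <action> <rulename> <protocol> <address> <mask> <port> [id]:
# the hot path called by blacklistd. Only table contents change here.
bl_control() {
    action=$1 addr=$4 mask=$5 port=$6
    tname=$(table_name "$port")
    case "$action" in
    add)
        ipfw_run -q table "$tname" add "$addr/$mask"
        ;;
    rem)
        ipfw_run -q table "$tname" delete "$addr/$mask"
        ;;
    flush)
        # ipfw cannot flush individual rules, but it can flush a whole table.
        ipfw_run -q table "$tname" flush
        ;;
    *)
        echo "usage: $0 add|rem|flush rulename protocol address mask port [id]" >&2
        return 1
        ;;
    esac
}

# Dispatch when invoked by blacklistd; when sourced with no arguments,
# only the functions are defined.
if [ $# -gt 0 ]; then
    bl_control "$@"
fi
```

With `IPFW_DRY_RUN=1 sh bl-ipfw.sh add sshd tcp 1.1.1.1 32 22` the script prints `/sbin/ipfw -q table bl_port22 add 1.1.1.1/32` instead of running it, which is a convenient way to see what blacklistd would do before pointing it at a live firewall. Separately, the quoted helper snippet shows the stock helper sets `pf="ipfw"` only when /etc/ipfw-blacklist.rc exists, so with no such file it never selects ipfw at all; that matches the symptom of blacklistd recording failures while no ipfw entries appear.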