Date:      Tue, 7 Nov 2017 03:50:44 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Cos Chan <rosettas@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>, Carmel NY <carmel_ny@outlook.com>, Michael Ross <gmx@ross.cx>
Subject:   Re: How to setup IPFW working with blacklistd
Message-ID:  <20171107033226.M9710@sola.nimnet.asn.au>
In-Reply-To: <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com>
References:  <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com>

On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
 > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
 > 
 > > In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
 > > On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan <rosettas@gmail.com> wrote:
 > >
 > >  > Hi All
 > >  >
 > >  > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1.
 > >  >
 > >  > my blacklistd is working fine to get sshd failed login attempts.
 > >  > The output:
 > >  >
 > >  > $ sudo blacklistctl dump -b
 > >  >         address/ma:port id      nfail   last access
 > >  >  1.1.1.1/32:22           3/-1    2017/11/05 01:05:34
 > >  >  2.2.2.2/32:22           3/-1    2017/11/05 13:22:53
 > >  >
 > >  > but I can't find information how to use the blacklistd database in IPFW
 > >  > from IPFW manpage
 > >  >
 > >  > would anybody explain that to me?
 > >
 > > By all means work with Carmel's offer to look at parsing the database
 > > output.  All I know about blacklistd(8), blacklistd.conf(5) and
 > > blacklistctl(8) is what I just now read skimming these manual pages.
 > >
 > > However I was surprised to see no mention of using tables rather than
 > > add)ing or rem)oving individual firewall rules - and you can't use
 > > 'flush' on individual rules in ipfw(8), only on whole sets of rules.
 > >
 > > Another problem with adding/removing individual rules is you need to
 > > allocate a large enough block of rules, then specify distinct rule
 > > numbers to ipfw(8).  Messy and error-prone, especially for deleting.
 > >
 > > So you might need to replace or modify /usr/libexec/blacklistd-helper,
 > > which I haven't seen but assume is a script, to use its parameters to
 > > generate commands more like:
 > >
 > >  /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
 > > and
 > >  /sbin/ipfw table $OTHERNAME delete addr[/masklen]
 > >
 > > as appropriate.  This is immensely more efficient than adding and
 > > deleting single rules on the fly, more so if there are many entries.
 > >
 > > When adding entries, the optional [value] might be a latest timestamp,
 > > or an expiry timestamp, or anything else you might find useful.
 > >
 > > Of course you may need a number of different tables, for blocking ssh,
 > > webhosts, mailserver or other services, but then need just a few rules
 > > dedicated to denying (or even specifically enabling) hosts or ports to
 > > addr[/masklen] entries in a particular table.
 > >
 > >  ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
 > >  ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
 > >  ipfw add deny all from table \($REALLYNASTY\) to any in
 > >
 > > and such.  Tables really are the way to go for this sort of thing.
 >
 > thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is good
 > as you said but it needs ipfw-blacklist.rc for ipfw?
 > 
 > if [ -f "/etc/ipfw-blacklist.rc" ]; then
 >         pf="ipfw"
 >         . /etc/ipfw-blacklist.rc
 >         ipfw_offset=${ipfw_offset:-2000}
 > fi
 > 
 > I could not find this file in /etc/

Yes, you need to create it.  It's both a "using ipfw" flag and somewhere 
to put settings, or at least the needed 'ipfw_offset=4000' one.

Thanks to Michael Ross for posting the link to these instructions:

 https://people.freebsd.org/~lidl/blacklistd.html

I downloaded the tarball from there and checked it out (no 11.x systems 
here).  I expect that article has enough info to get you going.

Also, despite no mentions in the manuals, the ipfw implementation does 
indeed use tables, and in a sensible fashion, given it fits in with the 
existing 'workstation' section in /etc/rc.firewall. Quite clever really.

 > the rc.conf file was modified to:
 > 
 > blacklistd_enable="YES"
 > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
 > 
 > and the blacklistd restarted but no luck yet.

Let us know how it works out?

cheers, Ian
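The table-based approach described in the quoted message above, and the helper hook Cos quotes from /usr/libexec/blacklistd-helper, can be illustrated with a small helper-style script. This is an added example, not FreeBSD's own blacklistd-helper and not code from anyone on this thread. It assumes the argument layout blacklistd passes to its helper (command, rulename, protocol, address, mask, port, id), names tables "portNN" and rule numbers ipfw_offset + port (a constructed convention, not necessarily what the real helper does), and defaults IPFW to "echo /sbin/ipfw" so the commands are printed rather than executed; the runtime part only touches tables, while the static deny rules belong in the firewall startup script.

```shell
#!/bin/sh
# Added example (not FreeBSD's blacklistd-helper): map blacklistd's
# add/rem/flush calls onto ipfw tables so the firewall keeps a few static
# rules and only table entries change at runtime.
#
# Assumed argument layout, as blacklistd invokes its helper:
#   $1 command (add|rem|flush)  $2 rulename  $3 protocol  $4 address
#   $5 mask (prefix length)     $6 port      $7 id
#
# IPFW defaults to "echo /sbin/ipfw" so the script can be exercised without
# root or a FreeBSD host; set IPFW=/sbin/ipfw to apply the commands for real.
IPFW=${IPFW:-"echo /sbin/ipfw"}
# Same knob /etc/ipfw-blacklist.rc provides; rule numbers are offset + port.
ipfw_offset=${ipfw_offset:-2000}

# Constructed naming convention: one table per destination port.
bl_table_name()  { printf 'port%s\n' "$1"; }
bl_rule_number() { echo $(( ipfw_offset + $1 )); }

# Reject anything that is not a plain address, prefix length or port before
# it reaches a command line: the address originates from a remote peer.
bl_valid_addr() { case "$1" in ''|*[!0-9a-fA-F.:]*) return 1 ;; esac; }
bl_valid_num()  { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -le "$2" ]; }

# Runtime entry point: one ipfw table operation per call, no rule churn.
bl_helper() {
    cmd=$1 proto=$3 addr=$4 mask=$5 port=$6
    bl_valid_num "$port" 65535 || { echo "bad port: $port" >&2; return 2; }
    tname=$(bl_table_name "$port")
    case "$cmd" in
    add|rem)
        bl_valid_addr "$addr" && bl_valid_num "$mask" 128 ||
            { echo "bad address/mask: $addr/$mask" >&2; return 2; }
        [ "$cmd" = add ] && op=add || op=delete
        $IPFW -q table "$tname" "$op" "$addr/$mask"
        ;;
    flush)
        $IPFW -q table "$tname" flush
        ;;
    *)
        echo "usage: $0 add|rem|flush rulename proto addr mask port id" >&2
        return 2
        ;;
    esac
}

# Static part, meant for the firewall startup script rather than the helper:
# create the per-port table and one deny rule that references it.
bl_static_rules() {
    proto=$1 port=$2
    tname=$(bl_table_name "$port")
    $IPFW -q table "$tname" create type addr
    $IPFW -q add "$(bl_rule_number "$port")" deny "$proto" \
        from "table($tname)" to me "$port"
}

# Behave like the helper when invoked with arguments; stay quiet otherwise.
if [ $# -gt 0 ]; then
    bl_helper "$@"
fi
```

Run once at firewall start with `bl_static_rules tcp 22` (for each protected port), then point blacklistd_flags at this script; each failed-login threshold crossing becomes a single `ipfw table port22 add ADDR/32`, and unblocking or a `blacklistctl` flush becomes a table delete or flush, never a rule add or delete with a hand-allocated number.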
