From owner-freebsd-questions@freebsd.org Tue Nov 7 11:09:34 2017
From: Cos Chan
Date: Tue, 7 Nov 2017 12:09:31 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: freebsd-questions, Michael Ross, Kurt Lidl
In-Reply-To: <20171107162914.G9710@sola.nimnet.asn.au>
References: <20171106235944.U9710@sola.nimnet.asn.au> <20171107033226.M9710@sola.nimnet.asn.au> <20171107162914.G9710@sola.nimnet.asn.au>
List-Id: User questions

On Tue, Nov 7, 2017 at 7:17 AM, Ian Smith wrote:

> On Mon, 6 Nov 2017 22:43:02 +0100, Cos Chan wrote:
>
> > On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith wrote:
> >
> > > On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
> > > > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith wrote:
>
> [ time to cut mightily .. also cc'ing blacklistd maintainer Kurt Lidl
> for whom I'll point to the start of this thread at:
> https://lists.freebsd.org/pipermail/freebsd-questions/2017-November/279598.html
> ]
>
> > > > > and such. Tables really are the way to go for this sort of thing.
> > > >
> > > > thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is
> > > > good as you said but it needs ipfw-blacklist.rc for ipfw?
> > > >
> > > > if [ -f "/etc/ipfw-blacklist.rc" ]; then
> > > >     pf="ipfw"
> > > >     . /etc/ipfw-blacklist.rc
> > > >     ipfw_offset=${ipfw_offset:-2000}
> > > > fi
> > > >
> > > > I could not find this file in /etc/
> > >
> > > Yes, you need to create it. It's both a "using ipfw" flag and somewhere
> > > to put settings, or at least the needed 'ipfw_offset=4000' one.
> > >
> > > Thanks to Michael Ross for posting the link to these instructions:
> > >
> > > https://people.freebsd.org/~lidl/blacklistd.html
> > >
> > > I downloaded the tarball from there and checked it out (no 11.x systems
> > > here). I expect that article has enough info to get you going.
> >
> > Thanks to Michael Ross too.
> >
> > I have followed the steps but it seems not to be working; here is the
> > ipfw list output:
> >
> > $ sudo ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> > 01100 check-state :default
> > 01200 allow tcp from me to any established
> > 01300 allow tcp from me to any setup keep-state :default
> > 01400 allow udp from me to any keep-state :default
> > 01500 allow icmp from me to any keep-state :default
> > 01600 allow ipv6-icmp from me to any keep-state :default
> > 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> > 01800 allow udp from any 67 to me dst-port 68 in
> > 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> > 02000 allow udp from fe80::/10 to me dst-port 546 in
> > 02100 allow icmp from any to any icmptypes 8
> > 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> > 02300 allow icmp from any to any icmptypes 3,4,11
> > 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
> > 02500 allow tcp from any to me dst-port 22
> > 02600 allow tcp from any to me dst-port 25
> > 02700 allow tcp from any to me dst-port 80
> > 02800 allow tcp from any to me dst-port 443
> > 02900 allow tcp from any to me dst-port 21
> > 65000 count ip from any to any
> > 65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
> > 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
> > 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
> > 65400 deny ip from any to 255.255.255.255
> > 65500 deny ip from any to 224.0.0.0/24 in
> > 65500 deny udp from any to any dst-port 520 in
> > 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
> > 65500 deny ip from any to any
> > 65535 deny ip from any to any
> >
> > looks like the blacklist records are not added to ipfw.
>
> Indeed, that looks stock standard.
>
> > I have also tried to add the -C option to rc.conf:
> >
> > blacklistd_enable="YES"
> > blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"
> >
> > But also not working. The ipfw list output is the same as above.
>
> As mentioned, no FreeBSD 11 system here, so I'm punting on the docs.
>
> I suppose you will have created the flagfile?
> # echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc
> You could put that in /etc/rc.local to be sure it survives updates.
>

Exactly, I followed all the steps the same as
https://people.freebsd.org/~lidl/blacklistd.html except the patch update,
since my server is i386.

> Clearly ipfw needs to be running before blacklistd starts, as it's using
> /etc/rc.firewall, which begins by flushing all rules. You could check
> that's observed on startup - as I assume it must be - with:
>
> % rcorder /etc/rc.d/* | egrep 'ipfw|blacklist'
>

the output:

$ rcorder /etc/rc.d/* | egrep 'ipfw|blacklist'
/etc/rc.d/ipfw
/etc/rc.d/blacklistd

> Secondly, once ipfw's up, you could manually start blacklistd with the
> -d switch (maybe -dv) to run it in foreground while it's getting going to
> see what it reports. -C seems to be default, but your use of -r seems
> smart as ipfw doesn't maintain tables across runs (without scripting).
>
> You could also try uncommenting the 'set -x' in blacklistd-helper to get
> a blow-by-blow list (to stderr) of its progress while doing its thing,
> which should provide some solid clues.
>

I have tried to run

$ sudo blacklistd -dvr

and

$ sudo blacklistd -dvr -C /usr/libexec/blacklistd-helper

and got the same result:

[local]
target type proto owner name nfail duration
25 6 * * * 2 *
22 6 * * * * *
21 6 * * * 2 *
[remote]
source type proto owner name nfail duration
Connected to blacklist server
received 0 from poll()
...
received 1 from poll()
processing type=4 fd=5 remote=121.201.96.113:19720 msg=user uid=0 gid=0
listening socket: 192.168.11.15:22
look: target:192.168.11.15:22, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
check: target:25, proto:6, family:*, uid:*, name:*, nfail:2, duration:*
check: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
found: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
conf_apply: merge: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
conf_apply: to: target:192.168.11.15:22, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
conf_apply: result: target:192.168.11.15:22, proto:6, family:2, uid:*, name:*, nfail:*, duration:*
Applied address 121.201.96.113:22
Applied address 121.201.96.113:22
process: initial db state for 121.201.96.113:19720: count=3/-1 last=2017/11/07 11:09:34 now=2017/11/07 11:46:26
process: final db state for 121.201.96.113:19720: count=3/-1 last=2017/11/07 11:09:34 now=2017/11/07 11:46:26
received 1 from poll()
processing type=1 fd=5 remote=121.201.96.113:19720 msg=ssh uid=22 gid=22
listening socket: 192.168.11.15:22
look: target:192.168.11.15:22, proto:6, family:2, uid:22, name:=, nfail:*, duration:*
check: target:25, proto:6, family:*, uid:*, name:*, nfail:2, duration:*
check: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
found: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
conf_apply: merge: target:22, proto:6, family:*, uid:*, name:*, nfail:*, duration:*
conf_apply: to: target:192.168.11.15:22, proto:6, family:2, uid:22, name:=, nfail:*, duration:*
conf_apply: result: target:192.168.11.15:22, proto:6, family:2, uid:*, name:*, nfail:*, duration:*
Applied address 121.201.96.113:22
Applied address 121.201.96.113:22
process: initial db state for 121.201.96.113:19720: count=3/-1 last=2017/11/07 11:09:34 now=2017/11/07 11:46:26
process: final db state for 121.201.96.113:19720: count=4/-1 last=2017/11/07 11:46:26 now=2017/11/07 11:46:26

I can't see that the blacklistd-helper was running.

ipfw was running with the following options in rc.conf:

#ipfw
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="open"

The output of $ sudo ipfw list was not changed after blacklistd was running:

$ sudo ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

The output of $ cat /etc/ipfw-blacklist.rc:

ifpw_offset=4000

> Other than that, I'm flying blind :)
>
> > > Also, despite no mentions in the manuals, the ipfw implementation does
> > > indeed use tables, and in a sensible fashion, given it fits in with the
> > > existing 'workstation' section in /etc/rc.firewall. Quite clever really.
> > >
> > > > the rc.conf file was modified to:
> > > >
> > > > blacklistd_enable="YES"
> > > > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
> > > >
> > > > and the blacklistd restarted but no luck yet.
> > >
> > > Let us know how it works out?
>
> And thanks for cc'ing me on these, as I take the daily questions-digest.
>
> cheers, Ian
>

--
with kind regards
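A shell check for the two prerequisites this thread turns on, added here as an editor's example; it is not code from the thread, from blacklistd or from blacklistd-helper. check_flagfile sources a candidate /etc/ipfw-blacklist.rc the same way the quoted blacklistd-helper fragment does (". file") and reports whether ipfw_offset was actually set, since the helper otherwise falls back to 2000 and changes the rule numbering without any error. check_rcorder reads an rcorder(8) listing on stdin and confirms ipfw is ordered before blacklistd, as Ian notes rc.firewall flushes all rules on start. The function names, the temporary sample files and the rcorder listing fed to it are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from blacklistd): sanity-check the
# ipfw/blacklistd prerequisites discussed in the thread.

# check_flagfile FILE
# Source FILE the way /usr/libexec/blacklistd-helper sources
# /etc/ipfw-blacklist.rc and return 0 only if it set ipfw_offset.
# A file that sets a differently spelled variable leaves ipfw_offset empty,
# and the helper then silently defaults it to 2000.
check_flagfile() {
    _f=$1
    [ -f "$_f" ] || { echo "check_flagfile: $_f does not exist" >&2; return 1; }
    # "." searches PATH for names without a slash; force a path.
    case $_f in */*) ;; *) _f=./$_f ;; esac
    # Subshell: assignments from the file must not leak into the caller.
    (
        unset ipfw_offset
        . "$_f"
        [ -n "${ipfw_offset:-}" ]
    )
}

# check_rcorder < RCORDER_OUTPUT
# Read an "rcorder /etc/rc.d/*" listing on stdin and return 0 only if
# /etc/rc.d/ipfw is listed before /etc/rc.d/blacklistd. Starting ipfw
# later would flush the rules (and with them blacklistd's table entries).
check_rcorder() {
    _ipfw=0; _bl=0; _n=0
    while IFS= read -r _line; do
        _n=$((_n + 1))
        case "$_line" in
            */ipfw)       _ipfw=$_n ;;
            */blacklistd) _bl=$_n ;;
        esac
    done
    [ "$_ipfw" -gt 0 ] && [ "$_bl" -gt 0 ] && [ "$_ipfw" -lt "$_bl" ]
}

# Constructed demo input; no real files on the host are touched.
demo() {
    _d=$(mktemp -d) || return 1
    printf 'ipfw_offset=4000\n' > "$_d/ok.rc"
    printf 'ifpw_offset=4000\n' > "$_d/misspelled.rc"   # constructed: wrong variable name
    if check_flagfile "$_d/ok.rc"; then
        echo "ok.rc: ipfw_offset is set"
    fi
    if ! check_flagfile "$_d/misspelled.rc"; then
        echo "misspelled.rc: ipfw_offset is NOT set (helper would default to 2000)"
    fi
    if printf '/etc/rc.d/ipfw\n/etc/rc.d/blacklistd\n' | check_rcorder; then
        echo "rcorder: ipfw starts before blacklistd"
    fi
    rm -rf "$_d"
}

demo
# On a real FreeBSD host:
#   check_flagfile /etc/ipfw-blacklist.rc
#   rcorder /etc/rc.d/* | check_rcorder
```

Both functions only read input and exit non-zero on failure, so they can be dropped into /etc/rc.local or a monitoring script without side effects; the flag file is sourced in a subshell precisely because the helper executes it as shell code.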