From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 247309] blacklistd: spurious whitelisting IPv4
Date: Tue, 16 Jun 2020 15:46:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247309

Bug ID: 247309
Summary: blacklistd: spurious whitelisting IPv4
Product: Base System
Version: 12.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: gray@nxg.name

blacklistd appears to whitelist entire netblocks after individual hosts are
mentioned in [remote] stanzas in blacklistd.conf.

I'm afraid I don't have
the resources to do a detailed reduction/reproduction, but I hope the notes
below will be indicative.

What I expect from the configuration described below is that the hosts listed
in the [remote] stanza should be individually whitelisted, but that other
nearby hosts should be covered by the [local] rules as usual (ie, not
whitelisted).

The actual results are that a large number of hosts are apparently
whitelisted (indicated by NNN/-1 in the blacklistctl output). These appear to
be in /16 or /8 netblocks associated with the whitelisted hosts.

My blacklistctl dump -a output currently looks a bit like this (IP addresses
partially redacted):

    address/ma:port id nfail last access
    130.209.XX.XX/32:22 0/-1 1970/01/01 01:00:00
    130.209.XX.XX/32:22 6/-1 2020/05/18 11:30:19
    194.XX.XX.XX/32:22 3/-1 2020/05/29 00:35:05
    194.XX.XX.XX/32:22 154/-1 2020/05/29 12:13:21
    [...]
    85.130.2.35/32:22 1/4 2020/05/29 10:28:30
    [...]

The 130.209 is the local /16. The odd thing is the -1 as the nfail limit,
meaning 'do not block' or 'whitelisted', which I can't explain. That is, I
see a number of lines that I expect, but a good number of nfail=-1 lines in
these two netblocks 130.209.0.0/16 and 194.0.0.0/8. I see no nfail=-1 lines
outside these netblocks.

My blacklistd.conf looks like:

    [local]
    ssh stream * * * 4 24h
    ftp stream * * * 3 24h
    smtp stream * * * 3 24h
    submission stream * * * 3 24h
    * * * * * 3 60

    [remote]
    130.209.NN.NN:ssh * * * * * *
    194.NN.NN.NN:ssh * * * * * *
    130.209.MM.MM:ssh * * * * * *

The [local] stanza is almost the default; the [remote] explicitly whitelists
three machines.

But the whitelisted machines _do not_ match the nfail=-1 machines in the
blacklistctl output. They're in the same 130.209.0.0/16 and 194.0.0.0/8, but
are not the same IP address.
It's as if the [remote] lines were being parsed as 130.209.0.0/16:ssh and
194.0.0.0/8:ssh, but there's nothing in the by-hand parser of the .conf file
that suggests that's what's happening (see lines 224 and 586, last changed
March 2018).

Looking around, bug #243164 appears to be a different problem, but also
possibly to do with either the whitelisting logic or the parsing of the
config file. The discussion there also mentions the custom config file
parser.

A little background: The machine this is running on is hosting three jails
(one of which is the bastion host that this is really protecting, and the
blacklistd is listening on sockets in both the host and that bastion jail),
it has four IP addresses (one host plus three jails, two of which are in the
172.16.0.0/12 private IP range), and it has a non-trivial, but not
particularly complicated pf firewall configuration.

This is the blacklistd in FreeBSD 12.0-RELEASE-p8 (I can't find a version
option on blacklistd nor any version strings in the blacklistd binary).

I posted a question about this on the net@freebsd list
(https://lists.freebsd.org/pipermail/freebsd-net/2020-May/055920.html), since
I wondered if this was a documentation issue, and simply didn't understand
the config file format.

-- 
You are receiving this mail because:
You are the assignee for the bug.
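A check an administrator can run to spot the symptom the report describes, written here as an added example (not the reporter's code and not part of blacklistd): it parses the [remote] stanza of blacklistd.conf, parses `blacklistctl dump -a` output in the column layout quoted above (no id column, as in the report), and flags every entry with an nfail limit of -1 whose address is not covered by a configured [remote] location. It assumes IPv4 locations and uses constructed sample data in RFC 5737 documentation ranges.

```python
"""Flag blacklistd entries whitelisted (nfail limit -1) that no [remote]
location in blacklistd.conf covers. Added example, not blacklistd code."""
import ipaddress
import re

# Constructed `blacklistctl dump -a` output in the layout the report quotes
# (no id column); RFC 5737 documentation addresses, not real hosts.
DUMP = """\
address/ma:port id nfail last access
198.51.100.7/32:22 0/-1 1970/01/01 01:00:00
198.51.100.9/32:22 6/-1 2020/05/18 11:30:19
203.0.113.40/32:22 154/-1 2020/05/29 12:13:21
192.0.2.35/32:22 1/4 2020/05/29 10:28:30
"""
# Constructed blacklistd.conf shaped like the reporter's.
CONF = """\
[local]
ssh stream * * * 4 24h
* * * * * 3 60
[remote]
198.51.100.7:ssh * * * * * *
203.0.113.40:ssh * * * * * *
"""
# address/mask:port  nfail/limit  date  -> groups: addr, mask, nfail, limit
DUMP_LINE = re.compile(r"^(\S+)/(\d+):\S+\s+(\d+)/(-?\d+)\s")

def remote_networks(conf):
    """Networks named by [remote] locations (IPv4 assumed); a bare host
    becomes a /32, i.e. one line should cover exactly one machine."""
    nets, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif line and section == "remote":
            addr = line.split()[0].rsplit(":", 1)[0]  # drop :port/:service
            nets.append(ipaddress.ip_network(addr, strict=False))
    return nets

def whitelisted_entries(dump):
    """(network, nfail) for every dump row whose limit field is -1."""
    rows = (DUMP_LINE.match(row) for row in dump.splitlines())
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), int(m.group(3)))
            for m in rows if m and int(m.group(4)) == -1]

def spurious_whitelist(dump, conf):
    """Whitelisted entries not inside any configured [remote] network."""
    nets = remote_networks(conf)
    return [str(net) for net, _ in whitelisted_entries(dump)
            if not any(net.subnet_of(n) for n in nets)]
```

On the constructed data only 198.51.100.9/32 is reported, since it is whitelisted in the database but has no matching [remote] line; on a real host, feed the output of `blacklistctl dump -a` and the live blacklistd.conf to `spurious_whitelist`.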