From owner-freebsd-net@freebsd.org Fri May 29 17:31:11 2020
From: "Norman Gray" <Norman.Gray@glasgow.ac.uk>
To: freebsd-net@freebsd.org
Subject: blacklistd: spurious whitelisting of IPs
Date: Fri, 29 May 2020 18:31:04 +0100
Message-ID: <79E0058D-8D8F-4B81-A1B8-8FA25616A9CF@glasgow.ac.uk>
List-Id: Networking and TCP/IP with FreeBSD

Greetings.

[I originally posted this to freebsd-questions, but that may have been the wrong list; I hope this one is right]

My blacklistctl dump -a output currently looks a bit like this (IP addresses partially redacted):

        address/ma:port                 id      nfail   last access
    130.209.XX.XX/32:22                         0/-1    1970/01/01 01:00:00
    130.209.XX.XX/32:22                         6/-1    2020/05/18 11:30:19
    194.XX.XX.XX/32:22                          3/-1    2020/05/29 00:35:05
    194.XX.XX.XX/32:22                          154/-1  2020/05/29 12:13:21
    [...]
    85.130.2.35/32:22                           1/4     2020/05/29 10:28:30
    [...]

The 130.209 is the local /16.

The odd thing is the -1 as the nfail limit, meaning 'do not block' or 'whitelisted', which I can't explain. That is, I see a number of lines that I expect, but a good number of nfail=-1 lines in these two netblocks 130.209.0.0/16 and 194.0.0.0/8. I see no nfail=-1 lines outside these netblocks.

My blacklistd.conf looks like:

    [local]
    ssh             stream  *       *       *       4       24h
    ftp             stream  *       *       *       3       24h
    smtp            stream  *       *       *       3       24h
    submission      stream  *       *       *       3       24h
    *               *       *       *       *       3       60

    [remote]
    130.209.XX.XX:ssh       *       *       *       *       *       *
    194.XX.XX.XX:ssh        *       *       *       *       *       *
    130.209.XX.XX:ssh       *       *       *       *       *       *

The [local] stanza is almost the default; the [remote] explicitly whitelists three machines. But the whitelisted machines _do not_ match the nfail=-1 machines in the blacklistctl output. They're in the same 130.209.0.0/16 and 194.0.0.0/8, but are not the same IP address.
It's as if the [remote] lines were being parsed as 130.209.0.0/16:ssh and 194.0.0.0/8:ssh, but there's nothing in the by-hand parser of the .conf file that suggests that's what's happening (see lines 224 and 586, last changed March 2018).

What's going on? Why are those ranges whitelisted?

A little background: The machine this is running on is hosting three jails (one of which is the bastion host that this is really protecting, and the blacklistd is listening on sockets in both the host and the bastion jail), it has four IP addresses (one host plus three jails, two of which are in the 172.16.0.0/12 private IP range), and it has a non-trivial, but not particularly complicated pf firewall configuration.

This is the blacklistd in FreeBSD 12.0-RELEASE-p8 (I can't find a version option on blacklistd nor any version strings in the blacklistd binary).

I'm perplexed.

Best wishes,

Norman

-- 
Norman Gray : http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
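As an added example (not part of Norman's mail, and not code from blacklistd itself), the following audit script puts the observation in the post into a repeatable check: it parses the text of `blacklistctl dump -a` and the `[remote]` section of `blacklistd.conf`, then reports every entry whose nfail limit is -1 (read here, as in the post, as 'do not block') that no explicit whitelist line covers, together with the longest address prefix it shares with a whitelisted host. That last column is what makes an accidental /16- or /8-wide whitelist visible at a glance. Assumptions: `[remote]` lines have seven whitespace-separated fields with nfail in the sixth, a `*` nfail marks a whitelist entry, and the service-name-to-port mapping is the usual one; the sample dump and configuration are constructed with RFC 5737 documentation addresses.

```python
"""Audit `blacklistctl dump -a` output against blacklistd.conf [remote] entries.

Added example; not part of blacklistd. Field layout and the meaning of
nfail '*' / limit -1 are assumptions taken from the mailing-list post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed mapping of the service names used in the post's configuration.
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "smtp": 25, "submission": 587}


@dataclass
class DumpEntry:
    net: Network
    port: int
    nfail: int
    limit: int      # -1 is what the post reads as 'do not block'
    last: str


@dataclass
class RemoteEntry:
    net: Network
    port: Optional[int]     # None when the port field is '*'
    nfail: str              # kept as written; '*' is how the post whitelists


def _split_addr_port(token: str) -> Tuple[str, Optional[int]]:
    """Split 'addr[/mask]:port' on the last colon ('[v6addr]:port' also works)."""
    addr, _, port = token.rpartition(":")
    addr = addr.strip("[]")
    if port in ("", "*"):
        return addr, None
    return addr, int(port) if port.isdigit() else SERVICE_PORTS[port]


def parse_dump(text: str) -> List[DumpEntry]:
    """Parse `blacklistctl dump -a` text; the header line and '[...]' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("address/") or line.startswith("["):
            continue
        tokens = line.split()
        # The 'id' column may be empty, so count the fixed columns from the right:
        # ... nfail/limit  YYYY/MM/DD  HH:MM:SS
        addr, port = _split_addr_port(tokens[0])
        nfail, limit = (int(x) for x in tokens[-3].split("/"))
        entries.append(DumpEntry(ipaddress.ip_network(addr, strict=False),
                                 port or 0, nfail, limit, f"{tokens[-2]} {tokens[-1]}"))
    return entries


def parse_remote(conf_text: str) -> List[RemoteEntry]:
    """Collect the [remote] entries of a blacklistd.conf (assumed 7-field layout)."""
    remote, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "remote":
            continue
        tokens = line.split()
        if len(tokens) != 7:
            raise ValueError(f"expected 7 fields in [remote] line: {line!r}")
        addr, port = _split_addr_port(tokens[0])
        remote.append(RemoteEntry(ipaddress.ip_network(addr, strict=False), port, tokens[5]))
    return remote


def covers(r: RemoteEntry, e: DumpEntry) -> bool:
    """True when a [remote] whitelist entry accounts for a dump entry."""
    if r.nfail != "*" or r.net.version != e.net.version or not e.net.subnet_of(r.net):
        return False
    return r.port is None or r.port == e.port


def shared_prefix(a, b) -> int:
    """Number of leading bits two same-family addresses have in common."""
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()


def audit(dump_text: str, conf_text: str) -> List[Tuple[str, int, int, str]]:
    """(address, port, shared prefix length, nearest whitelisted address) for every
    limit=-1 entry that no [remote] whitelist entry covers."""
    remote = parse_remote(conf_text)
    findings = []
    for e in parse_dump(dump_text):
        if e.limit != -1 or any(covers(r, e) for r in remote):
            continue
        family = [r for r in remote if r.net.version == e.net.version]
        plen, nearest = 0, "-"
        if family:
            best = max(family, key=lambda r: shared_prefix(r.net.network_address, e.net.network_address))
            plen, nearest = shared_prefix(best.net.network_address, e.net.network_address), str(best.net.network_address)
        findings.append((str(e.net.network_address), e.port, plen, nearest))
    return findings


# Constructed sample input (RFC 5737 addresses) in the layout of the post's output.
SAMPLE_DUMP = """\
        address/ma:port                 id      nfail   last access
192.0.2.10/32:22                                0/-1    1970/01/01 01:00:00
192.0.2.200/32:22                               6/-1    2020/05/18 11:30:19
198.51.100.5/32:22                              3/-1    2020/05/29 00:35:05
198.51.100.200/32:22                            154/-1  2020/05/29 12:13:21
[...]
203.0.113.35/32:22                              1/4     2020/05/29 10:28:30
"""

SAMPLE_CONF = """\
[local]
ssh             stream  *       *       *       4       24h
*               *       *       *       *       3       60
[remote]
192.0.2.10:ssh          *       *       *       *       *       *
198.51.100.5:ssh        *       *       *       *       *       *
"""

if __name__ == "__main__":
    for addr, port, plen, nearest in audit(SAMPLE_DUMP, SAMPLE_CONF):
        print(f"{addr}:{port} has limit -1 but no [remote] entry covers it; "
              f"shares /{plen} with whitelisted {nearest}")
```

On the constructed input the two explicitly whitelisted hosts are accepted and the two other limit=-1 hosts are reported, each sharing a /24 with one whitelisted address. Run against real output, a consistent shared prefix such as /16 or /8 across all unexplained entries is the pattern the post describes and points at the configuration or parser, whereas scattered prefix lengths point elsewhere.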