Date: Fri, 18 Mar 2016 16:27:32 +0200
From: Petri Riihikallio <petri.riihikallio@metis.fi>
To: Mark Felder <feld@FreeBSD.org>
Cc: ports@FreeBSD.org
Subject: Re: FreeBSD Port: sshguard-1.6.3 IPFW tule missing
Message-ID: <7BF6A21D-C2C5-4E26-9DFA-4A5E2249AD1D@metis.fi>
In-Reply-To: <1458219850.1252125.551938618.234203BC@webmail.messagingengine.com>
References: <172178A6-5745-41A8-A7D0-3D99286AA67B@metis.fi> <1458219850.1252125.551938618.234203BC@webmail.messagingengine.com>

Thanks for the reply!

> I'm not aware of sshguard automatically adding the "deny ip from
> table(22) to me" rule to ipfw. This would be a very difficult thing to
> do reliably as a complex firewall ruleset may need this deny rule
> somewhere different than the very first rule. I certainly don't have it
> as the first rule for my firewall.

After the revamp of IPFW support in SSHGuard it took me a while to figure out why it wasn't guarding anything anymore and then how to fix it. After some time I found out I had two identical rules (but different numbers). Then it took me again a while to figure out where the other rule was coming from, before I found it at the end of /usr/local/etc/rc.d/sshguard. Now it isn't there anymore.

Of course I could be just dreaming, because I don't have any evidence. I love my FreeBSD boxes because I can get away with so little maintenance. Someone could argue I am neglecting them. That's why I am only fixing things afterwards, when something gets broken.

My setup is working fine again. I just would like to help others who are setting up SSHGuard for the first time. It would have saved me some head-scratching if something like 'ipfw "add 55000 deny ip from table(22) to me"' would be set up as an example in the startup script - even if it was commented out. It could also be at the beginning, in the section "Add the following lines to /etc/rc.conf to enable sshguard" where it would also make sense.

br,
Petri
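
The two failure modes described in the message (no deny rule for the SSHGuard table, so nothing is blocked, and the same deny rule present twice under different numbers) can be checked from `ipfw list` output. The following is an added example, not part of the original message or of the sshguard port; the function names and the sample rulesets are constructed for illustration, while table 22 and rule number 55000 are taken from the message.

```shell
#!/bin/sh
# Added example: audit `ipfw list` output (read on stdin) for the rule
# that makes the SSHGuard table effective.

# Print the rule number of every deny rule whose source is table(N).
sshguard_deny_rules() {
    awk -v t="table($1)" '
        $2 == "deny" {
            # Scan past optional keywords (log, proto) to the "from" clause.
            for (i = 3; i < NF; i++)
                if ($i == "from" && $(i + 1) == t) { print $1; next }
        }'
}

# Report MISSING (rc 1), OK (rc 0) or DUPLICATE (rc 2) for table N.
audit_sshguard_rule() {
    rules=$(sshguard_deny_rules "$1")
    count=$(printf '%s\n' "$rules" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) echo "MISSING"; return 1 ;;
        1) echo "OK: $rules"; return 0 ;;
        *) echo "DUPLICATE: $(echo $rules)"; return 2 ;;
    esac
}

# Constructed sample rulesets in `ipfw list` format.
SAMPLE_MISSING='00100 allow ip from any to any via lo0
65535 deny ip from any to any'
SAMPLE_OK='00100 allow ip from any to any via lo0
55000 deny ip from table(22) to me
65535 deny ip from any to any'
# Second rule number is constructed; the message only says the numbers differed.
SAMPLE_DUP='00100 allow ip from any to any via lo0
55000 deny ip from table(22) to me
56000 deny ip from table(22) to me
65535 deny ip from any to any'

for sample in "$SAMPLE_MISSING" "$SAMPLE_OK" "$SAMPLE_DUP"; do
    printf '%s\n' "$sample" | audit_sshguard_rule 22 || true
done
```

On a live host the same check is `ipfw list | audit_sshguard_rule 22`. It reports presence and duplication only; where the deny rule belongs relative to the rest of the ruleset remains a per-firewall decision, as the quoted reply notes.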