From: Petri Riihikallio
To: Mark Felder
Cc: ports@FreeBSD.org
Subject: Re: FreeBSD Port: sshguard-1.6.3 IPFW tule missing
Date: Fri, 18 Mar 2016 16:27:32 +0200

Thanks for the reply!

> I'm not aware of sshguard automatically adding the "deny ip from
> table(22) to me" rule to ipfw. This would be a very difficult thing to
> do reliably as a complex firewall ruleset may need this deny rule
> somewhere different than the very first rule. I certainly don't have it
> as the first rule for my firewall.

After the revamp of IPFW support in SSHGuard it took me a while to figure out why it wasn't guarding anything anymore and then how to fix it. After some time I found out I had two identical rules (but different numbers). Then it took me again a while to figure out where the other rule was coming from, before I found it at the end of /usr/local/etc/rc.d/sshguard. Now it isn't there anymore.

Of course I could be just dreaming, because I don't have any evidence. I love my FreeBSD boxes because I can get away with so little maintenance. Someone could argue I am neglecting them. That's why I am only fixing things afterwards, when something gets broken.

My setup is working fine again. I just would like to help others who are setting up SSHGuard for the first time.
It would have saved me some headscratching if something like 'ipfw "add 55000 deny ip from table(22) to me"' would be set up as an example in the startup script - even if it was commented out. It could also be at the beginning, in the section "Add the following lines to /etc/rc.conf to enable sshguard" where it would also make sense.

br, Petri
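
Whether the deny rule for table(22) exists, and whether it sits ahead of the rule that admits SSH, can be checked from `ipfw list` output. The following is an added example, not part of the original message or the sshguard port; the function name, the sample rulesets and the port-22 matching heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the sshguard port). Reads `ipfw list` output on
# stdin and reports whether the sshguard table is enforced before SSH is
# allowed. Assumes actions print as "allow"/"deny" and the table reference
# as "from table(N)"; the port-22 match is a heuristic.
check_sshguard_rule() {
    awk -v tbl="${1:-22}" '
    {
        line = $0 " "
        # First allow rule that names port 22 ahead of any table deny.
        if (deny == "" && allow == "" && $2 == "allow" &&
            line ~ /(dst-port|to me|to any) ([0-9,-]*,)?22[, ]/)
            allow = $1
        # First deny rule sourced from the sshguard table.
        if (deny == "" && $2 == "deny" && index($0, "from table(" tbl ")"))
            deny = $1
    }
    END {
        if (deny == "")  { print "missing"; exit 1 }
        if (allow != "") { print "shadowed " deny " by " allow; exit 2 }
        print "ok " deny
    }'
}

# Constructed rulesets in `ipfw list` format.
SAMPLE_OK='00100 allow ip from any to any via lo0
55000 deny ip from table(22) to me
56000 allow tcp from any to me dst-port 22 setup keep-state
65535 deny ip from any to any'

SAMPLE_SHADOWED='00100 allow ip from any to any via lo0
01000 allow tcp from any to me dst-port 22 setup keep-state
55000 deny ip from table(22) to me
65535 deny ip from any to any'

SAMPLE_MISSING='00100 allow ip from any to any via lo0
01000 allow tcp from any to me dst-port 22 setup keep-state
65535 deny ip from any to any'

# On a FreeBSD host: ipfw list | check_sshguard_rule 22
```

An exit status of 1 means no deny rule references the table, so sshguard fills the table but nothing is blocked; 2 means the rule exists but an earlier allow rule for port 22 matches first.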