From owner-freebsd-questions@freebsd.org Wed Sep 30 17:58:43 2015
Date: Thu, 1 Oct 2015 03:58:32 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Nino J
cc: Alexandre, freebsd-questions@freebsd.org
Subject: Re: SSHguard & IPFW
Message-ID: <20151001033001.R67283@sola.nimnet.asn.au>

In freebsd-questions Digest, Vol 591, Issue 2, Message: 14

On Wed, 30 Sep 2015 09:41:55 +0200 Nino J wrote:

 > On Tue, Sep 29, 2015 at 4:24 PM, Alexandre wrote:
 > >
 > > >> About the blocking rules reservation in IPFW (from rule 55000 to
 > > >> 55050), anyone experienced yet full use of these rules?
 > > >> By default, fifteen addresses can be blocked together. But how SSHGUARD
 > > >> works in this case for the newest one (51st)?
 > > >>
 > > >> Thank you in advance for your clarifications.
 > > >> Alexandre
 > >
 > > To answer your second question, IPFW has no problem using the same rule
 > number for multiple rules. Thus sshguard is not limited to 50 addresses.
 >
 > Also, next version of sshguard won't use IPFW rules, but rather an IPFW
 > table to insert IP addresses to be blocked. Thus it will only need a single
 > deny rule.

That's so much smarter than a fixed block of rule numbers, and you can put
your table lookup or action rule/s wherever you want in rulesets. Moreover,
utilities could add a 32 bit value to table entries such as a timestamp (for
later expiry) or a skipto address for classification of different types of
detected behaviours, whatever ..

 > I'm currently using development version of sshguard which uses IPFW table
 > and it works fine for me.

I'm more paranoid and only allow addresses in a table to access sshd's port,
with a couple of roaming users who need to check mail to update their IP
before login .. but this is great news for sshguard users.

cheers, Ian
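The table-driven design discussed in this thread (one deny rule keyed on an IPFW table, plus a per-entry 32-bit value used as a block timestamp so entries can be expired later) is shown below as an added illustration. It is not code from the list post, from sshguard, or from the FreeBSD project; the table number 1, rule number 55000 and the 3600-second TTL are assumptions, and the table listing fed to the expiry check is a constructed sample. The legacy numbered-table syntax ("ipfw table 1 add <addr> <value>") is used so it matches IPFW as it was in 2015; IPFW defaults to "echo ipfw" so the script can be dry-run anywhere, and IPFW=ipfw applies the commands on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the list post or from sshguard.
# Assumed (hypothetical): table number 1, rule number 55000, TTL of one hour.
# IPFW defaults to "echo ipfw" so the script only prints the commands; set
# IPFW=ipfw on a FreeBSD box to change the firewall for real.

IPFW="${IPFW:-echo ipfw}"
TABLE=1
RULE=55000
TTL="${TTL:-3600}"      # seconds an address stays blocked

# A single deny rule in front of sshd, keyed on the table, replaces a fixed
# block of per-address numbered rules; the table grows as needed.
install_rules() {
    $IPFW add "$RULE" deny tcp from "table($TABLE)" to me 22
}

# Block an address; the entry value records when it was added (Unix time),
# which is the "32 bit value" the post suggests using for later expiry.
block_addr() {
    $IPFW table "$TABLE" add "$1" "$(date +%s)"
}

# Read a table listing ("addr/mask value" per line) on stdin and print the
# addresses whose timestamp value is older than TTL relative to "$1" (now).
# Lines without exactly two fields (e.g. echo dry-run output) are ignored.
expired_entries() {
    awk -v now="$1" -v ttl="$TTL" '
        NF == 2 && now - $2 > ttl { sub(/\/32$/, "", $1); print $1 }'
}

# Remove every expired entry from the live table.
expire_blocks() {
    $IPFW table "$TABLE" list | expired_entries "$(date +%s)" |
    while read -r addr; do
        $IPFW table "$TABLE" delete "$addr"
    done
}

# Constructed sample of what "ipfw table 1 list" prints: one entry blocked
# at time 1000 and one at time 5000 (values are Unix timestamps).
SAMPLE_LISTING='192.0.2.10/32 1000
192.0.2.11/32 5000'

# Dry-run walk-through: ./script.sh demo
if [ "${1:-}" = demo ]; then
    install_rules
    block_addr 192.0.2.12
    echo "expired at t=5500 with TTL=$TTL:"
    printf '%s\n' "$SAMPLE_LISTING" | expired_entries 5500
fi
```

Run with the demo argument to see the generated ipfw commands and which sample entry would be expired; a cron job calling expire_blocks gives the timed unblocking that a fixed rule block cannot express.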