From: Ian Smith
To: Kurt Lidl
Cc: Cos Chan, freebsd-questions, Michael Ross
Subject: Re: How to setup IPFW working with blacklistd
Date: Fri, 17 Nov 2017 01:53:54 +1100 (EST)
Message-ID: <20171117005738.V72828@sola.nimnet.asn.au>
References: <20171107033226.M9710@sola.nimnet.asn.au> <20171107162914.G9710@sola.nimnet.asn.au> <20171108012948.A9710@sola.nimnet.asn.au> <20171111213759.I72828@sola.nimnet.asn.au> <20171115192830.R72828@sola.nimnet.asn.au>

On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
> On 11/15/17 6:46 AM, Cos Chan wrote:
>
> > blacklistd.log:
> > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22
> > for -1 seconds
> > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
> > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22
> > for -1 seconds
>
> The "-1 seconds"
> looks fishy to me.
>
> What is the /etc/blacklistd.conf on this machine?

Whether or not the first block succeeded, which if it had, should have
precluded another one two minutes later .. just on this point:

-1 here means "never remove" ie duration='*', like nfail='*' is also set
to -1 for 'never block'.  Noticed in .. [ here /usr/head/src/contrib/blacklist/ ]

bin/blacklistd.c: update(void)
[..]
        if (c.c_duration == -1 || when >= ts.tv_sec)   <<<----
                continue;
        if (dbi.id[0]) {
                run_change("rem", &c, dbi.id, 0);
                sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
                syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
                    buf, c.c_lmask, c.c_port, c.c_duration);
        }
        state_del(state, &c);

One of the problems with blacklistd-helper is that return codes from it
are mostly not checked, in some cases it's run as (void)run_change(..)
so it's dependent on the helper script succeeding, and simply ignores
any indicated failure - except possibly for an add operation, where it
returns -1 if it gets a NULL response (empty string I assume) otherwise
it returns 0 after copying the output string to the id (here always OK)
.. but it seems nothing cares about the return code either way ..

A bit more about making the script more robust - and more informative
for debugging, at least re ipfw - is slowly brewing, but I'm running out
of spare time at the moment, and will have to quit digging this deep
into code I'm unlikely ever to run myself :)

[ Cos, do you get any different behaviour if you set duration to some
value other than '*'?  30d should be near enough forever for testing ]

cheers, Ian
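As an added example (not code from this thread, from blacklistd or from FreeBSD): since the daemon logs "blocked" whether or not the helper actually succeeded, a defender can cross-check what blacklistd believes it has blocked against what is really in the ipfw table. The input layouts are assumptions modelled on "blacklistctl dump -b" and "ipfw table portNN list", and the sample data is constructed.

```sh
#!/bin/sh
# Added example, not part of blacklistd: audit blacklistd's view of blocked
# hosts against the ipfw table the helper should have populated.
# Input layouts are ASSUMPTIONS modelled on "blacklistctl dump -b" and
# "ipfw table portNN list"; the sample data below is constructed.

# audit_blocks DUMPFILE TABLEFILE PORT
# Prints "MISSING addr/mask" for every entry blacklistd lists as blocked on
# PORT that is absent from the ipfw table listing. Returns 1 if any are missing.
audit_blocks() {
    dump=$1 table=$2 port=$3 rc=0
    # Dump lines are assumed to look like:
    #   132.148.128.234/32:22   OK   3/3   2017/11/15 12:13:42
    # Keep field 1 of entries that end in ":PORT", with that suffix stripped.
    for entry in $(awk -v p="$port" '{ if (sub(":" p "$", "", $1)) print $1 }' "$dump"); do
        # Table lines are assumed to look like "132.148.128.234/32 0" after a
        # "--- table(port22), set(0) ---" header; brackets around IPv6 are dropped.
        if ! awk -v e="$entry" \
            '{ gsub(/\[|\]/, "", $1) } $1 == e { f = 1 } END { exit (f ? 0 : 1) }' "$table"
        then
            echo "MISSING $entry"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "blacklistctl dump -b" (the port 25 entry must be ignored).
sample_dump() {
    cat <<'EOF'
        address/ma:port id      nfail   last access
132.148.128.234/32:22   OK      3/3     2017/11/15 12:13:42
203.0.113.7/32:22       OK      3/3     2017/11/15 12:20:01
198.51.100.9/32:25      OK      3/3     2017/11/15 12:21:11
EOF
}

# Constructed sample of "ipfw table port22 list": the second host never made it in.
sample_table() {
    cat <<'EOF'
--- table(port22), set(0) ---
132.148.128.234/32 0
EOF
}
```

Run it as "sample_dump > d; sample_table > t; audit_blocks d t 22": it prints MISSING 203.0.113.7/32 and exits 1, which is exactly the case the daemon's own log would never reveal.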