From: Cos Chan
Date: Thu, 16 Nov 2017 22:40:53 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: Kurt Lidl, freebsd-questions, Michael Ross

On Thu, Nov 16, 2017 at 3:53 PM, Ian Smith wrote:
> On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
> > On 11/15/17 6:46 AM, Cos Chan wrote:
> >
> > > blacklistd.log:
> > > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
> > > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
> > > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
> >
> > The "-1 seconds" looks fishy to me.
> >
> > What is the /etc/blacklistd.conf on this machine?
>
> Whether or not the first block succeeded, which if it had, should have
> precluded another one two minutes later ..
> just on this point:
>
> -1 here means "never remove", ie duration='*', like nfail='*' is also set
> to -1 for 'never block'. Noticed in ..
>
> [ here /usr/head/src/contrib/blacklist/ ]
> bin/blacklistd.c: update(void)
> [..]
>         if (c.c_duration == -1 || when >= ts.tv_sec)   <<<----
>                 continue;
>         if (dbi.id[0]) {
>                 run_change("rem", &c, dbi.id, 0);
>                 sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
>                 syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
>                     buf, c.c_lmask, c.c_port, c.c_duration);
>         }
>         state_del(state, &c);
>
> One of the problems with blacklistd-helper is that return codes from it
> are mostly not checked; in some cases it's run as (void)run_change(..),
> so it's dependent on the helper script succeeding, and simply ignores
> any indicated failure - except possibly for an add operation, where it
> returns -1 if it gets a NULL response (empty string I assume), otherwise
> it returns 0 after copying the output string to the id (here always OK)
> .. but it seems nothing cares about the return code either way ..
>
> A bit more about making the script more robust - and more informative
> for debugging, at least re ipfw - is slowly brewing, but I'm running out
> of spare time at the moment, and will have to quit digging this deep
> into code I'm unlikely ever to run myself :)
>
> [ Cos, do you get any different behaviour if you set duration to some
> value other than '*'? 30d should be near enough forever for testing ]

Right, I can't see the same "increased after ipfw blocked" issue when I
change the * to 30d. I will check again tomorrow.

> cheers, Ian

--
with kind regards
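To make the log semantics discussed in this thread concrete, here is an added example; it is not code from the thread, from blacklistd or from blacklistd-helper. It is a small Python parser for blacklistd.log lines in the format quoted above. It treats "-1 seconds" as duration='*' (a block that update() will never release) and flags the situation Kurt and Ian point at: an address being "blocked" again while an earlier block for the same address and port has not been released. The sample log lines are constructed, modelled on the quoted excerpt; the second address (198.51.100.7) and its timestamps are made up.

```python
import re

# Constructed sample log, modelled on the blacklistd.log excerpt quoted in the
# thread. The 198.51.100.7 entries are invented to show a timed block being released.
SAMPLE_LOG = """\
Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:20:01 res blacklistd[22100]: blocked 198.51.100.7/32:22 for 2592000 seconds
Dec 15 12:20:01 res blacklistd[22100]: released 198.51.100.7/32:22 after 2592000 seconds
"""

# "blocked A/M:P for N seconds" and "released A/M:P after N seconds" (syslog prefix first).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ blacklistd\[\d+\]: "
    r"(?P<event>blocked|released) (?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+):(?P<port>\d+) "
    r"(?:for|after) (?P<secs>-?\d+) seconds$"
)


def parse_line(line):
    """Parse one block/release line; return None for anything else (e.g. 'rule exists OK')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m.group("secs"))
    return {
        "ts": m.group("ts"),
        "event": m.group("event"),
        "addr": m.group("addr"),
        "mask": int(m.group("mask")),
        "port": int(m.group("port")),
        # -1 is how blacklistd logs duration='*': the block is never released.
        "duration": None if secs == -1 else secs,
    }


def replay(log_text):
    """Replay the log in order.

    Returns (active, repeats): `active` maps (addr, port) -> duration for blocks
    not yet released; `repeats` lists (timestamp, (addr, port)) for every
    'blocked' line that hit a key already active, i.e. the re-block seen in the
    thread two minutes after the first block.
    """
    active = {}
    repeats = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["addr"], ev["port"])
        if ev["event"] == "blocked":
            if key in active:
                repeats.append((ev["ts"], key))
            active[key] = ev["duration"]
        else:
            active.pop(key, None)
    return active, repeats


def find_repeat_blocks(log_text):
    """Blocks issued for an address/port that was already blocked and not released."""
    return replay(log_text)[1]


def permanent_blocks(log_text):
    """Still-active blocks that carry duration='*' and so will never be released."""
    active, _ = replay(log_text)
    return {key for key, duration in active.items() if duration is None}


if __name__ == "__main__":
    for ts, (addr, port) in find_repeat_blocks(SAMPLE_LOG):
        print(f"{ts}: {addr} port {port} blocked again while still blocked")
    for addr, port in sorted(permanent_blocks(SAMPLE_LOG)):
        print(f"permanent block (duration='*'): {addr} port {port}")
```

Run against a real blacklistd.log, a non-empty result from find_repeat_blocks() is the symptom worth chasing: either the first block never reached ipfw (the helper's exit status being ignored, as Ian notes), or the database entry was lost between the two events.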