From: Ian Smith
To: Cos Chan
Cc: freebsd-questions, Carmel NY, Michael Ross
Subject: Re: How to setup IPFW working with blacklistd
Date: Tue, 7 Nov 2017 03:50:44 +1100 (EST)
Message-ID: <20171107033226.M9710@sola.nimnet.asn.au>
References: <20171106235944.U9710@sola.nimnet.asn.au>

On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
> On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith wrote:
> > In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
> > On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan wrote:
> >
> > > Hi All
> > >
> > > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1.
> > >
> > > my blacklistd is working fine to get sshd failed login attempts.
> > > The output:
> > >
> > > $ sudo blacklistctl dump -b
> > > address/ma:port id nfail last access
> > > 1.1.1.1/32:22 3/-1 2017/11/05 01:05:34
> > > 2.2.2.2/32:22 3/-1 2017/11/05 13:22:53
> > >
> > > but I can't find information how to use the blacklistd database in IPFW
> > > from IPFW manpage
> > >
> > > would anybody explain that to me?
> >
> > By all means work with Carmel's offer to look at parsing the database
> > output. All I know about blacklistd(8), blacklistd.conf(5) and
> > blacklistctl(8) is what I just now read skimming these manual pages.
> >
> > However I was surprised to see no mention of using tables rather than
> > add)ing or rem)oving individual firewall rules - and you can't use
> > 'flush' on individual rules in ipfw(8), only on whole sets of rules.
> >
> > Another problem with adding/removing individual rules is you need to
> > allocate a large enough block of rules, then specify distinct rule
> > numbers to ipfw(8). Messy and error-prone, especially for deleting.
> >
> > So you might need to replace or modify /usr/libexec/blacklistd-helper,
> > which I haven't seen but assume is a script, to use its parameters to
> > generate commands more like:
> >
> > /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
> > and
> > /sbin/ipfw table $OTHERNAME delete addr[/masklen]
> >
> > as appropriate. This is immensely more efficient than adding and
> > deleting single rules on the fly, more so if there are many entries.
> >
> > When adding entries, the optional [value] might be a latest timestamp,
> > or an expiry timestamp, or anything else you might find useful.
> >
> > Of course you may need a number of different tables, for blocking ssh,
> > webhosts, mailserver or other services, but then need just a few rules
> > dedicated to denying (or even specifically enabling) hosts or ports to
> > addr[/masklen] entries in a particular table.
> >
> > ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
> > ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
> > ipfw add deny all from table \($REALLYNASTY\) to any in
> >
> > and such. Tables really are the way to go for this sort of thing.
>
> thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is good
> as you said but it needs ipfw-blacklist.rc for ipfw?
>
> if [ -f "/etc/ipfw-blacklist.rc" ]; then
>     pf="ipfw"
>     . /etc/ipfw-blacklist.rc
>     ipfw_offset=${ipfw_offset:-2000}
> fi
>
> I could not find this file in /etc/

Yes, you need to create it. It's both a "using ipfw" flag and somewhere to
put settings, or at least the needed 'ipfw_offset=4000' one.

Thanks to Michael Ross for posting the link to these instructions:

https://people.freebsd.org/~lidl/blacklistd.html

I downloaded the tarball from there and checked it out (no 11.x systems
here). I expect that article has enough info to get you going.

Also, despite no mentions in the manuals, the ipfw implementation does
indeed use tables, and in a sensible fashion, given it fits in with the
existing 'workstation' section in /etc/rc.firewall. Quite clever really.

> the rc.conf file was modified to:
>
> blacklistd_enable="YES"
> blacklistd_flags="-C /usr/libexec/blacklistd-helper"
>
> and the blacklistd restarted but no luck yet.

Let us know how it works out?

cheers, Ian
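As an added example (not from the thread and not FreeBSD's own blacklistd-helper), this POSIX sh script turns `blacklistctl dump -b` output into the per-address `ipfw table ... add` commands the thread recommends, keyed by service port, and prints the one static rule that consumes the table; the table name, the sample dump (documentation addresses) and the `IPFW=echo` dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not the project's blacklistd-helper: feed `blacklistctl dump -b`
# output into an ipfw table instead of adding one firewall rule per address.
# IPFW defaults to "echo" so commands are printed; set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-echo}

# Constructed sample dump in the format shown in the thread (documentation addresses).
SAMPLE_DUMP='address/ma:port id nfail last access
192.0.2.10/32:22 3/-1 2017/11/05 01:05:34
198.51.100.7/32:22 3/-1 2017/11/05 13:22:53
203.0.113.5/32:25 2/-1 2017/11/05 14:00:00'

# dump_to_table TABLE PORT < dump
# Emits one "ipfw table TABLE add addr/masklen nfail" per entry blocked on PORT;
# the fail count is stored as the table value so it can be read back later.
dump_to_table() {
    table=$1; port=$2
    tail -n +2 | while read -r addrport nfail _rest; do   # skip the header line
        entry=${addrport%:*}          # 192.0.2.10/32
        entry_port=${addrport##*:}    # 22
        count=${nfail%%/*}            # 3 (from "3/-1")
        [ -n "$entry" ] && [ "$entry_port" = "$port" ] || continue
        $IPFW table "$table" add "$entry" "$count"
    done
}

# block_rule NUM TABLE PORT
# Prints the single rule that denies new connections from everything in TABLE,
# so the rule set itself never changes as addresses are added or removed.
block_rule() {
    printf 'ipfw add %s deny tcp from table(%s) to me %s setup\n' "$1" "$2" "$3"
}

# Example run: populate the ssh table and show the rule that uses it.
printf '%s\n' "$SAMPLE_DUMP" | dump_to_table sshbadguys 22
block_rule 4000 sshbadguys 22
```

Entries expire on the blacklistd side; a matching `$IPFW table "$table" delete "$entry"` on the helper's `rem` path keeps the table in step, which the thread's earlier message already outlines.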