Date: Sat, 18 Nov 2017 23:18:15 +0100
From: Cos Chan <rosettas@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: Kurt Lidl <lidl@freebsd.org>, freebsd-questions <freebsd-questions@freebsd.org>, Michael Ross <gmx@ross.cx>
Subject: Re: How to setup IPFW working with blacklistd
Message-ID: <CAKV%2BxLDPMtpN0GGZP1=4ZuWhox=aT6kP6t5X_F8En91c=e1rJw@mail.gmail.com>
In-Reply-To: <CAKV%2BxLCYQ=8qwKf_OYvqtdkmcX-c6a1GJf7gqkEwo7dxnVF5mA@mail.gmail.com>
References: <mailman.87.1509969603.28633.freebsd-questions@freebsd.org>
 <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com>
 <20171107033226.M9710@sola.nimnet.asn.au>
 <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com>
 <20171107162914.G9710@sola.nimnet.asn.au>
 <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com>
 <20171108012948.A9710@sola.nimnet.asn.au>
 <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com>
 <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com>
 <20171111213759.I72828@sola.nimnet.asn.au>
 <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com>
 <CAKV%2BxLAt4Ciqmg2w1iJK42jq6f%2BnumASKMQ=UL6dT%2BCdGYujVQ@mail.gmail.com>
 <CAKV%2BxLD_KE938JnmjDE=CmfZ7bOJ1CaqvWuQ%2B0jDzQNWM%2B6yLg@mail.gmail.com>
 <20171115192830.R72828@sola.nimnet.asn.au>
 <CAKV%2BxLB99A8RxyWh5vCnGweOXrCjmPw5r34-tXj=hhJkKcz1=w@mail.gmail.com>
 <e2fdef2f-b1d9-00e6-6ea9-0f1b8d4217ed@FreeBSD.org>
 <20171117005738.V72828@sola.nimnet.asn.au>
 <CAKV%2BxLCYQ=8qwKf_OYvqtdkmcX-c6a1GJf7gqkEwo7dxnVF5mA@mail.gmail.com>
On Thu, Nov 16, 2017 at 10:40 PM, Cos Chan <rosettas@gmail.com> wrote:
>
> On Thu, Nov 16, 2017 at 3:53 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
>
>> On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
>> > On 11/15/17 6:46 AM, Cos Chan wrote:
>> >
>> > > blacklistd.log:
>> > > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
>> > > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
>> > > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
>> >
>> > The "-1 seconds" looks fishy to me.
>> >
>> > What is the /etc/blacklistd.conf on this machine?
>>
>> Whether or not the first block succeeded, which if it had, should have
>> precluded another one two minutes later .. just on this point:
>>
>> -1 here means "never remove" ie duration='*', like nfail='*' is also set
>> to -1 for 'never block'. Noticed in ..
>>
>> [ here /usr/head/src/contrib/blacklist/ ]
>> bin/blacklistd.c: update(void)
>> [..]
>>         if (c.c_duration == -1 || when >= ts.tv_sec)  <<<----
>>                 continue;
>>         if (dbi.id[0]) {
>>                 run_change("rem", &c, dbi.id, 0);
>>                 sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
>>                 syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
>>                     buf, c.c_lmask, c.c_port, c.c_duration);
>>         }
>>         state_del(state, &c);
>>
>> One of the problems with blocklistd-helper is that return codes from it
>> are mostly not checked, in some cases it's run as (void)run_change(..)
>> so it's dependent on the helper script succeeding, and simply ignores
>> any indicated failure - except possibly for an add operation, where it
>> returns -1 if it gets a NULL response (empty string I assume) otherwise
>> it returns 0 after copying the output string to the id (here always OK)
>> .. but it seems nothing cares about the return code either way ..
>>
>> A bit more about making the script more robust - and more informative
>> for debugging, at least re ipfw - is slowly brewing, but I'm running out
>> of spare time at the moment, and will have to quit digging this deep
>> into code I'm unlikely ever to run myself :)
>>
>> [ Cos, do you get any different behaviour if you set duration to some
>> value other than '*'? 30d should be near enough forever for testing ]
>>
>
> Right, I can't see the same "increased after ipfw blocked" issue while I
> change the * to 30d.
>
> I will check again tomorrow.
>

After 2 days of testing the 30d configuration, there is no issue of
increasing fail times after IPFW. So only the * option has this issue?

>
>> cheers, Ian
>>
>
> --
> with kind regards

--
with kind regards
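The point Ian makes above, that the "-1 seconds" in the log is the stored form of duration='*' rather than an error, is easy to confirm with a small model. The following is an added example written for this archive page, not code from blacklistd or from anyone in the thread: it maps a blacklistd.conf duration field to the value the quoted update() check compares against, reproduces the release decision from that check, and formats the same log line. The thread only shows '*' and '30d' as duration values; the 'm' and 'h' suffixes and the -2 "invalid" sentinel are assumptions of this example.

```c
/*
 * Added example: how a blacklistd.conf duration becomes the c_duration value
 * tested in update(), and why duration='*' logs as "for -1 seconds".
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DURATION_FOREVER (-1L)  /* '*' in blacklistd.conf: never remove the rule */
#define DURATION_INVALID (-2L)  /* sentinel used only by this example */

/*
 * Convert a duration field to seconds. "*" means never remove and maps to -1,
 * matching the value seen in the quoted code; a bare number is seconds, and
 * the suffixes m, h and d scale it (only 'd' appears in the thread; the
 * other two are assumed here).
 */
long parse_duration(const char *s)
{
	char *end;
	long v, mult;

	if (strcmp(s, "*") == 0)
		return DURATION_FOREVER;

	v = strtol(s, &end, 10);
	if (end == s || v < 0)
		return DURATION_INVALID;        /* no digits, or negative */

	switch (*end) {
	case '\0': mult = 1; break;
	case 'm':  mult = 60; break;            /* assumed suffix */
	case 'h':  mult = 3600; break;          /* assumed suffix */
	case 'd':  mult = 86400; break;         /* "30d" in the thread */
	default:   return DURATION_INVALID;
	}
	if (*end != '\0' && end[1] != '\0')
		return DURATION_INVALID;        /* trailing junk after the suffix */
	if (v > LONG_MAX / mult)
		return DURATION_INVALID;        /* would overflow */
	return v * mult;
}

/*
 * The release test from update(): the entry is skipped (kept blocked) when
 * c_duration is -1, or when its expiry time 'when' has not passed. The
 * original compares 'when >= now', so the rule is released only once 'now'
 * is strictly past the expiry second. Returns 1 if the rule should go.
 */
int should_release(long duration, time_t blocked_at, time_t now)
{
	time_t when;

	if (duration == DURATION_FOREVER)
		return 0;
	when = blocked_at + duration;
	if (when >= now)
		return 0;
	return 1;
}

/*
 * Reproduce the "blocked a.b.c.d/32:22 for -1 seconds" line so it is clear
 * the -1 is the stored value of '*', not a failure indicator.
 */
int format_block_msg(char *buf, size_t len, const char *addr, int mask,
    int port, long duration)
{
	return snprintf(buf, len, "blocked %s/%d:%d for %ld seconds",
	    addr, mask, port, duration);
}

int main(void)
{
	char msg[128];
	long forever = parse_duration("*");
	long month = parse_duration("30d");

	/* 192.0.2.1 is a documentation address, used here as a constructed sample */
	format_block_msg(msg, sizeof(msg), "192.0.2.1", 32, 22, forever);
	printf("%s\n", msg);
	printf("30d = %ld seconds\n", month);
	printf("release 30d block one second after expiry? %d\n",
	    should_release(month, 1000, 1000 + month + 1));
	printf("release '*' block after a year? %d\n",
	    should_release(forever, 1000, 1000 + 365L * 86400));
	return 0;
}
```

With duration='*' the second branch of should_release() is never reached, so nothing in this path ever releases the rule or logs a "released" line; that is the behaviour Ian describes, and it is why switching to 30d changes what you see on the ipfw side.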