How to setup IPFW working with blacklistd

Ian Smith smithi at nimnet.asn.au
Mon Nov 6 14:10:11 UTC 2017


In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan <rosettas at gmail.com> wrote:

 > Hi All
 > 
 > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1.
 > 
 > my blacklistd is working fine to get sshd failed login attempts.
 > The output:
 > 
 > $ sudo blacklistctl dump -b
 >         address/ma:port id      nfail   last access
 >  1.1.1.1/32:22           3/-1    2017/11/05 01:05:34
 >  2.2.2.2/32:22           3/-1    2017/11/05 13:22:53
 > 
 > but I can't find information how to use the blacklistd database in IPFW
 > from IPFW manpage
 > 
 > would anybody explain that to me?

By all means work with Carmel's offer to look at parsing the database 
output.  All I know about blacklistd(8), blacklistd.conf(5) and 
blacklistctl(8) is what I just now read skimming these manual pages.

However I was surprised to see no mention of using tables rather than 
add)ing or rem)oving individual firewall rules - and you can't use 
'flush' on individual rules in ipfw(8), only on whole sets of rules.

Another problem with adding/removing individual rules is you need to 
allocate a large enough block of rules, then specify distinct rule 
numbers to ipfw(8).  Messy and error-prone, especially for deleting.

So you might need to replace or modify /usr/libexec/blacklistd-helper, 
which I haven't seen but assume is a script, to use its parameters to 
generate commands more like:

 /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
and
 /sbin/ipfw table $OTHERNAME delete addr[/masklen]

as appropriate.  This is immensely more efficient than adding and 
deleting single rules on the fly, more so if there are many entries.

When adding entries, the optional [value] might be a latest timestamp, 
or an expiry timestamp, or anything else you might find useful.

Of course you may need a number of different tables, for blocking ssh, 
webhosts, mailserver or other services, but then need just a few rules 
dedicated to denying (or even specifically enabling) hosts or ports to 
addr[/masklen] entries in a particular table.

 ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
 ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
 ipfw add deny all from table \($REALLYNASTY\) to any in

and such.  Tables really are the way to go for this sort of thing.

cheers, Ian
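An added example (not Ian's code, nor the stock FreeBSD helper) of the table-driven helper replacement sketched above. It assumes the argument order given in the header comment of the stock /usr/libexec/blacklistd-helper ($1 command, $2 rulename, $3 protocol, $4 address, $5 mask, $6 port, $7 id), which should be checked against the installed copy; the table names sshbadguys, spammers and reallynasty are made up for the example, and BLOCK_TIME is a test hook, not a blacklistd parameter.

```sh
#!/bin/sh
# Constructed example of a blacklistd-helper replacement that drives ipfw
# tables instead of numbered rules.  The argument order assumed here follows
# the header comment of the stock /usr/libexec/blacklistd-helper
# ($1 command, $2 rulename, $3 protocol, $4 address, $5 mask, $6 port, $7 id);
# check it against your installed copy.  Table names are made up for the example.

IPFW=${IPFW:-/sbin/ipfw}

# One table per blocked service, so a handful of static deny rules can
# reference them, e.g.:  ipfw add deny tcp from table\(sshbadguys\) to me 22 setup
table_for_port() {
    case "$1" in
        22)      echo sshbadguys ;;
        25|587)  echo spammers ;;
        *)       echo reallynasty ;;
    esac
}

# Print the commands that create the named tables once at boot (ipfw 11.x).
create_tables_cmds() {
    for t in sshbadguys spammers reallynasty; do
        echo "$IPFW table $t create"
    done
}

# Build, but do not run, the ipfw command for one helper invocation.
# "add" stores a Unix timestamp as the table value (BLOCK_TIME overrides it
# for testing); "rem" deletes the entry; "flush" empties the whole table,
# since ipfw has no per-rule flush.
build_cmd() {
    action=$1 addr=$4 mask=$5 port=$6
    table=$(table_for_port "$port")
    case "$action" in
        add)   echo "$IPFW table $table add $addr/$mask ${BLOCK_TIME:-$(date +%s)}" ;;
        rem)   echo "$IPFW table $table delete $addr/$mask" ;;
        flush) echo "$IPFW table $table flush" ;;
        *)     echo "blacklistd-helper: unknown action '$action'" >&2; return 1 ;;
    esac
}

# When invoked by blacklistd with its seven arguments, run the built command.
if [ $# -ge 7 ]; then
    cmd=$(build_cmd "$@") || exit 1
    $cmd   # unquoted on purpose: word-split into ipfw and its arguments
fi
```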
