How to setup IPFW working with blacklistd

Cos Chan rosettas at gmail.com
Mon Nov 6 21:43:06 UTC 2017


On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith <smithi at nimnet.asn.au> wrote:

> On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
>  > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
>  >
>  > > In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
>  > > On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan <rosettas at gmail.com> wrote:
>  > >
>  > >  > Hi All
>  > >  >
>  > >  > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1.
>  > >  >
>  > >  > my blacklistd is working fine to get sshd failed login attempts.
>  > >  > The output:
>  > >  >
>  > >  > $ sudo blacklistctl dump -b
>  > >  >         address/ma:port id      nfail   last access
>  > >  >  1.1.1.1/32:22           3/-1    2017/11/05 01:05:34
>  > >  >  2.2.2.2/32:22           3/-1    2017/11/05 13:22:53
>  > >  >
>  > >  > but I can't find information on how to use the blacklistd database in IPFW
>  > >  > from the IPFW manpage
>  > >  >
>  > >  > would anybody explain that to me?
>  > >
>  > > By all means work with Carmel's offer to look at parsing the database
>  > > output.  All I know about blacklistd(8), blacklistd.conf(5) and
>  > > blacklistctl(8) is what I just now read skimming these manual pages.
>  > >
>  > > However I was surprised to see no mention of using tables rather than
>  > > add)ing or rem)oving individual firewall rules - and you can't use
>  > > 'flush' on individual rules in ipfw(8), only on whole sets of rules.
>  > >
>  > > Another problem with adding/removing individual rules is you need to
>  > > allocate a large enough block of rules, then specify distinct rule
>  > > numbers to ipfw(8).  Messy and error-prone, especially for deleting.
>  > >
>  > > So you might need to replace or modify /usr/libexec/blacklistd-helper,
>  > > which I haven't seen but assume is a script, to use its parameters to
>  > > generate commands more like:
>  > >
>  > >  /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
>  > > and
>  > >  /sbin/ipfw table $OTHERNAME delete addr[/masklen]
>  > >
>  > > as appropriate.  This is immensely more efficient than adding and
>  > > deleting single rules on the fly, more so if there are many entries.
>  > >
>  > > When adding entries, the optional [value] might be a latest timestamp,
>  > > or an expiry timestamp, or anything else you might find useful.
>  > >
>  > > Of course you may need a number of different tables, for blocking ssh,
>  > > webhosts, mailserver or other services, but then need just a few rules
>  > > dedicated to denying (or even specifically enabling) hosts or ports to
>  > > addr[/masklen] entries in a particular table.
>  > >
>  > >  ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
>  > >  ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
>  > >  ipfw add deny all from table \($REALLYNASTY\) to any in
>  > >
>  > > and such.  Tables really are the way to go for this sort of thing.
>  >
>  > Thanks, I studied /usr/libexec/blacklistd-helper; it looks like it is good
>  > as you said, but it needs ipfw-blacklist.rc for ipfw?
>  >
>  > if [ -f "/etc/ipfw-blacklist.rc" ]; then
>  >         pf="ipfw"
>  >         . /etc/ipfw-blacklist.rc
>  >         ipfw_offset=${ipfw_offset:-2000}
>  > fi
>  >
>  > I could not find this file in /etc/
>
> Yes, you need to create it.  It's both a "using ipfw" flag and somewhere
> to put settings, or at least the needed 'ipfw_offset=4000' one.
>
> Thanks to Michael Ross for posting the link to these instructions:
>
>  https://people.freebsd.org/~lidl/blacklistd.html
>
> I downloaded the tarball from there and checked it out (no 11.x systems
> here).  I expect that article has enough info to get you going.
>

Thanks to Michael Ross too.

I have followed the steps but it seems not to be working; here is the ipfw list
output:

$ sudo ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 443
02900 allow tcp from any to me dst-port 21
65000 count ip from any to any
65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny ip from any to any
65535 deny ip from any to any

Looks like the blacklist records are not added to ipfw.

I have also tried adding the -C option in rc.conf:

blacklistd_enable="YES"
blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"

But that is also not working. The ipfw list output is the same as above.


>
> Also, despite no mentions in the manuals, the ipfw implementation does
> indeed use tables, and in a sensible fashion, given it fits in with the
> existing 'workstation' section in /etc/rc.firewall. Quite clever really.
>
>  > the rc.conf file was modified to:
>  >
>  > blacklistd_enable="YES"
>  > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
>  >
>  > and the blacklistd restarted but no luck yet.
>
> Let us know how it works out?
>
> cheers, Ian
>



-- 
with kind regards
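Ian's table-based approach, as an added example that is not part of this thread and not FreeBSD's /usr/libexec/blacklistd-helper: a POSIX sh script that parses `blacklistctl dump -b` output like the one quoted above and prints the corresponding `ipfw table` commands, plus the handful of deny rules that consult those tables. The table names (`sshbadguys`, `spammers`), the rule numbers 2450/2460, the reading of the dump columns as addr/mask:port, id, fails/threshold, last access, and the sample dump itself are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeBSD's blacklistd-helper:
# turn "blacklistctl dump -b" output into ipfw *table* operations, as Ian
# suggests, instead of adding one numbered deny rule per address.
# Nothing here calls ipfw; every function prints the commands so they can
# be reviewed first (on a FreeBSD host: gen_table_adds "$dump" | sudo sh).

# Constructed sample in the layout shown in the thread. Assumed meaning of
# the columns: addr/mask:port, id (blank here; it would hold the helper's
# rule id), fails/threshold, last access. An IPv6 row is included to show
# that the port must be split off at the *last* colon.
SAMPLE_DUMP='        address/ma:port id      nfail   last access
 1.1.1.1/32:22           3/-1    2017/11/05 01:05:34
 2.2.2.2/32:22           3/-1    2017/11/05 13:22:53
 3.3.3.3/32:25           5/3     2017/11/06 08:10:00
 2001:db8::5/128:22      4/3     2017/11/06 09:00:00'

# One table per blocked service. The names are this example's own choice.
table_for_port() {
  case "$1" in
    22)     echo sshbadguys ;;
    25|587) echo spammers ;;
    *)      echo "blocked_$1" ;;
  esac
}

# Parse the dump into "addr/mask port fails" triples. Fields are taken
# from the right so a present or absent id column does not shift them:
# the last two are date and time, the third from last is fails/threshold.
parse_dump() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 {
      if (match($1, /:[0-9]+$/) == 0) next   # no ":port" suffix, skip
      addr = substr($1, 1, RSTART - 1)
      port = substr($1, RSTART + 1)
      split($(NF - 2), f, "/")                # f[1] = failures so far
      print addr, port, f[1]
  }'
}

# Emit one "table add" per entry; the failure count is stored as the
# entry value so "ipfw table <name> list" shows it later.
gen_table_adds() {
  parse_dump "$1" | while read -r addr port nfail; do
    printf '/sbin/ipfw table %s add %s %s\n' \
      "$(table_for_port "$port")" "$addr" "$nfail"
  done
}

# The matching unblock ("rem" in blacklistd-helper terms) for one entry.
gen_table_delete() {
  printf '/sbin/ipfw table %s delete %s\n' "$(table_for_port "$2")" "$1"
}

# One-time setup: create the tables and the few deny rules that consult
# them. The rule numbers are arbitrary but deliberately sit *before* the
# "allow tcp from any to me dst-port 22/25" rules (02500, 02600 in the
# listing above); otherwise the allow matches first. The table(...) form
# is single-quoted so the parentheses survive if this output is fed to sh.
gen_rules() {
  cat <<'EOF'
/sbin/ipfw table sshbadguys create type addr
/sbin/ipfw table spammers create type addr
/sbin/ipfw add 2450 deny tcp from 'table(sshbadguys)' to me 22 setup
/sbin/ipfw add 2460 deny tcp from 'table(spammers)' to any 25,587 setup
EOF
}

# Stand-alone run: print the setup, then the adds for the sample dump.
gen_rules
gen_table_adds "$SAMPLE_DUMP"
```

Because entries live in tables, unblocking is a single `table ... delete` rather than hunting for a rule number, and the deny rules never change once installed; the only thing to get right is their position relative to the host's own allow rules.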
