How to setup IPFW working with blacklistd

Ian Smith smithi at nimnet.asn.au
Tue Nov 7 06:22:39 UTC 2017


On Mon, 6 Nov 2017 22:43:02 +0100, Cos Chan wrote:

 > On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
 > 
 > > On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
 > >  > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith <smithi at nimnet.asn.au> wrote:

[ time to cut mightily .. also cc'ing blacklistd maintainer Kurt Lidl 
<lidl at FreeBSD.org> for whom I'll point to the start of this thread at:
https://lists.freebsd.org/pipermail/freebsd-questions/2017-November/279598.html 
]

 > >  > > and such.  Tables really are the way to go for this sort of thing.
 > >  >
 > >  > thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is
 > > good
 > >  > as you said but it needs ipfw-blacklist.rc for ipfw?
 > >  >
 > >  > if [ -f "/etc/ipfw-blacklist.rc" ]; then
 > >  >         pf="ipfw"
 > >  >         . /etc/ipfw-blacklist.rc
 > >  >         ipfw_offset=${ipfw_offset:-2000}
 > >  > fi
 > >  >
 > >  > I could not find this file in /etc/
 > >
 > > Yes, you need to create it.  It's both a "using ipfw" flag and somewhere
 > > to put settings, or at least the needed 'ipfw_offset=4000' one.
 > >
 > > Thanks to Michael Ross for posting the link to these instructions:
 > >
 > >  https://people.freebsd.org/~lidl/blacklistd.html
 > >
 > > I downloaded the tarball from there and checked it out (no 11.x systems
 > > here).  I expect that article has enough info to get you going.

 > Thanks to Michael Ross too.
 > 
 > I have followed the steps but seems not working, here is the ipfw list
 > output:
 > 
 > $ sudo ipfw list
 > 00100 allow ip from any to any via lo0
 > 00200 deny ip from any to 127.0.0.0/8
 > 00300 deny ip from 127.0.0.0/8 to any
 > 00400 deny ip from any to ::1
 > 00500 deny ip from ::1 to any
 > 00600 allow ipv6-icmp from :: to ff02::/16
 > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
 > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
 > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
 > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
 > 01100 check-state :default
 > 01200 allow tcp from me to any established
 > 01300 allow tcp from me to any setup keep-state :default
 > 01400 allow udp from me to any keep-state :default
 > 01500 allow icmp from me to any keep-state :default
 > 01600 allow ipv6-icmp from me to any keep-state :default
 > 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
 > 01800 allow udp from any 67 to me dst-port 68 in
 > 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
 > 02000 allow udp from fe80::/10 to me dst-port 546 in
 > 02100 allow icmp from any to any icmptypes 8
 > 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
 > 02300 allow icmp from any to any icmptypes 3,4,11
 > 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
 > 02500 allow tcp from any to me dst-port 22
 > 02600 allow tcp from any to me dst-port 25
 > 02700 allow tcp from any to me dst-port 80
 > 02800 allow tcp from any to me dst-port 443
 > 02900 allow tcp from any to me dst-port 21
 > 65000 count ip from any to any
 > 65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
 > 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
 > 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
 > 65400 deny ip from any to 255.255.255.255
 > 65500 deny ip from any to 224.0.0.0/24 in
 > 65500 deny udp from any to any dst-port 520 in
 > 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
 > 65500 deny ip from any to any
 > 65535 deny ip from any to any
 > 
 > looks like the blacklist records are not added to ipfw.

Indeed, that looks stock standard.

 > I have also tried to add -C option to rc.conf:
 > 
 > blacklistd_enable="YES"
 > blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"
 > 
 > But also not working. The ipfw list output is same as above.

As mentioned, no FreeBSD 11 system here, so I'm punting on the docs.

I suppose you will have created the flagfile?
 # echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc
You could put that in /etc/rc.local to be sure it survives updates.

Clearly ipfw needs to be running before blacklistd starts, as it's using 
/etc/rc.firewall, which begins by flushing all rules.  You could check 
that's observed on startup - as I assume it must be - with:

 % rcorder /etc/rc.d/* | egrep 'ipfw|blacklist'

Secondly, once ipfw's up, you could manually start blacklistd with the 
-d switch (maybe -dv) to run it in foreground while it's getting going to 
see what it reports.  -C seems to be default, but your use of -r seems 
smart as ipfw doesn't maintain tables across runs (without scripting).

You could also try uncommenting the 'set -x' in blacklistd-helper to get 
a blow-by-blow list (to stderr) of its progress while doing its thing, 
which should provide some solid clues.

Other than that, I'm flying blind :)

 > > Also, despite no mentions in the manuals, the ipfw implementation does
 > > indeed use tables, and in a sensible fashion, given it fits in with the
 > > existing 'workstation' section in /etc/rc.firewall. Quite clever really.
 > >
 > >  > the rc.conf file was modified to:
 > >  >
 > >  > blacklistd_enable="YES"
 > >  > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
 > >  >
 > >  > and the blacklistd restarted but no luck yet.
 > >
 > > Let us know how it works out?

And thanks for cc'ing me on these, as I take the daily questions-digest.

cheers, Ian
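
The checks suggested above (flag file present, ipfw ordered before
blacklistd in rcorder, blacklistd rules actually showing up in `ipfw list`)
can be scripted. The script below is an added example for this page; it is
not code from the thread and not FreeBSD's own blacklistd-helper. It
assumes what the thread describes: the helper numbers its ipfw rules as
ipfw_offset plus the service port (the quoted snippet defaults ipfw_offset
to 2000, the reply suggests 4000) and matches on a per-port table, which
`ipfw list` is assumed to print as "table(...)". The rcorder and ipfw
output embedded in it are constructed samples so the checks run off-box.
It also adds one check the thread does not mention: ipfw stops at the first
matching allow or deny, so a blacklistd deny only bites if its rule number
is lower than the rule that allows traffic to the same port. With offset
4000 and the "02500 allow tcp from any to me dst-port 22" rule in the
listing above, a deny at 4022 would sort after the allow, so this is worth
verifying once rules do appear.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's blacklistd-helper):
# a diagnostic for the ipfw + blacklistd setup discussed above.
# Assumptions, as described in the thread and labelled here: the helper
# numbers its ipfw rules ipfw_offset+port and matches on a per-port table,
# which `ipfw list` shows as "table(...)"; /etc/ipfw-blacklist.rc is the
# flag file that selects ipfw and carries ipfw_offset. The sample rcorder
# and ipfw output below are constructed for offline use.

FLAGFILE=/etc/ipfw-blacklist.rc
OFFSET=4000   # value suggested in the thread; the helper's own default is 2000

# Rule number blacklistd-helper uses for a blocked service port.
bl_rule_number() {
    echo $(( $1 + $2 ))
}

# Succeed only if `rcorder /etc/rc.d/*` output lists ipfw before blacklistd,
# i.e. the firewall (which flushes all rules on start) is up before the daemon.
bl_rcorder_ok() {
    printf '%s\n' "$1" | awk '
        /\/ipfw$/       { ipfw = NR }
        /\/blacklistd$/ { bl = NR }
        END { exit !(ipfw && bl && ipfw < bl) }'
}

# From `ipfw list` output, print the ports that already carry a table-backed
# blacklistd rule (rule number > offset). Empty output = nothing blocked yet.
bl_blocked_ports() {
    printf '%s\n' "$1" | awk -v off="$2" '
        /table\(/ && ($1 + 0) > off { print ($1 + 0) - off }'
}

# ipfw stops at the first matching allow/deny, so a blacklistd deny numbered
# above an earlier "allow ... dst-port N" never fires for port N. Print such
# shadowed ports, lowest first.
bl_shadowed_ports() {
    printf '%s\n' "$1" | awk -v off="$2" '
        $2 == "allow" && /dst-port [0-9]+$/ && !($NF in allow) { allow[$NF] = $1 + 0 }
        $2 == "deny"  && /table\(/ { p = ($1 + 0) - off; deny[p] = $1 + 0 }
        END { for (p in deny) if ((p in allow) && allow[p] < deny[p]) print p }' |
    sort -n
}

# On a FreeBSD host (run as root): create the flag file if missing, then apply
# the checks to the live system. Elsewhere, does nothing and returns 2.
bl_check_host() {
    command -v ipfw >/dev/null 2>&1 || { echo "no ipfw here" >&2; return 2; }
    if [ -f "$FLAGFILE" ]; then
        . "$FLAGFILE"; OFFSET=${ipfw_offset:-$OFFSET}
    else
        printf 'ipfw_offset=%s\n' "$OFFSET" > "$FLAGFILE"
    fi
    if bl_rcorder_ok "$(rcorder /etc/rc.d/* 2>/dev/null)"; then
        echo "ok: ipfw is ordered before blacklistd"
    else
        echo "warning: blacklistd is not ordered after ipfw"
    fi
    list=$(ipfw list)
    ports=$(bl_blocked_ports "$list" "$OFFSET")
    if [ -z "$ports" ]; then
        echo "no blacklistd rules yet (they would be numbered $OFFSET+port);"
        echo "watch it work in the foreground with: blacklistd -d -v -r"
    else
        echo "blacklistd rules present for ports:" $ports
    fi
    shadowed=$(bl_shadowed_ports "$list" "$OFFSET")
    [ -z "$shadowed" ] || echo "warning: deny rule sorts after an allow for port(s):" $shadowed
}

# ---- constructed samples (offline demo and self-check) -------------------
SAMPLE_RCORDER='/etc/rc.d/hostid
/etc/rc.d/ipfw
/etc/rc.d/blacklistd
/etc/rc.d/sshd'
SAMPLE_RCORDER_BAD='/etc/rc.d/blacklistd
/etc/rc.d/ipfw'
# Stock workstation ruleset: no blacklistd rules at all.
SAMPLE_IPFW_STOCK='00100 allow ip from any to any via lo0
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
65535 deny ip from any to any'
# Same ruleset after blacklistd added rules with ipfw_offset=4000.
SAMPLE_IPFW_4000='00100 allow ip from any to any via lo0
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
04022 deny tcp from table(port22) to any dst-port 22
04025 deny tcp from table(port25) to any dst-port 25
65535 deny ip from any to any'
# Same, but with ipfw_offset=2000 so the deny precedes the allow.
SAMPLE_IPFW_2000='00100 allow ip from any to any via lo0
02022 deny tcp from table(port22) to any dst-port 22
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
65535 deny ip from any to any'

case "${1:-}" in
    --host) bl_check_host ;;
    *)  echo "sample rcorder ok: $(bl_rcorder_ok "$SAMPLE_RCORDER" && echo yes || echo no)"
        echo "blocked ports (offset 4000):" $(bl_blocked_ports "$SAMPLE_IPFW_4000" 4000)
        echo "shadowed ports (offset 4000):" $(bl_shadowed_ports "$SAMPLE_IPFW_4000" 4000)
        echo "shadowed ports (offset 2000):" $(bl_shadowed_ports "$SAMPLE_IPFW_2000" 2000) ;;
esac
```

Run it as root with --host on the FreeBSD box to create the flag file and
check the live system; with no arguments it only exercises the checks on
the embedded samples, which is enough to see the offset ordering problem.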

