How to setup IPFW working with blacklistd
Ian Smith
smithi at nimnet.asn.au
Tue Nov 7 06:22:39 UTC 2017
On Mon, 6 Nov 2017 22:43:02 +0100, Cos Chan wrote:
> On Mon, Nov 6, 2017 at 5:50 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
>
> > On Mon, 6 Nov 2017 16:41:41 +0100, Cos Chan wrote:
> > > On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
[ time to cut mightily .. also cc'ing blacklistd maintainer Kurt Lidl
<lidl at FreeBSD.org> for whom I'll point to the start of this thread at:
https://lists.freebsd.org/pipermail/freebsd-questions/2017-November/279598.html
]
> > > > and such. Tables really are the way to go for this sort of thing.
> > >
> > > thanks, I studied the /usr/libexec/blacklistd-helper, looks like it is
> > good
> > > as you said but it needs ipfw-blacklist.rc for ipfw?
> > >
> > > if [ -f "/etc/ipfw-blacklist.rc" ]; then
> > > pf="ipfw"
> > > . /etc/ipfw-blacklist.rc
> > > ipfw_offset=${ipfw_offset:-2000}
> > > fi
> > >
> > > I could not find this file in /etc/
> >
> > Yes, you need to create it. It's both a "using ipfw" flag and somewhere
> > to put settings, or at least the needed 'ipfw_offset=4000' one.
> >
> > Thanks to Michael Ross for posting the link to these instructions:
> >
> > https://people.freebsd.org/~lidl/blacklistd.html
> >
> > I downloaded the tarball from there and checked it out (no 11.x systems
> > here). I expect that article has enough info to get you going.
> Thanks to Michael Ross too.
>
> I have followed the steps but seems not working, here is the ipfw list
> output:
>
> $ sudo ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 check-state :default
> 01200 allow tcp from me to any established
> 01300 allow tcp from me to any setup keep-state :default
> 01400 allow udp from me to any keep-state :default
> 01500 allow icmp from me to any keep-state :default
> 01600 allow ipv6-icmp from me to any keep-state :default
> 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> 01800 allow udp from any 67 to me dst-port 68 in
> 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> 02000 allow udp from fe80::/10 to me dst-port 546 in
> 02100 allow icmp from any to any icmptypes 8
> 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> 02300 allow icmp from any to any icmptypes 3,4,11
> 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
> 02500 allow tcp from any to me dst-port 22
> 02600 allow tcp from any to me dst-port 25
> 02700 allow tcp from any to me dst-port 80
> 02800 allow tcp from any to me dst-port 443
> 02900 allow tcp from any to me dst-port 21
> 65000 count ip from any to any
> 65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
> 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
> 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
> 65400 deny ip from any to 255.255.255.255
> 65500 deny ip from any to 224.0.0.0/24 in
> 65500 deny udp from any to any dst-port 520 in
> 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
> 65500 deny ip from any to any
> 65535 deny ip from any to any
>
> looks like the blacklist records are not added to ipfw.
Indeed, that looks stock standard.
> I have also tried to add -C option to rc.conf:
>
> blacklistd_enable="YES"
> blacklistd_flags="-r -C /usr/libexec/blacklistd-helper"
>
> But also not working. The ipfw list output is same as above.
As mentioned, no FreeBSD 11 system here, so I'm punting on the docs.
I suppose you will have created the flagfile?
# echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc
You could put that in /etc/rc.local to be sure it survives updates.
Clearly ipfw needs to be running before blacklistd starts, as it's using
/etc/rc.firewall, which begins by flushing all rules. You could check
that's observed on startup - as I assume it must be - with:
% rcorder /etc/rc.d/* | egrep 'ipfw|blacklist'
Secondly, once ipfw's up, you could manually start blacklistd with the
-d switch (maybe -dv) to run it in forground while it's getting going to
see what it reports. -C seems to be default, but your use of -r seems
smart as ipfw doesn't maintain tables across runs (without scripting).
You could also try uncommenting the 'set -x' in blacklistd-helper to get
a blow-by-blow list (to stderr) of its progress while doing its thing,
which should provide some solid clues.
Other than that, I'm flying blind :)
> > Also, despite no mentions in the manuals, the ipfw implementation does
> > indeed use tables, and in a sensible fashion, given it fits in with the
> > existing 'workstation' section in /etc/rc.firewall. Quite clever really.
> >
> > > the rc.conf file was modified to:
> > >
> > > blacklistd_enable="YES"
> > > blacklistd_flags="-C /usr/libexec/blacklistd-helper"
> > >
> > > and the blacklistd restarted but no luck yet.
> >
> > Let us know how it works out?
And thanks for cc'ing me on these, as I take the daily questions-digest.
cheers, Ian
More information about the freebsd-questions
mailing list