How to setup IPFW working with blacklistd

Ian Smith smithi at nimnet.asn.au
Thu Nov 16 14:54:07 UTC 2017 

On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
 > On 11/15/17 6:46 AM, Cos Chan wrote:
 > 
 > > blacklistd.log:
 > > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22
 > > <http://132.148.128.234/32:22> for -1 seconds
 > > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
 > > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22
 > > <http://132.148.128.234/32:22> for -1 seconds
 > 
 > The "-1 seconds" looks fishy to me.
 > 
 > What is the /etc/blacklistd.conf on this machine?

Whether or not the first block succeeded, which if it had, should have 
precluded another one two minutes later .. just on this point:

-1 here means "never remove" ie duration='*', like nfail='*' is also set 
to -1 for 'never block'.  Noticed in ..

[ here /usr/head/src/contrib/blacklist/ ]
bin/blacklistd.c: update(void)
[..]
                if (c.c_duration == -1 || when >= ts.tv_sec)	<<<----
                        continue;
                if (dbi.id[0]) {
                        run_change("rem", &c, dbi.id, 0);
                        sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
                        syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
                            buf, c.c_lmask, c.c_port, c.c_duration);
                }
                state_del(state, &c);

One of the problems with blocklistd-helper is that return codes from it 
are mostly not checked, in some cases it's run as (void)run_change(..) 
so it's dependant on the helper script succeeding, and simply ignores
any indicated failure - except possibly for an add operation, where it 
returns -1 if it gets a NULL response (empty string I assume) otherwise 
it returns 0 after copying the output string to the id (here always OK) 
.. but it seems nothing cares about the return code eithe rway ..

A bit more about making the script more robust - and more informative 
for debugging, at least re ipfw - is slowly brewing, but I'm running out 
of spare time at the moment, and will have to quit digging this deep 
into code I'm unlikely ever to run myself :)

[ Cos, do you get any different behaviour if you set duration to some 
value other than '*'?  30d should be near enough forever for testing ]

cheers, Ian

More information about the freebsd-questions mailing list