How to setup IPFW working with blacklistd

Cos Chan rosettas at gmail.com
Thu Nov 16 21:40:56 UTC 2017 

On Thu, Nov 16, 2017 at 3:53 PM, Ian Smith <smithi at nimnet.asn.au> wrote:

> On Wed, 15 Nov 2017 11:02:30 -0500, Kurt Lidl wrote:
>  > On 11/15/17 6:46 AM, Cos Chan wrote:
>  >
>  > > blacklistd.log:
>  > > Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22
>  > > <http://132.148.128.234/32:22> for -1 seconds
>  > > Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
>  > > Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22
>  > > <http://132.148.128.234/32:22> for -1 seconds
>  >
>  > The "-1 seconds" looks fishy to me.
>  >
>  > What is the /etc/blacklistd.conf on this machine?
>
> Whether or not the first block succeeded, which if it had, should have
> precluded another one two minutes later .. just on this point:
>
> -1 here means "never remove" ie duration='*', like nfail='*' is also set
> to -1 for 'never block'.  Noticed in ..
>
> [ here /usr/head/src/contrib/blacklist/ ]
> bin/blacklistd.c: update(void)
> [..]
>                 if (c.c_duration == -1 || when >= ts.tv_sec)    <<<----
>                         continue;
>                 if (dbi.id[0]) {
>                         run_change("rem", &c, dbi.id, 0);
>                         sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
>                         syslog(LOG_INFO, "released %s/%d:%d after %d
> seconds",
>                             buf, c.c_lmask, c.c_port, c.c_duration);
>                 }
>                 state_del(state, &c);
>
> One of the problems with blocklistd-helper is that return codes from it
> are mostly not checked, in some cases it's run as (void)run_change(..)
> so it's dependant on the helper script succeeding, and simply ignores
> any indicated failure - except possibly for an add operation, where it
> returns -1 if it gets a NULL response (empty string I assume) otherwise
> it returns 0 after copying the output string to the id (here always OK)
> .. but it seems nothing cares about the return code eithe rway ..
>
> A bit more about making the script more robust - and more informative
> for debugging, at least re ipfw - is slowly brewing, but I'm running out
> of spare time at the moment, and will have to quit digging this deep
> into code I'm unlikely ever to run myself :)
>
> [ Cos, do you get any different behaviour if you set duration to some
> value other than '*'?  30d should be near enough forever for testing ]
>

RIght, I can't see same "increased after ipfw blocked" issue while I change
the * to 30d.

I will check again tomorrow.


>
> cheers, Ian
>



-- 
with kind regards

More information about the freebsd-questions mailing list