12.2 release, blacklistd with ipfw gives error

Kris von Mach mach at swishmail.com
Mon Nov 2 09:52:31 UTC 2020


Hello,

I've upgraded a working blacklistd with ipfw server from 12.1 to 12.2 
and now it gives the following error:

blacklistd[51583]: getnum: /etc/blacklistd.conf, 22: Bad number for service []

My config:

rc.conf:
blacklistd_enable="YES"                 # activates blacklistd
sshd_flags="-o UseBlackList=yes"        # instruct sshd to report to blacklistd
firewall_enable="YES"
firewall_type="OPEN"
blacklistd_flags="-f"

/etc/ipfw-blacklist.rc exists:
-rw-r--r--  1 root  wheel  0 Nov  4  2018 /etc/ipfw-blacklist.rc

blacklistd.conf:
# $FreeBSD: releng/12.2/usr.sbin/blacklistd/blacklistd.conf 336977 2018-07-31 16:39:38Z brd $
#
# Blacklist rule
# adr/mask:port type    proto   owner           name    nfail disable
[local]
ssh             stream  *       *               *       3       24h
ftp             stream  *       *               *       3       24h
smtp            stream  *       *               *       3       24h
submission      stream  *       *               *       3       24h
#6161           stream  tcp6    christos        *       2       10m
*               *       *       *               *       3       60

# adr/mask:port type    proto   owner           name    nfail disable
[remote]
#129.168.0.0/16 *       *       *               =       *       *
#6161           =       =       =               =/24    =       =
#*              stream  tcp     *               =       =       =


services are running:
root     37234    0.0  0.0    19600    8224  -  Is   04:41 0:00.00 /usr/sbin/sshd -o UseBlackList=yes
root     52033    0.0  0.0    11740    2840  -  Ss   04:41 0:00.00 /usr/sbin/blacklistd -f

ipfw list
00001 deny ip from table(1) to me
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

table port22 isn't created

Is this a bug or am I missing some change in the config?



More information about the freebsd-stable mailing list