Solved persistent table

I have SSHGuard installed on my FreeBSD server. With the exception of ignoring its whitelist and blocking my home IP, it has been a great aid.

I am trying to build an IPFW table where I can list my home IPs to keep access when SSHGuard blocks me.

The order I am doing this in is:

Code:
$IPF 10 allow all from any to any via lo0
$IPF 11 deny log ip from "table(10)" to any
$IPF 15 allow ip from "table(1)" to any
$IPF 16 allow tcp from any to any 9000 in setup keep-state
$IPF 17 allow tcp from any to any 9000 out setup keep-state
$IPF 18 deny log ip from "table(22)" to any keep-state

$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

"table(1)" is my personal whitelist. I was trying to work out a way to make this table persistent. From the IPFW documentation it would appear that IPFW table(1) lock would accomplish this, but I am guessing not across a system reboot. Am I getting too fancy trying to use a table?
 
Move the allow rule above your SSHGuard blocking rule. That way it will always be allowed and can never get blocked by SSHGuard. In the order you have now, you can still get blocked by SSHGuard because that rule gets hit first.

Whitelisting in SSHGuard itself should work though.
 
SirDice.. it should, but it doesn't; I have contacted their mailing list. The issue I have with this approach is that it appears my tables are being zeroed out on reboots, even with lock.
 
With PF that's certainly always the case. Persistent tables means their contents are kept when you reload the ruleset, not that they're saved to disk. They are persistent in memory only.

The whitelist from SSHGuard is simply loaded when the service is started. Offending IP addresses are checked internally and when they're not on the whitelist they are added to the table.
 
Ahh, that was becoming apparent.. so a rule would be a better approach than a table.. Thanks. I know I am a stick in the mud with IPFW. but I
 
I suck at IPFW but you should be able to create a file with your whitelisted IP addresses (or ranges) and load it as a table. This file is read when the firewall is loaded (or reloaded). It does not save the contents of the table back to the file though.
 
The tables do not exist at boot. All that ipfw does happens in memory only.
At boot, you need to have something like this (called from the ipfw startup script), where you add whatever IP addresses you want in the table initially (in your case it would be "table 1"):

Code:
# create the table (type addr = IP addresses/prefixes), empty it, then fill it
/usr/sbin/ipfw table baseifs create type addr
/usr/sbin/ipfw table baseifs flush
/usr/sbin/ipfw table baseifs add 127.0.0.0/8 0
/usr/sbin/ipfw table baseifs add ...

Tables are useful for:
1) large amounts of addresses
2) addresses that may dynamically change, because the table content can be changed at any time without changing any rules.
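A boot-time loader for the whitelist, as an added example that is not from any poster in this thread: it reads one address or CIDR per line from a file (hypothetical path /usr/local/etc/ipfw.whitelist, '#' comments allowed), rebuilds table 1 from it, and installs the table(1) allow rule ahead of the table(22) deny rule from the ruleset above (assumed to be the SSHGuard block rule). Setting IPFW=echo gives a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical file path and rule numbers
# follow the ruleset quoted earlier; override IPFW/WHITELIST from the environment.
IPFW="${IPFW:-/sbin/ipfw}"
WHITELIST="${WHITELIST:-/usr/local/etc/ipfw.whitelist}"
WL_TABLE=1

# Print the usable entries of the whitelist file: drop blank/comment lines,
# keep only the first field, and reject anything that is not an IPv4/IPv6
# address or prefix so a typo cannot break the whole load.
read_whitelist() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r addr _; do
        case "$addr" in
            *[!0-9a-fA-F:./]*) echo "skip: bad whitelist entry '$addr'" >&2 ;;
            *) echo "$addr" ;;
        esac
    done
}

# (Re)create the table and refill it. 'create' fails harmlessly when the table
# already exists from an earlier reload, so the flush is what guarantees the
# table mirrors the file.
load_whitelist_table() {
    $IPFW table "$WL_TABLE" create type addr 2>/dev/null || true
    $IPFW table "$WL_TABLE" flush
    read_whitelist "$WHITELIST" | while read -r addr; do
        $IPFW table "$WL_TABLE" add "$addr"
    done
}

# Whitelist allow gets the lower rule number, so it matches before the deny.
install_rules() {
    $IPFW add 15 allow ip from "table($WL_TABLE)" to any
    $IPFW add 18 deny log ip from "table(22)" to any
}
```

Call load_whitelist_table, then install_rules, from the script that loads the rest of the ruleset; the file is the only persistent copy, so edit it and rerun the loader rather than adding entries with ipfw by hand.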
 
> I suck at IPFW but you should be able to create a file with your whitelisted IP addresses (or ranges) and load it as a table. This file is read when the firewall is loaded (or reloaded). It does not save the contents of the table back to the file though.

I suck moderately at scripting... too many languages. Too old of a mind.

> The tables do not exist at boot. All that ipfw does happens in memory only.
> At boot, you need to have something like this (called from the ipfw startup script).

Ahhh, the holy grail!!
 