Please help with blacklistd.conf

Hello,

I have enabled blacklistd(8) but the output of blacklistctl dump -ad is empty, even though there are plenty of ssh login attempts in the logs.

# ps aux | grep blacklistd
root 1251 0.0 0.0 14740 624 - Ss 12Jan17 0:13.99 /usr/sbin/blacklistd


Code:
# cat /etc/blacklistd.conf
# $FreeBSD: stable/11/etc/blacklistd.conf 301226 2016-06-02 19:06:04Z lidl $
#
# Blacklist rule
# adr/mask:port   type   proto   owner       name   nfail   disable
[local]
xn0:ssh       stream   *   *       *   3   24h
ftp       stream   *   *       *   3   24h
smtp       stream   *   *       *   3   24h
xn0:submission   stream   *   *       *   3   24h
#6161       stream   tcp6   christos   *   2   10m
*       *   *   *       *   3   60

# adr/mask:port   type   proto   owner       name   nfail   disable
[remote]
#129.168.0.0/16   *   *   *       =   *   *
#6161       =   =   =       =/24   =   =
#*       stream   tcp   *       =   =   =

# blacklistctl dump -ad
address/ma:port id nfail last access


I expected that blacklistctl(8) should return a number of IP addresses which appear in /var/log/messages as sources of login attempts.

Would you please point out what I am missing?
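The [local] rules in the posted blacklistd.conf are easiest to understand by running them. The Python below is an added example written for this note; it is not part of blacklistd, FreeBSD, or the original post. It parses that section, resolves the `iface:port` targets and the `nfail` / `disable` columns, and feeds the rules a set of constructed failure reports of the kind a blacklist-aware daemon sends over the blacklistd socket (blacklistd counts those notifications; it does not read /var/log/messages). The service table, the report tuples, and the "most specific rule wins" precedence are assumptions of this model, not something the page states.

```python
"""Toy model of blacklistd.conf [local] rule matching (added example)."""
import re
from collections import defaultdict

# Constructed subset of /etc/services; the real daemon uses getservbyname(3).
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "submission": 587}

# Constructed copy of the [local] section from the post; [remote] is omitted
# because this model only reproduces local rule matching.
CONF = """\
# adr/mask:port   type   proto   owner   name   nfail   disable
[local]
xn0:ssh          stream   *   *   *   3   24h
ftp              stream   *   *   *   3   24h
smtp             stream   *   *   *   3   24h
xn0:submission   stream   *   *   *   3   24h
*                *        *   *   *   3   60
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """disable column: '24h' -> 86400, '10m' -> 600, bare '60' -> 60 seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError("bad disable value: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_port(text):
    """Service name or number; '*' means any port (None)."""
    if text == "*":
        return None
    return SERVICES[text] if text in SERVICES else int(text)


def parse_rules(conf):
    """Parse the [local] section into dicts with iface, port, nfail, disable."""
    rules, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "local":
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("expected 7 fields: %r" % line)
        target, _type, _proto, _owner, _name, nfail, disable = fields
        # 'xn0:ssh' qualifies the port with an interface; a bare token is a port.
        iface, port = target.rsplit(":", 1) if ":" in target else (None, target)
        rules.append({"iface": iface, "port": parse_port(port),
                      "nfail": int(nfail), "disable": parse_duration(disable),
                      "text": line})
    return rules


def match_rule(rules, iface, port):
    """Most specific match wins: iface+port beats port-only beats '*'.
    This precedence is an assumption of the model (it is how the shipped
    config is ordered), not a statement about the daemon's exact algorithm."""
    best, best_score = None, -1
    for r in rules:
        if r["iface"] not in (None, iface) or r["port"] not in (None, port):
            continue
        score = (r["iface"] is not None) + (r["port"] is not None)
        if score > best_score:
            best, best_score = r, score
    return best


def simulate(rules, reports):
    """reports: constructed (time, iface, port, src) tuples, one per failed
    login as a blacklist-aware daemon would report it.  Returns
    {(src, port): (rule text, blocked_until)} for sources that reached nfail."""
    fails, blocked = defaultdict(int), {}
    for t, iface, port, src in reports:
        rule = match_rule(rules, iface, port)
        if rule is None:
            continue
        key = (src, port)
        fails[key] += 1
        if fails[key] >= rule["nfail"] and key not in blocked:
            blocked[key] = (rule["text"], t + rule["disable"])
    return blocked


REPORTS = [  # constructed sample reports (RFC 5737 test addresses)
    (1000, "xn0", 22, "203.0.113.7"),
    (1010, "xn0", 22, "203.0.113.7"),
    (1020, "xn0", 22, "203.0.113.7"),   # third failure: blocked for 24h
    (1030, "xn0", 22, "198.51.100.9"),
    (1040, "xn0", 22, "198.51.100.9"),  # only two failures: not blocked
    (1050, "em0", 22, "192.0.2.5"),
    (1060, "em0", 22, "192.0.2.5"),
    (1070, "em0", 22, "192.0.2.5"),     # no em0 rule: falls to the '*' line, 60 s
]

RULES = parse_rules(CONF)
BLOCKED = simulate(RULES, REPORTS)


def dump(blocked):
    """Print a table shaped like `blacklistctl dump -a` output."""
    print("address:port        blocked_until  rule")
    for (src, port), (rule, until) in sorted(blocked.items()):
        print("%-18s  %-13d  %s" % ("%s:%d" % (src, port), until, rule))


if __name__ == "__main__":
    dump(BLOCKED)
```

Running the file prints the two blocked entries; the point worth noticing is that the sshd failures arriving on em0 do not hit the 24h `xn0:ssh` rule at all but the catch-all `*` line with its 60-second disable, so an interface-qualified rule silently does nothing for traffic on another interface.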
 
Well, looks like my /usr/src/secure/usr.sbin/sshd/Makefile is newer:

Code:
# less /usr/src/secure/usr.sbin/sshd/Makefile
# $FreeBSD: stable/11/secure/usr.sbin/sshd/Makefile 305476 2016-09-06 14:52:14Z lidl $

[...]

.if ${MK_BLACKLIST_SUPPORT} != "no"
CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
SRCS+=  blacklist.c
LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif

Does anyone have blacklistd(8) working?
 
I did have some issues with the anchor on pf.conf, something's not working as it should.

Code:
anchor "blacklistd/*" in on $ext_if
Produces errors:
Code:
# pfctl -a '*' -sr

anchor "*" in on re0 all {
pfctl: DIOCGETRULES: Invalid argument
}

Code:
anchor "blacklistd" in on $ext_if
Doesn't produce errors but stays empty:
Code:
 # pfctl -a '*' -sr
anchor "blacklistd" in on re0 all {
}

Code:
anchor "blacklistd" all {
  anchor "22" all
}
This is the only variation that actually seems to work:
Code:
anchor "blacklistd" all {
  anchor "22" all {
    block drop in quick proto tcp from <port22> to any port = ssh
  }
}

I'm sure I'm doing something wrong. Or PF isn't doing what it's supposed to do.
 
Code:
anchor "blacklistd/*" in on $ext_if
pfctl -a blacklistd/21 -sr
pfctl -a blacklistd/22 -sr

etc
 
Yes, but:
Code:
             To print the main ruleset recursively, specify only `*' as the
             anchor name:

                   # pfctl -a '*' -sr

So, in my mind this would imply you always get a full ruleset and all the anchors are printed recursively. Which doesn't seem to work.
 
That has never worked for me, anywhere. Maybe an OpenBSD relic or a regression.

By the way, pfctl -a 'blacklistd/*' -sr doesn't work either.
 
By the way, pfctl -a 'blacklistd/*' -sr doesn't work either.
Indeed. But the funny thing is, if you do it like this:
Code:
anchor "blacklistd" all {
  anchor "22" all
}
Then both pfctl -a '*' -sr and pfctl -a 'blacklistd/*' -sr work as expected.
 
But some of my blacklistd configurations block 21, 22, 25, 465, and 587 in one go. That's going to be a lot of improv ;)
 
Yeah, but I'm really only using the sshd(8) one. So for me it's not that bad. But I'm wondering if this is a bug in PF though, maybe some of the rules don't link up properly or there's some other inconsistency in the way anchors are linked into the ruleset.
 