Hello!
I am working on the CrowdSec plugin (not published yet).
The IPS component (firewall-bouncer) takes a list of IPs and fills a table with pfctl.
The list is very dynamic, and usually contains a few thousand addresses, but the
rules are simple and do not change.
All is well on vanilla FreeBSD, where packets are blocked, but not in OPNsense.
What I do:
- create an anchor
    freebsd: /etc/pf.conf
    opnsense: $fw->registerAnchor('crowdsec', 'fw');
- add two tables and two rules within the anchor (this is done by the IPS at startup)
    table <crowdsec-blacklists> persist
    table <crowdsec6-blacklists> persist
    block drop in quick from <crowdsec-blacklists> to any
    block drop in quick from <crowdsec6-blacklists> to any
- run the program that adds the IPs with
    /sbin/pfctl -a crowdsec -t crowdsec-blacklists -T add 137.74.x.y
In both cases, the IP is correctly added to the table but in OPNsense, the packets keep passing.
I saw other plugins that manage rules and ban lists with an anchor, but usually for passing packets or port forwarding,
so I thought the above should work in my case too.
Am I missing something in the configuration? Anything else?
Thanks
Hi there,
Did you take into account that previous state is retained and so is the matching pass rule?
It might be worth trying to flush the related states to/from the IP addresses added.
Cheers,
Franco
Yes, that was it.
A "pfctl -k" after each addition should do the job.
Thanks!
For reference. A "pfctl -k" after adding IPs does the job.
But I could not keep the anchor and had to use a table associated with an Alias.
The same code would block packets with an Alias table, but do nothing with an anchored table.
I'm not sure why because other plugins use anchors too, but I had my fix.
thanks
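The sequence the thread settles on (add the address to the pf table, then flush existing states to and from it so an established flow does not keep matching its earlier pass rule) as a small POSIX sh script. This is an added example, not the CrowdSec plugin's or OPNsense's own code. It reuses the table names and anchor rules from the first post; the `PFCTL` and `ANCHOR` variables are my own assumptions so the script can be dry-run with `PFCTL=echo` on a machine without pf, and with `ANCHOR` left empty it targets a global (alias-backed) table as in the follow-up post.

```shell
#!/bin/sh
# Apply one CrowdSec decision to pf: add to the table, then kill states.
# Constructed example; table names come from the forum thread.

PFCTL="${PFCTL:-/sbin/pfctl}"   # assumption: override with "echo" to dry-run
ANCHOR="${ANCHOR:-}"            # "crowdsec" for the anchored variant, empty for a global/alias table
TABLE4="crowdsec-blacklists"
TABLE6="crowdsec6-blacklists"

# Anchor ruleset exactly as posted in the thread, for loading with:
#   print_anchor_rules | pfctl -a crowdsec -f -
print_anchor_rules() {
    cat <<'EOF'
table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
EOF
}

# Decisions arrive from an external API; accept only characters that can
# form an IPv4/IPv6 address or CIDR prefix before handing them to pfctl.
valid_addr() {
    case "$1" in
        '' | *[!0-9a-fA-F.:/]*) return 1 ;;
    esac
    return 0
}

# crowdsec_ban ADDR: add ADDR to the matching table, then flush states
# originating from it and states destined to it (pfctl -k HOST -k HOST2
# kills states from the first host/network to the second).
crowdsec_ban() {
    addr="$1"
    valid_addr "$addr" || { echo "refusing malformed address: $addr" >&2; return 1; }
    case "$addr" in
        *:*) table="$TABLE6"; any="::/0" ;;
        *)   table="$TABLE4"; any="0.0.0.0/0" ;;
    esac
    set -- -t "$table" -T add "$addr"
    if [ -n "$ANCHOR" ]; then
        set -- -a "$ANCHOR" "$@"
    fi
    "$PFCTL" "$@" || return 1
    "$PFCTL" -k "$addr" -k "$any" || return 1   # states from the banned address
    "$PFCTL" -k "$any" -k "$addr" || return 1   # states to the banned address
}

# crowdsec_unban ADDR: remove ADDR from the matching table (no state flush needed).
crowdsec_unban() {
    addr="$1"
    valid_addr "$addr" || { echo "refusing malformed address: $addr" >&2; return 1; }
    case "$addr" in
        *:*) table="$TABLE6" ;;
        *)   table="$TABLE4" ;;
    esac
    set -- -t "$table" -T delete "$addr"
    if [ -n "$ANCHOR" ]; then
        set -- -a "$ANCHOR" "$@"
    fi
    "$PFCTL" "$@"
}
```

Run it as `PFCTL=echo sh script.sh` after appending a call such as `crowdsec_ban 137.74.0.1` to see the three pfctl invocations without touching the firewall; on a real box the same call performs the add and the two state kills. Killing states in both directions is the conservative reading of the advice above: the block rule only matches inbound packets, but an outbound flow to the same address already has a state that would otherwise keep passing replies.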
I'd be willing to test the Crowdsec plugin when you're ready.
Was put up for review here https://github.com/opnsense/plugins/pull/2945 but can be obtained as a prebuilt manual package from Crowdsec too.
Cheers,
Franco