OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: gjdoornink on October 12, 2023, 12:07:36 am

Title: crowdsec firewall bouncer does not start
Post by: gjdoornink on October 12, 2023, 12:07:36 am
Hello,

I am running OPNsense 23.7.6 on a Protectli box.
I installed os-crowdsec 1.0.7.
The corresponding installed packages are:
   crowdsec   1.5.4
   crowdsec-firewall-bouncer   0.0.28
   os-crowdsec   1.0.7

The crowdsec plugin is running, but crowdsec-firewall-bouncer won't start.

/var/log/crowdsec/crowdsec-firewall-bouncer.log contains the following log lines:
Code:
time="11-10-2023 23:42:00" level=warning msg="unexpected ${BACKEND} mode"
time="11-10-2023 23:42:00" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"
time="11-10-2023 23:42:00" level=info msg="backend type : ${BACKEND}"
time="11-10-2023 23:42:00" level=fatal msg="firewall '${BACKEND}' is not supported"

/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml is as follows:

Code:
api_key: XXXXXXXXXXXXXXXXXXXXXX     # cs-firewall-bouncer-XXXXXXXXXX
api_url: http://127.0.0.1:8080/
blacklists_ipv4: crowdsec_blacklists
blacklists_ipv6: crowdsec6_blacklists
deny_action: DROP
deny_log: false
disable_ipv6: false
insecure_skip_verify: false
ipset_type: nethash
iptables_chains:
- INPUT
log_compression: true
log_dir: /var/log/crowdsec
log_level: info
log_max_age: 30
log_max_backups: 3
log_max_size: 100
log_mode: file
mode: ${BACKEND}
nftables:
  ipv4:
    chain: crowdsec-chain
    enabled: true
    priority: -10
    set-only: false
    table: crowdsec
  ipv6:
    chain: crowdsec6-chain
    enabled: true
    priority: -10
    set-only: false
    table: crowdsec6
nftables_hooks:
- input
- forward
pf:
  anchor_name: ''
prometheus:
  enabled: false
  listen_addr: 127.0.0.1
  listen_port: 60601
retry_initial_connect: true
supported_decisions_types:
- ban
update_frequency: 10s

I have masked the api key in this post.
In the configuration file they appear to be properly set.

I have not changed the default plugin settings except for enabling the following options:
   Enable log for rules
   Verbose log for firewall bouncer

I have searched the OPNsense forum and the internet and only found a crowdsec discourse post (https://discourse.crowdsec.net/t/crowdsec-firewall-bouncer-doest-start-backend-is-not-supported/1258) mentioning that mode should be set to one of the following: iptables, nftables, ipset or pf.

I could not find any indication in the documentation that I would have to change the mode setting manually.

Am I missing something?
Title: Re: crowdsec firewall bouncer does not start
Post by: cookiemonster on October 12, 2023, 11:32:27 am
You're right, mode for OPN should be pf. Mine is and I don't remember having changed it either but my version is 1.0.6 of os-crowdsec, on OPN 23.1.
Maybe the update to yours created a variable BACKEND and is not populating the value correctly. I would go to them to report it if I were you.
Title: Re: crowdsec firewall bouncer does not start
Post by: gjdoornink on October 13, 2023, 05:30:06 pm
@cookiemonster

Thanks, manually changing mode to pf did the trick.

Someone beat me to it and just created an issue for this problem at https://github.com/opnsense/plugins/issues/3622.
Title: Re: crowdsec firewall bouncer does not start
Post by: cookiemonster on October 13, 2023, 06:00:45 pm
You know, it rings a bell now. I think this was a fixed problem that has regressed. I might have set it to pf, just like you, some while back.
Title: Re: crowdsec firewall bouncer does not start
Post by: nzkiwi68 on October 17, 2023, 06:04:04 am
Same issue here - fresh install on two new 23.7.6 firewalls.

/var/log/crowdsec/crowdsec-firewall-bouncer.log:

Code:
time="17-10-2023 16:07:54" level=warning msg="unexpected ${BACKEND} mode"
time="17-10-2023 16:07:54" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"
Title: Re: crowdsec firewall bouncer does not start
Post by: franco on October 17, 2023, 10:52:08 am
Planning to hotfix this tomorrow. There is no time today due to the business release procedure.


Cheers,
Franco
Title: Re: crowdsec firewall bouncer does not start
Post by: gjdoornink on October 17, 2023, 09:14:49 pm
@franco

Thanks for the fix.
It is much appreciated.
Title: Re: crowdsec firewall bouncer does not start
Post by: franco on October 18, 2023, 10:20:22 am
Pushed the hotfix now.


Cheers,
Franco
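
A pre-start check for the fault in this thread (an unexpanded `${BACKEND}` left in `mode:`), added here as an example; it is not part of any post and not OPNsense or CrowdSec code. The function names and the trimmed sample config are constructed for illustration, and the supported modes are the four named in the first post.

```shell
#!/bin/sh
# Added example: sanity check for crowdsec-firewall-bouncer.yaml before the service starts.
SUPPORTED_MODES="iptables nftables ipset pf"   # values named in the thread

# Print the top-level "mode:" value without trailing comment, whitespace or quotes.
# Anchored at column 0 so "log_mode:" is not picked up.
get_mode() {
    sed -n 's/^mode:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" | head -n 1
}

# List "lineno:text" for every ${NAME} left unexpanded, skipping comment lines.
find_placeholders() {
    grep -n '[$][{][A-Za-z_][A-Za-z0-9_]*[}]' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Return 0 if the config looks startable, 1 on a finding, 2 if unreadable.
check_bouncer_config() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    left=$(find_placeholders "$cfg") || true
    if [ -n "$left" ]; then
        echo "$cfg: unexpanded placeholder(s):"; echo "$left"; rc=1
    fi
    mode=$(get_mode "$cfg"); known=no
    for m in $SUPPORTED_MODES; do
        if [ "$mode" = "$m" ]; then known=yes; fi
    done
    if [ "$known" = no ]; then
        echo "$cfg: mode '$mode' is not one of: $SUPPORTED_MODES"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a trimmed version of the config posted above, with mode=$1.
make_sample() {
    cat > "$2" <<EOF
api_url: http://127.0.0.1:8080/
log_mode: file
mode: $1
pf:
  anchor_name: ''
EOF
}

tmp=$(mktemp -d /tmp/bouncer-check.XXXXXX)
make_sample '${BACKEND}' "$tmp/broken.yaml"; make_sample 'pf' "$tmp/fixed.yaml"
check_bouncer_config "$tmp/broken.yaml" || echo "broken.yaml: fix before starting the service"
check_bouncer_config "$tmp/fixed.yaml" && echo "fixed.yaml: ok"
rm -rf "$tmp"
```

On a real system the function would be pointed at /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml, the path given in the first post.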