OPNsense Forum

Topics - seized

1
19.1 Legacy Series / Port alias tables not saving or persisting (FW rules w/ port aliases dont work)
« on: February 04, 2019, 07:13:13 pm »
I have some port aliases that I use for some firewall rules. They seemed to stop working after the 19.1 upgrade, maybe right after or the next day. From what I can tell it's because the port type alias tables aren't being persisted in rules.debug, but I am not sure if they are supposed to be persisted.

I created a new alias and a new firewall rule referencing it, and still see the behavior below where port type aliases are not listed in pfTables under Firewall > Diagnostics, don't show up in pfctl, and are listed in rules.debug but not persisted (which I am guessing they should be). I included a hosts type alias that does seem to be working.

The symptoms I end up seeing are that firewall rules referencing the ports alias don't work: that traffic isn't allowed and doesn't match the rule and thus gets dropped.

2
19.1 Legacy Series / Aliases API in 19.1
« on: February 02, 2019, 01:47:05 am »
I have a fail2ban script set up that will add and remove IPs from a hosts alias. It was working with 18.7.9, but post-upgrade to 19.1 it seems a bit strange. It seems like alias_util is overwriting the alias with a delay.

Adding an IP works, but the previous IPs seem to get deleted right after. It isn't my fail2ban script; I am running these manually for the below test.

root@cerberus:/home/admin # pfctl -t BANNED -Ts
   1.0.1.4

Doing the add from another host:
curl -XPOST -d '{"address":"1.0.1.10"}' -H "Content-Type: application/json" -k -u "key":"secret" https://cerberus/api/firewall/alias_util/add/BANNED
{"status":"done"}

Table updates correctly as expected:
root@cerberus:/home/admin # pfctl -t BANNED -Ts
   1.0.1.4
   1.0.1.10

Here I did not call the reconfigure part of the API yet, but now the table reverts to only one entry (the most recent one) within 30 seconds:
root@cerberus:/home/admin # pfctl -t BANNED -Ts
   1.0.1.10

I tried host and network type aliases and it's the same behavior. If I add through the UI then both entries stay. Adding a third through alias_util causes the earlier ones to be deleted.

I could be misunderstanding the API but since it worked in 18.7.9 I suspect this is a 19.1 bug?
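
As an added example (not part of the forum post and not OPNsense project code), the check below reproduces the test above in a script: it snapshots `pfctl -t BANNED -Ts`, sends the same `alias_util/add` POST the curl command sends (JSON body, API key and secret as HTTP basic auth), then polls the table for the 30-second window and reports any entry that disappears. The host name `cerberus`, the alias name `BANNED`, the address `1.0.1.10` and the `<api-key>`/`<api-secret>` placeholders are assumptions taken from or standing in for the values in the post; the parsing and diff helpers work on constructed sample output so they can be exercised without a firewall.

```python
"""Snapshot an OPNsense pf table around an alias_util API add and watch for
entries that vanish afterwards (added example; not from the post or project)."""
from __future__ import annotations

import base64
import json
import ssl
import subprocess
import time
import urllib.request


def parse_pfctl_table(output: str) -> set:
    """Parse the indented address list printed by `pfctl -t NAME -Ts`."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def table_diff(before: set, after: set) -> tuple:
    """Return (added, removed) between two table snapshots."""
    return after - before, before - after


def build_alias_add_request(host: str, alias: str, address: str, key: str, secret: str) -> tuple:
    """Build the same request the post's curl command sends:
    POST /api/firewall/alias_util/add/<alias> with a JSON body and basic auth."""
    url = f"https://{host}/api/firewall/alias_util/add/{alias}"
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    body = json.dumps({"address": address}).encode()
    return url, headers, body


def alias_add(host: str, alias: str, address: str, key: str, secret: str, verify_tls: bool = True) -> dict:
    """Send the add request and return the decoded JSON reply (e.g. {"status": "done"})."""
    url, headers, body = build_alias_add_request(host, alias, address, key, secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k in the post; only for a self-signed lab box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def read_table(alias: str) -> set:
    """Run pfctl on the firewall itself and return the current table contents."""
    out = subprocess.run(["pfctl", "-t", alias, "-Ts"], capture_output=True, text=True, check=True).stdout
    return parse_pfctl_table(out)


def watch_for_lost_entries(alias: str, expected: set, window_s: int = 30, interval_s: int = 5) -> set:
    """Poll the table for window_s seconds; return the expected entries that vanish."""
    deadline = time.monotonic() + window_s
    while time.monotonic() < deadline:
        _, removed = table_diff(expected, read_table(alias))
        if removed:
            return removed
        time.sleep(interval_s)
    return set()


if __name__ == "__main__":
    # Placeholder credentials; run this on the firewall so pfctl is local.
    HOST, ALIAS, KEY, SECRET = "cerberus", "BANNED", "<api-key>", "<api-secret>"
    before = read_table(ALIAS)
    print(alias_add(HOST, ALIAS, "1.0.1.10", KEY, SECRET, verify_tls=False))
    after = read_table(ALIAS)
    print("added:", table_diff(before, after)[0])
    lost = watch_for_lost_entries(ALIAS, before | after)
    print("entries lost within 30 s:", lost or "none")
```

Run it once before and once after calling the reconfigure endpoint to tell whether the revert the post describes depends on that step; a non-empty "entries lost" set reproduces the behavior reported above.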

3
19.1 Legacy Series / HAProxy - Support for GPC General Purpose Counters
« on: December 27, 2018, 10:47:58 pm »
I'm not sure if this goes here or on GitHub, but does anyone know if UI support for gpc stick tables and rules/ACLs is planned for the HAProxy plugin? Gpc being General Purpose Counter.

It's used most often in abuse prevention type rules.

Some examples:

https://www.haproxy.com/blog/bot-protection-with-haproxy/
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7 (search for gpc0)

Code:
frontend http
    # Use General Purpose Counter 0 in SC0 as a global abuse counter
    # protecting all our sites
    stick-table type ip size 1m expire 5m store gpc0
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }
    ...
    use_backend http_dynamic if { path_end .php }

backend http_dynamic
    # if a source makes too fast requests to this dynamic site (tracked
    # by SC1), block it globally in the frontend.
    stick-table type ip size 1m expire 5m store http_req_rate(10s)
    acl click_too_fast sc1_http_req_rate gt 10
    acl mark_as_abuser sc0_inc_gpc0(http) gt 0
    tcp-request content track-sc1 src
    tcp-request content reject if click_too_fast mark_as_abuser


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved