Topics - mmetc

#1
Hello!

In my crowdsec plugin, still unpublished, I create my stuff in plugins.inc.d/crowdsec.inc, then I call "configctl filter reload" at the time of installation. Not sure it's the best way, but it seems to work as I want.

My question is: can I remove the Alias objects when my plugin is uninstalled? I see some +POST_DEINSTALL.post scripts, but should I call my php code from there? It's fine if the Alias is removed and recreated when the plugin is upgraded.

Is there a plugin that does a similar clean up?

Thanks


[...]
// Create an 'external' alias (its table is filled by the bouncer via pfctl)
// unless an alias with this name already exists in the config.
function add_alias_if_not_exist($name, $description, $proto) {
    $model = new OPNsense\Firewall\Alias();
    foreach ($model->aliases->alias->iterateItems() as $alias) {
        if ((string)$alias->name == $name) {
            return;
        }
    }

    $new_alias = $model->aliases->alias->Add();
    $new_alias->name = $name;
    $new_alias->description = $description;
    $new_alias->proto = $proto;
    $new_alias->type = 'external';
    $model->serializeToConfig();
    // Fully qualified: plugins.inc.d files live in the global namespace,
    // so a bare Config would not resolve to OPNsense\Core\Config.
    OPNsense\Core\Config::getInstance()->save();
}

// Firewall plugin hook: registers one quick block rule per address family,
// each sourcing from the alias created above. bouncer_enabled() is defined
// elsewhere in the plugin.
function crowdsec_firewall(\OPNsense\Firewall\Plugin $fw)
{
    if (!bouncer_enabled()) {
        return;
    }

    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');

    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol'     => 'inet',
            'descr'          => 'CrowdSec (IPv4)',
            'from'           => '$crowdsec_blacklists',     // $ to reference an alias
            'type'           => 'block',
            'quick'          => true
        ),
        null
    );

    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');

    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol'     => 'inet6',
            'descr'          => 'CrowdSec (IPv6)',
            'from'           => '$crowdsec6_blacklists',    // $ to reference an alias
            'type'           => 'block',
            'quick'          => true
        ),
        null
    );
}
[...]
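As an added example (not code from the post or from the CrowdSec plugin), this is the uninstall counterpart of add_alias_if_not_exist(): a CLI script a +POST_DEINSTALL.post hook could run with php before the filter reload. The script path is hypothetical, and the model calls not shown in the post (del(), the uuid key yielded by iterateItems(), the filter/rule layout in config.xml) are assumptions about the OPNsense MVC and legacy config.

```php
<?php
// Added example: remove the plugin's aliases at uninstall time, e.g. via
//   php /usr/local/opnsense/scripts/crowdsec/remove_aliases.php   (hypothetical path)
// followed by "configctl filter reload" as the post already does.
require_once('config.inc');

use OPNsense\Core\Config;
use OPNsense\Firewall\Alias;

// True when a legacy filter rule still references the alias by name, so an
// alias an administrator reused in their own rules is not silently dropped.
// Assumes the config.xml layout filter/rule/{source,destination}/address.
function alias_in_use_by_rules($name)
{
    $config = Config::getInstance()->object();
    if (!isset($config->filter->rule)) {
        return false;
    }
    foreach ($config->filter->rule as $rule) {
        foreach (['source', 'destination'] as $side) {
            if (isset($rule->{$side}->address) && (string)$rule->{$side}->address === $name) {
                return true;
            }
        }
    }
    return false;
}

// Delete the alias named $name if present and unreferenced.
// Returns 'removed', 'in_use' or 'absent' so the hook can log the outcome.
function remove_alias_if_exists($name)
{
    if (alias_in_use_by_rules($name)) {
        return 'in_use';
    }
    $model = new Alias();
    // Assumption: iterateItems() yields uuid => node and ArrayField::del(uuid) exists.
    foreach ($model->aliases->alias->iterateItems() as $uuid => $alias) {
        if ((string)$alias->name === $name) {
            $model->aliases->alias->del($uuid);
            $model->serializeToConfig();
            Config::getInstance()->save();
            return 'removed';
        }
    }
    return 'absent';
}

foreach (['crowdsec_blacklists', 'crowdsec6_blacklists'] as $name) {
    echo $name . ': ' . remove_alias_if_exists($name) . PHP_EOL;
}
```

The plugin's own rules come from the .inc file that pkg removes, so they never trip the in-use check; only rules an administrator added by hand would.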

#2
Hello!

I am working on the CrowdSec plugin (not published yet).
The IPS component (firewall-bouncer) takes a list of IPs and fills a table with pfctl.
The list is very dynamic, and usually contains a few thousand addresses, but the
rules are simple and do not change.

All is well on vanilla FreeBSD, where packets are blocked, but not in OPNsense.

What I do

- create an anchor
    freebsd: /etc/pf.conf
    opnsense: $fw->registerAnchor('crowdsec', 'fw');

- add two tables and two rules within the anchor (this is done by the IPS at startup)
   table <crowdsec-blacklists> persist
   table <crowdsec6-blacklists> persist
   block drop in quick from <crowdsec-blacklists> to any
   block drop in quick from <crowdsec6-blacklists> to any

- run the program that adds the IPs with
      /sbin/pfctl -a crowdsec -t crowdsec-blacklists -T add 137.74.x.y
In both cases, the IP is correctly added to the table but in OPNsense, the packets keep passing.

I saw other plugins that manage rules and ban lists with an anchor, though usually for passing packets or port forwarding, so I thought the above should work in my case too.

Am I missing something in the configuration? Anything else?

Thanks