blocking traffic with /sbin/pfctl

Started by mmetc, February 09, 2022, 04:53:54 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 09, 2022, 04:53:54 PM
Hello!

I am working on the CrowdSec plugin (not published yet).
The IPS component (firewall-bouncer) takes a list of IPs and fills a table with pfctl.
The list is very dynamic, and usually contains a few thousand addresses, but the
rules are simple and do not change.

All is well on vanilla FreeBSD, where packets are blocked, but not in OPNsense.

What I do

- create an anchor
    freebsd: /etc/pf.conf
    opnsense: $fw->registerAnchor('crowdsec', 'fw');

- add two tables and two rules within the anchor (this is done by the IPS at startup)
   table <crowdsec-blacklists> persist
   table <crowdsec6-blacklists> persist
   block drop in quick from <crowdsec-blacklists> to any
   block drop in quick from <crowdsec6-blacklists> to any

- run the program that adds the IPs with
      /sbin/pfctl -a crowdsec -t crowdsec-blacklists -T add 137.74.x.y


In both cases, the IP is correctly added to the table but in OPNsense, the packets keep passing.

I saw other plugins that manage rules and ban lists with an anchor, but usually for passing packets or port forwarding,
I thought the above should work in my case too.

Am I missing something in the configuration? Anything else?

Thanks
February 09, 2022, 05:18:53 PM #1
Hi there,

Did you take into account that previous state is retained and so is the matching pass rule?

It might be worth trying to flush the related states to/from the IP addresses added.


Cheers,
Franco
February 10, 2022, 03:31:29 PM #2
Yes, that was it.

A "pfctl -k" after each addition should do the job.

Thanks!
February 24, 2022, 09:46:35 AM #3
For reference. A "pfctl -k" after adding IPs does the job.

But I could not keep the anchor and had to use a table associated with an Alias.
The same code would blocks packets with an Alias table, do nothing with an anchored table.

I'm not sure why because other plugins use anchors too, but I had my fix.

thanks

April 20, 2022, 04:35:47 PM #4
I'd be willing to test the Crowdsec plugin when you're ready.
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD

Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic
April 20, 2022, 04:38:20 PM #5
Was put up for review here https://github.com/opnsense/plugins/pull/2945 but can be obtained as a prebuilt manual package from Crowdsec too.


Cheers,
Franco
Print
Go Up Pages1
User actions