Topic: blocking traffic with /sbin/pfctl (Read 5456 times)
mmetc
Newbie
Posts: 45
Karma: 5
blocking traffic with /sbin/pfctl
« on: February 09, 2022, 04:53:54 pm »
Hello!
I am working on the CrowdSec plugin (not published yet).
The IPS component (firewall-bouncer) takes a list of IPs and fills a table with pfctl.
The list is very dynamic, and usually contains a few thousand addresses, but the
rules are simple and do not change.
All is well on vanilla FreeBSD, where packets are blocked, but not in OPNsense.
What I do
- create an anchor
freebsd: /etc/pf.conf
opnsense: $fw->registerAnchor('crowdsec', 'fw');
- add two tables and two rules within the anchor (this is done by the IPS at startup)
table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
- run the program that adds the IPs with
/sbin/pfctl -a crowdsec -t crowdsec-blacklists -T add 137.74.x.y
In both cases, the IP is correctly added to the table but in OPNsense, the packets keep passing.
I saw other plugins that manage rules and ban lists with an anchor, but usually for passing packets or port forwarding,
I thought the above should work in my case too.
Am I missing something in the configuration? Anything else?
Thanks
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: blocking traffic with /sbin/pfctl
« Reply #1 on: February 09, 2022, 05:18:53 pm »
Hi there,
Did you take into account that previous state is retained and so is the matching pass rule?
It might be worth trying to flush the related states to/from the IP addresses added.
Cheers,
Franco
mmetc
Newbie
Posts: 45
Karma: 5
Re: blocking traffic with /sbin/pfctl
« Reply #2 on: February 10, 2022, 03:31:29 pm »
Yes, that was it.
A "pfctl -k" after each addition should do the job.
Thanks!
mmetc
Newbie
Posts: 45
Karma: 5
Re: blocking traffic with /sbin/pfctl
« Reply #3 on: February 24, 2022, 09:46:35 am »
For reference. A "pfctl -k" after adding IPs does the job.
But I could not keep the anchor and had to use a table associated with an Alias.
The same code would block packets with an Alias table, but do nothing with an anchored table.
I'm not sure why because other plugins use anchors too, but I had my fix.
thanks
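The sequence discussed in the first post and in replies #1 to #3, as an added example (this is not the CrowdSec bouncer's code nor anything from OPNsense): an address is added to one of the two tables from the thread, and the states that involve it are then flushed with "pfctl -k", because an established flow otherwise keeps matching the state its earlier pass rule created and the new block rule is never consulted. Assumptions of this example: pfctl lives at /sbin/pfctl (as in the thread), the state-killing forms "pfctl -k host" (states from host) and "pfctl -k 0.0.0.0/0 -k host" (states to host) follow pfctl(8), the ANCHOR and DRY_RUN variables and the function names are this example's own, and the addresses used in the usage note are constructed. Setting ANCHOR to an empty string addresses the table in the main ruleset instead of the anchor, which is the Alias-table variant reply #3 ended up with.

```shell
#!/bin/sh
# Added example, not code from the CrowdSec bouncer or from OPNsense.
# Add an address to a pf table (inside the "crowdsec" anchor, or in the main
# ruleset when ANCHOR is empty, as with an Alias table), then kill the states
# involving that address with "pfctl -k" so an already-established flow stops
# matching the state its earlier pass rule created.

PFCTL="${PFCTL:-/sbin/pfctl}"           # assumption: pfctl path on FreeBSD/OPNsense
ANCHOR="${ANCHOR-crowdsec}"             # set ANCHOR="" to work on the main ruleset
TABLE4="${TABLE4:-crowdsec-blacklists}"
TABLE6="${TABLE6:-crowdsec6-blacklists}"

# run_pf: execute pfctl, or only print the command line when DRY_RUN=1 so the
# logic can be inspected on a machine without pf.
run_pf() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$PFCTL" "$*"
    else
        "$PFCTL" "$@"
    fi
}

# table_for: the IPv6 table if the address contains a colon, else the IPv4 one.
table_for() {
    case "$1" in
        *:*) printf '%s\n' "$TABLE6" ;;
        *)   printf '%s\n' "$TABLE4" ;;
    esac
}

# pf_table: run "pfctl -t <table> -T <op> ...", prefixing "-a ANCHOR" when the
# table lives inside an anchor.
pf_table() {
    tbl="$1"; shift
    if [ -n "$ANCHOR" ]; then
        run_pf -a "$ANCHOR" -t "$tbl" -T "$@"
    else
        run_pf -t "$tbl" -T "$@"
    fi
}

# kill_states: flush states from the address and states to it. A single
# "pfctl -k host" only matches states originating at host; the two-argument
# form "pfctl -k <any> -k host" kills states from any source to host (pfctl(8)).
kill_states() {
    addr="$1"
    case "$addr" in
        *:*) any="::/0" ;;
        *)   any="0.0.0.0/0" ;;
    esac
    run_pf -k "$addr"
    run_pf -k "$any" -k "$addr"
}

# ban_ip: per-address work for the bouncer: add to the table, then kill the
# existing states. Without the second step the block rule is never reached
# for flows that were already passing.
ban_ip() {
    pf_table "$(table_for "$1")" add "$1"
    kill_states "$1"
}

# unban_ip: remove the address from the table. States are only created by
# pass rules, so a blocked address has none to clean up.
unban_ip() {
    pf_table "$(table_for "$1")" delete "$1"
}

# Command-line use: ban_ip.sh [-u] ADDR...   (DRY_RUN=1 prints instead of running)
if [ $# -gt 0 ]; then
    op=ban_ip
    if [ "$1" = "-u" ]; then op=unban_ip; shift; fi
    for a in "$@"; do "$op" "$a"; done
fi
```

Running `DRY_RUN=1 sh ban_ip.sh 192.0.2.10` (constructed address) prints the three pfctl commands that would be issued: the table add under the anchor, the kill of states originating at the address, and the kill of states from anywhere to it. Without DRY_RUN the same three commands are executed, which is the "pfctl -k after each addition" that the thread settles on.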
va176thunderbolt
Newbie
Posts: 49
Karma: 4
Nothing is more permanent than a temp solution
Re: blocking traffic with /sbin/pfctl
« Reply #4 on: April 20, 2022, 04:35:47 pm »
I'd be willing to test the Crowdsec plugin when you're ready.
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: blocking traffic with /sbin/pfctl
« Reply #5 on: April 20, 2022, 04:38:20 pm »
Was put up for review here
https://github.com/opnsense/plugins/pull/2945
but can be obtained as a prebuilt manual package from Crowdsec too.
Cheers,
Franco