crowdsec firewall bouncer does not start

Started by gjdoornink, October 12, 2023, 12:07:36 AM

Hello,

I am running OPNsense 23.7.6 on a Protectli box.
I installed os-crowdsec 1.0.7.
The corresponding installed packages are:
   crowdsec   1.5.4
   crowdsec-firewall-bouncer   0.0.28
   os-crowdsec   1.0.7

The crowdsec plugin is running, but crowdsec-firewall-bouncer won't start.

/var/log/crowdsec/crowdsec-firewall-bouncer.log contains the following log lines:

time="11-10-2023 23:42:00" level=warning msg="unexpected ${BACKEND} mode"
time="11-10-2023 23:42:00" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"
time="11-10-2023 23:42:00" level=info msg="backend type : ${BACKEND}"
time="11-10-2023 23:42:00" level=fatal msg="firewall '${BACKEND}' is not supported"


/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml is as follows:


api_key: XXXXXXXXXXXXXXXXXXXXXX     # cs-firewall-bouncer-XXXXXXXXXX
api_url: http://127.0.0.1:8080/
blacklists_ipv4: crowdsec_blacklists
blacklists_ipv6: crowdsec6_blacklists
deny_action: DROP
deny_log: false
disable_ipv6: false
insecure_skip_verify: false
ipset_type: nethash
iptables_chains:
- INPUT
log_compression: true
log_dir: /var/log/crowdsec
log_level: info
log_max_age: 30
log_max_backups: 3
log_max_size: 100
log_mode: file
mode: ${BACKEND}
nftables:
  ipv4:
    chain: crowdsec-chain
    enabled: true
    priority: -10
    set-only: false
    table: crowdsec
  ipv6:
    chain: crowdsec6-chain
    enabled: true
    priority: -10
    set-only: false
    table: crowdsec6
nftables_hooks:
- input
- forward
pf:
  anchor_name: ''
prometheus:
  enabled: false
  listen_addr: 127.0.0.1
  listen_port: 60601
retry_initial_connect: true
supported_decisions_types:
- ban
update_frequency: 10s


I have masked the api key in this post.
In the configuration file it appears to be properly set.

I have not changed the default plugin settings except for enabling the following options:
   Enable log for rules
   Verbose log for firewall bouncer

I have searched the OPNsense forum and the internet and only found a crowdsec discourse post (https://discourse.crowdsec.net/t/crowdsec-firewall-bouncer-doest-start-backend-is-not-supported/1258) mentioning that mode should be set to one of the following: iptables, nftables, ipset or pf.

I could not find any indication in the documentation that I would have to change the mode setting manually.

Am I missing something?
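A quick sanity check for the symptom described in this post, added here as an example that is not part of the thread or of the os-crowdsec plugin: it reads the bouncer's top-level YAML keys without needing PyYAML, flags any unexpanded `${VAR}` placeholder, and checks `mode` against the four backends named in the discourse post (optionally also against the backend the platform needs, pf on OPNsense). The sample configs are constructed from the one shown above.

```python
import re

# Backends accepted by crowdsec-firewall-bouncer, per the discourse post cited above
SUPPORTED_MODES = {"iptables", "nftables", "ipset", "pf"}
# A leftover template placeholder such as ${BACKEND}
PLACEHOLDER_RE = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# Top-level "key: value" line, with an optional trailing "# comment"
TOP_LEVEL_RE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*?)\s*(?:#.*)?$")

# Constructed excerpts: the broken config from the post, and the same file with mode fixed
BROKEN_CONFIG = """\
api_key: XXXXXXXX     # cs-firewall-bouncer-XXXX
api_url: http://127.0.0.1:8080/
mode: ${BACKEND}
pf:
  anchor_name: ''
update_frequency: 10s
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("${BACKEND}", "pf")


def check_bouncer_config(text, expected_mode=None):
    """Return a list of problems found in a crowdsec-firewall-bouncer YAML config.
    Only top-level scalar keys are parsed, which is all this check needs."""
    problems = []
    top = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Any unexpanded ${VAR} anywhere in the file is a templating failure
        for m in PLACEHOLDER_RE.finditer(line):
            problems.append(f"line {lineno}: unexpanded placeholder {m.group(0)}")
        if line[0] not in " \t-":  # nested keys and list items are not needed here
            m = TOP_LEVEL_RE.match(line)
            if m:
                top[m.group(1)] = m.group(2)
    mode = top.get("mode")
    if mode is None:
        problems.append("mode: key is missing")
    elif mode not in SUPPORTED_MODES:
        problems.append(f"mode: '{mode}' is not one of {sorted(SUPPORTED_MODES)}")
    elif expected_mode and mode != expected_mode:
        problems.append(f"mode: '{mode}' but this platform needs '{expected_mode}'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_bouncer_config(cfg, expected_mode="pf") or "OK")
```

Point it at /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml after a plugin upgrade to catch this regression before the bouncer service is restarted.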

You're right, mode for OPN should be pf. Mine is and I don't remember having changed it either, but my version is 1.0.6 of os-crowdsec, on OPN 23.1.
Maybe the update to yours created a variable BACKEND and is not populating the value correctly. I would go to them to report it if I were you.

@cookiemonster

Thanks, manually changing mode to pf did the trick.

Someone beat me to it and just created an issue for this problem at https://github.com/opnsense/plugins/issues/3622.

You know, it rings a bell now. I think this was a fixed problem that has regressed. I might have set it to pf, just like you, some while back.

Same issue here - fresh install on two new 23.7.6 firewalls

/var/log/crowdsec/crowdsec-firewall-bouncer.log:

time="17-10-2023 16:07:54" level=warning msg="unexpected ${BACKEND} mode"
time="17-10-2023 16:07:54" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-freebsd-af6e7e2"

Planning to hotfix this tomorrow. There is no time today due to the business release procedure.


Cheers,
Franco

@franco

Thanks for the fix.
It is much appreciated.