

(-)b/security/crowdsec-firewall-bouncer/Makefile (-4 / +5 lines)
Lines 1-5 Link Here
1
PORTNAME=	crowdsec-firewall-bouncer
1
PORTNAME=	crowdsec-firewall-bouncer
2
PORTVERSION=	0.0.20  # NOTE: change BUILD_VERSION and BUILD_TAG as well
2
PORTVERSION=	0.0.22  # NOTE: change BUILD_VERSION and BUILD_TAG as well
3
#PORTREVISION=	
3
DISTVERSIONPREFIX=	v
4
DISTVERSIONPREFIX=	v
4
CATEGORIES=	security
5
CATEGORIES=	security
5
6
Lines 19-25 RUN_DEPENDS= crowdsec>0:security/crowdsec Link Here
19
USE_GITHUB=	yes
20
USE_GITHUB=	yes
20
GH_ACCOUNT=	crowdsecurity
21
GH_ACCOUNT=	crowdsecurity
21
GH_PROJECT=	cs-firewall-bouncer
22
GH_PROJECT=	cs-firewall-bouncer
22
GH_TAGNAME=	v0.0.20-freebsd
23
GH_TAGNAME=	v0.0.22-freebsd
23
#GH_TAGNAME is automatically set from DISTVERSION
24
#GH_TAGNAME is automatically set from DISTVERSION
24
25
25
USE_RC_SUBR=	crowdsec_firewall
26
USE_RC_SUBR=	crowdsec_firewall
Lines 29-36 SUB_FILES= pkg-message \ Link Here
29
30
30
# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
31
# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
31
# BUILD_TAG=$(git rev-parse HEAD)
32
# BUILD_TAG=$(git rev-parse HEAD)
32
MAKE_ENV=	BUILD_VERSION="v0.0.20" \
33
MAKE_ENV=	BUILD_VERSION="v0.0.22" \
33
		BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
34
		BUILD_TAG="50336d1ecdd97b296c3d9d4f1604afd4d59c4c3f"
34
35
35
ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
36
ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
36
37
(-)b/security/crowdsec-firewall-bouncer/distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1640213523
1
TIMESTAMP = 1642465397
2
SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
2
SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.22-v0.0.22-freebsd_GH0.tar.gz) = c2c9eddeb52db34216fcbc540e001f7d0742c5363b78307f30de24e19cf6e57a
3
SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717
3
SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.22-v0.0.22-freebsd_GH0.tar.gz) = 3018814
(-)b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog (-1 / +1 lines)
Lines 1-2 Link Here
1
# logfilename				[owner:group]	mode	count	size(kb)	when	flags	[/pid_file]			[sig_num]
1
# logfilename				[owner:group]	mode	count	size(kb)	when	flags	[/pid_file]			[sig_num]
2
/var/log/crowdsec-firewall-bouncer.log	root:wheel	644  	10	5120		*	JC	/var/run/crowdsec_firewall.pid
2
/var/log/crowdsec-firewall-bouncer.log	root:wheel	644  	10	20480		*	JC	/var/run/crowdsec_firewall.pid
(-)b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in (-2 / +7 lines)
Lines 9-14 Link Here
9
#
9
#
10
# crowdsec_firewall_enable (bool):	Set it to YES to enable crowdsec firewall.
10
# crowdsec_firewall_enable (bool):	Set it to YES to enable crowdsec firewall.
11
#					Default is "NO"
11
#					Default is "NO"
12
# crowdsec_firewall_config (str):	Set the bouncer config path.
13
#					Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
14
# crowdsec_firewall_flags (str):	extra flags to run bouncer.
15
#					Default is ""
12
16
13
. /etc/rc.subr
17
. /etc/rc.subr
14
18
Lines 20-25 load_rc_config $name Link Here
20
24
21
: "${crowdsec_firewall_enable:=NO}"
25
: "${crowdsec_firewall_enable:=NO}"
22
: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
26
: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
27
: "${crowdsec_firewall_flags:=}"
23
28
24
pidfile=/var/run/${name}.pid
29
pidfile=/var/run/${name}.pid
25
required_files="$crowdsec_firewall_config"
30
required_files="$crowdsec_firewall_config"
Lines 43-49 crowdsec_firewall_precmd() { Link Here
43
    fi
48
    fi
44
49
45
    # needs real tabs
50
    # needs real tabs
46
    cat <<-EOT | /sbin/pfctl -f /dev/fd/0
51
    cat <<-EOT | /sbin/pfctl -a crowdsec -f -
47
	table <crowdsec-blacklists> persist
52
	table <crowdsec-blacklists> persist
48
	table <crowdsec6-blacklists> persist
53
	table <crowdsec6-blacklists> persist
49
	block drop in quick from <crowdsec-blacklists> to any
54
	block drop in quick from <crowdsec-blacklists> to any
Lines 54-60 crowdsec_firewall_precmd() { Link Here
54
59
55
crowdsec_firewall_start() {
60
crowdsec_firewall_start() {
56
    /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
61
    /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
57
        ${command} -c "${crowdsec_firewall_config}"
62
        ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
58
}
63
}
59
64
60
run_rc_command "$1"
65
run_rc_command "$1"
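Review bot: The precmd hunk (`cat <<-EOT | /sbin/pfctl -a crowdsec -f -`) loads the tables and block rules into the `crowdsec` anchor, but nothing checks that the main ruleset references that anchor; pfctl accepts rules into an unreferenced anchor without complaint, so on a host that skipped the `anchor crowdsec` line in pf.conf the service starts cleanly while the block rules are never evaluated. A guard in crowdsec_firewall_precmd ahead of the heredoc would make that misconfiguration visible, e.g. `if ! /sbin/pfctl -s rules 2>/dev/null | grep -q 'anchor "crowdsec"'; then err 1 "anchor crowdsec is not referenced in the main pf ruleset"; fi` (`err` is the rc.subr helper; the exact `pfctl -s rules` anchor line format should be confirmed on the target release). The literal `crowdsec` here must also stay in sync with the anchor hard-coded in files/patch-pf.go, which deserves a one-line comment above the pfctl call, `# anchor name must match the one used by the bouncer (patch-pf.go)`. crowdsec_firewall_precmd starts before the hunk, and the second table's block rule is outside it.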
(-)b/security/crowdsec-firewall-bouncer/files/patch-pf.go (+38 lines)
Added Link Here
1
--- pf.go.orig	2022-01-18 11:38:14 UTC
2
+++ pf.go
3
@@ -66,7 +66,7 @@ func newPF(config *bouncerConfig) (interface{}, error)
4
 func (ctx *pfContext) checkTable() error {
5
 	log.Infof("Checking pf table: %s", ctx.table)
6
 
7
-	cmd := exec.Command(pfctlCmd, "-s", "Tables")
8
+	cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-s", "Tables")
9
 	out, err := cmd.CombinedOutput()
10
 
11
 	if err != nil {
12
@@ -79,7 +79,7 @@ func (ctx *pfContext) checkTable() error {
13
 }
14
 
15
 func (ctx *pfContext) shutDown() error {
16
-	cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "flush")
17
+	cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "flush")
18
 	log.Infof("pf table clean-up : %s", cmd.String())
19
 	if out, err := cmd.CombinedOutput(); err != nil {
20
 		log.Errorf("Error while flushing table (%s): %v --> %s", cmd.String(), err, string(out))
21
@@ -94,7 +94,7 @@ func (ctx *pfContext) Add(decision *models.Decision) e
22
 		return err
23
 	}
24
 	log.Debugf(addBanFormat, backendName, *decision.Value, strconv.Itoa(int(banDuration.Seconds())), *decision.Scenario)
25
-	cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "add", *decision.Value)
26
+	cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "add", *decision.Value)
27
 	log.Debugf("pfctl add : %s", cmd.String())
28
 	if out, err := cmd.CombinedOutput(); err != nil {
29
 		log.Infof("Error while adding to table (%s): %v --> %s", cmd.String(), err, string(out))
30
@@ -109,7 +109,7 @@ func (ctx *pfContext) Delete(decision *models.Decision
31
 		return err
32
 	}
33
 	log.Debugf(delBanFormat, backendName, *decision.Value, strconv.Itoa(int(banDuration.Seconds())), *decision.Scenario)
34
-	cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "delete", *decision.Value)
35
+	cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "delete", *decision.Value)
36
 	log.Debugf("pfctl del : %s", cmd.String())
37
 	if out, err := cmd.CombinedOutput(); err != nil {
38
 		log.Infof("Error while deleting from table (%s): %v --> %s", cmd.String(), err, string(out))
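Review bot: The anchor name `"crowdsec"` is now a string literal repeated in four exec.Command calls (checkTable, shutDown, Add, Delete), and it has to agree with the `-a crowdsec` used by files/crowdsec_firewall.in; a typo in any one of them would have the bouncer check, flush or update a table in a different anchor from the one the rc script loads rules into. Hoisting it to a package-level constant next to pfctlCmd, `const pfctlAnchor = "crowdsec" // must match the anchor used by the crowdsec_firewall rc script`, and passing `"-a", pfctlAnchor` in each call keeps the four invocations in sync and documents the coupling. With the anchor-scoped `-s Tables` in checkTable, a table created outside the anchor presumably no longer satisfies the check, so a host upgrading from the earlier anchor-less layout would fail until pf.conf is updated as the new pkg-message describes; the check logic that decides this is outside the hunk. checkTable and shutDown begin inside the hunks but end outside them, and Add and Delete start before their hunks.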
(-)b/security/crowdsec-firewall-bouncer/files/pkg-message.in (-12 / +10 lines)
Lines 21-43 pf_enable: NO -> YES Link Here
21
Enabling pf.
21
Enabling pf.
22
----------
22
----------
23
23
24
Then activate the bouncer via sysrc:
24
Add the following in /etc/pf.conf to create the firewall tables and rules:
25
25
26
----------
26
----------
27
# sysrc crowdsec_firewall_enable="YES"
27
anchor crowdsec
28
crowdsec_firewall_enable: NO -> YES
29
# service crowdsec_firewall start
30
----------
28
----------
31
29
32
After a few seconds, the bouncer should have created the tables and rules:
30
To apply the file:
31
32
# pfctl -f /etc/pf.conf
33
34
Then activate the bouncer via sysrc and run it:
33
35
34
----------
36
----------
35
# pfctl -s Tables
37
# sysrc crowdsec_firewall_enable="YES"
36
crowdsec-blacklists
38
crowdsec_firewall_enable: NO -> YES
37
crowdsec6-blacklists
39
# service crowdsec_firewall start
38
# pfctl -s Tables -s rules
39
block drop in quick from <crowdsec-blacklists> to any
40
block drop in quick from <crowdsec6-blacklists> to any
41
----------
40
----------
42
41
43
EOM
42
EOM
44
- 
