Bug 214315 - security/sshguard with ipfw does not work in FreeBSD 11.0
Summary: security/sshguard with ipfw does not work in FreeBSD 11.0
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: Mark Felder
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-08 12:22 UTC by Vladislav V. Prodan
Modified: 2016-12-28 19:39 UTC

See Also:

Description Vladislav V. Prodan 2016-11-08 12:22:14 UTC
sshguard with ipfw does not work in FreeBSD 11.0
And since sshguard is called via syslog, the syslogd service crashed as well.

I understand that the problem is a change in the ipfw table format in FreeBSD 11.0.

# /usr/local/sbin/sshguard -a 60 -p 420 -s 1200 -b 120:/var/db/sshguard/blacklist.db
ipfw: failed to request table info: No such process
Could not initialize firewall

# ipfw show
00010    6534    1598558 allow ip from any to any via lo0
65533 5160642  355170504 allow ip from any to any
65534       0          0 allow ip6 from any to any
65535      16       1268 allow ip from any to any

# uname -a
FreeBSD tank.XXX.ua 11.0-STABLE FreeBSD 11.0-STABLE #0 r307394: Fri Oct 21 00:28:11 EEST 2016     root@tank.XXX.ua:/usr/obj/usr/src/sys/tank.XXX.ua.4  amd64


# /usr/local/sbin/sshguard -v
sshguard 1.7.0

# grep sshguard /etc/syslog.conf
auth.info;authpriv.info | exec /usr/local/sbin/sshguard -a 60 -p 420 -s 1200 -b 120:/var/db/sshguard/blacklist.db


# cat /var/db/ports/security_sshguard/options
# This file is auto-generated by 'make config'.
# Options for sshguard-1.7.0_1
_OPTIONS_READ=sshguard-1.7.0_1
_FILE_COMPLETE_OPTIONS_LIST= IPFW NULL PF
OPTIONS_FILE_SET+=IPFW
OPTIONS_FILE_UNSET+=NULL
OPTIONS_FILE_UNSET+=PF
Comment 1 Mark Felder freebsd_committer 2016-11-08 20:07:56 UTC
The syslog method has not been supported for some time. Please don't run it that way. It's not considered reliable/stable by upstream anymore.

Also ipfw support for sshguard no longer auto-creates the ipfw rules required for it to work. You're expected to add your own table and block rule and sshguard just populates the table (table named 22, as non-numeric tables aren't supported before 11-RELEASE.)

I understand this is unexpected behavior, but I encourage you to contact upstream via the mailing list. Kevin is very responsive to real user feedback.
Comment 2 Kevin Zheng 2016-12-28 19:39:31 UTC
There was a little bit of misunderstanding. In FreeBSD 11, it is no longer valid to add addresses to a table before creating it. In the past, SSHGuard could simply add addresses to a table without having created it first. This doesn't change the fact that users must still block the table with their own rule.

This is probably a good local change to keep around until the next version rolls around to support FreeBSD 11:

--- a/src/fwalls/ipfw.sh
+++ b/src/fwalls/ipfw.sh
@@ -5,7 +5,9 @@
 IPFW_TABLE=22
 
 fw_init() {
-    ipfw table ${IPFW_TABLE} list > /dev/null
+    # Starting in FreeBSD 11, tables must first be created.
+    ipfw table ${IPFW_TABLE} create 2>/dev/null || \
+        ipfw table ${IPFW_TABLE} list > /dev/null
 }
 
 fw_block() {
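Review bot: the `2>/dev/null` on the `create` line hides every failure, not only "table already exists", so when the fallback `list` then also fails the user only sees the generic "failed to request table info: No such process" message quoted in the report; consider leaving stderr of the `list` visible or printing a message naming `${IPFW_TABLE}` when both commands fail. The comment above `create` should also say that the `|| ... list` branch is what keeps `fw_init` working on FreeBSD 10, where `ipfw table N create` is not a valid subcommand, and that creating the table still does not add the deny rule that references it (Comment 1 and Comment 2 both require the user to add that rule by hand), so `fw_init` succeeding is not the same as blocking being in effect.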
@@ -21,5 +23,5 @@ fw_flush() {
 }
 
 fw_fin() {
-    :
+    ipfw table ${IPFW_TABLE} destroy 2>/dev/null
 }
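Review bot: replacing the `:` no-op with `ipfw table ${IPFW_TABLE} destroy` in `fw_fin` discards every address currently in the table whenever sshguard stops, and it also removes a table the administrator created by hand, which is exactly what Comment 1 tells users to do; with `2>/dev/null` a destroy that fails goes unnoticed as well. If the intent is only to drop sshguard's own entries on exit, `ipfw table ${IPFW_TABLE} flush` keeps the table and the rule that references it intact; if the intent is to leave blocks in place across restarts, the previous no-op is the safer choice.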

Alternatively, as the reporter suggests, run `ipfw table 22 create` manually.
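Both comments above make the same two points: on FreeBSD 11 the table must exist before sshguard adds addresses to it, and a deny rule referencing that table must be present or sshguard will fill the table and nothing is ever blocked. The script below is an added example for checking and preparing that setup; it is not part of the bug report or of sshguard. It assumes table 22 (sshguard's `IPFW_TABLE`), an arbitrary rule number 100 for the deny rule, and that `ipfw show` prints a rule referencing the table with the text `table(22)`. The sample rulesets at the bottom are constructed from the `ipfw show` output in the report so the checks can be exercised without ipfw installed; the real ipfw commands only run with `--apply`.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sshguard itself.
# Prepares ipfw for sshguard on FreeBSD 11 as the comments describe: the table
# must exist before sshguard adds addresses, and a deny rule that references
# the table must be present or nothing is ever blocked.
# Assumptions: table 22 (sshguard's IPFW_TABLE); rule number 100 is arbitrary;
# `ipfw show` prints a referencing rule as "... table(22) ...".

SSHGUARD_TABLE=22
BLOCK_RULE_NUM=100

# ruleset_references_table RULESET TABLE
# Returns 0 if the given `ipfw show` text contains a rule referencing TABLE.
ruleset_references_table() {
    printf '%s\n' "$1" | grep -q "table($2)"
}

# table_missing_error TEXT
# Returns 0 if TEXT is the error ipfw prints on FreeBSD 11 when the table
# does not exist (the message quoted in the report).
table_missing_error() {
    printf '%s\n' "$1" | grep -q 'failed to request table info'
}

# setup_sshguard_ipfw
# Creates the table if needed and adds the deny rule if none references it.
# Runs real ipfw commands, so it is only meaningful as root on FreeBSD.
setup_sshguard_ipfw() {
    if ! ipfw table "$SSHGUARD_TABLE" create 2>/dev/null; then
        # create also fails when the table already exists; confirm it is there
        err=$(ipfw table "$SSHGUARD_TABLE" list 2>&1 >/dev/null) || {
            if table_missing_error "$err"; then
                echo "ipfw table $SSHGUARD_TABLE is missing and could not be created" >&2
            else
                echo "ipfw: $err" >&2
            fi
            return 1
        }
    fi
    # Without a rule that references the table, sshguard's entries have no effect.
    if ! ruleset_references_table "$(ipfw show)" "$SSHGUARD_TABLE"; then
        ipfw -q add "$BLOCK_RULE_NUM" deny ip from "table($SSHGUARD_TABLE)" to any
    fi
}

# Constructed sample rulesets for offline checking: the ruleset from the
# report, which references no table, and the same ruleset after the deny
# rule has been added.
RULESET_REPORTED='00010    6534    1598558 allow ip from any to any via lo0
65533 5160642  355170504 allow ip from any to any
65534       0          0 allow ip6 from any to any
65535      16       1268 allow ip from any to any'

RULESET_FIXED="00010    6534    1598558 allow ip from any to any via lo0
00100       0          0 deny ip from table($SSHGUARD_TABLE) to any
65533 5160642  355170504 allow ip from any to any
65535      16       1268 allow ip from any to any"

# Only touch the live firewall when asked explicitly, so sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    setup_sshguard_ipfw
fi
```

Run as `sh setup-sshguard-ipfw.sh --apply` on the host; the rule number and table number are the only values to adapt. Keeping the reference check separate from the setup means the same `ruleset_references_table` test can be dropped into a monitoring script that alerts when the deny rule has gone missing from the ruleset.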