Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: blocklist puzzle



> On 18. Feb 2023, at 23:34, Patrick Welche <prlw1%welche.eu@localhost> wrote:
> 
> 12 hours after rebooting
> 
> # npfctl rule blocklistd list
> block in final family inet4 proto tcp from 61.177.173.35/32 to any port 22 # id="1"
> #
> 
> contains a single block, yet /var/log/messages is full:
> 
> Feb 18 17:47:44 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 18:18:00 mail blocklistd[596]: released 171.225.184.179/32:22 after 172800 seconds
> Feb 18 18:18:07 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 18:35:18 mail blocklistd[596]: blocked 31.41.244.124/32:22 for 172800 seconds
> Feb 18 18:48:10 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 19:18:02 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 20:18:13 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> Feb 18 20:47:46 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 21:17:48 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> Feb 18 21:47:55 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> 
> 
> 
> If something were misconfigured, I would expect no hosts in the ruleset,
> rather than some (or one). How can this work partially?
> 
> extract of npf.conf:
> 
> group "external" on $ext_if {
>        pass stateful out final all
> 
>        ruleset "blocklistd"
> 
> ...

Looks like your ruleset "blocklistd" never fires as the rule above is "final all".

--
J. Hannken-Illjes - hannken%mailbox.org@localhost

Attachment: signature.asc
Description: Message signed with OpenPGP



Home | Main Index | Thread Index | Old Index