Port-arm archive


Re: No ipf in RPI2 evbarm 7.0.2 kernel?



npf seems to function. Feedback:

* the npf.conf(5) man page example is too long so I just created a
shorter .conf file with only the blocklist. This is how I managed to
lock myself out as I guess the default group just blocks everything by
default.

* I needed to add npf to /etc/modules.conf which is not documented

* I cannot use log: npflog0. ifconfig fails although I'm also loading
the npf_ext_log and npf_ext_normalize modules in /etc/modules.conf
(this is luckily mentioned in the example)

    # ifconfig npflog0 create
    ifconfig: clone_command: Invalid argument
    ifconfig: exec_matches: Invalid argument

* the example has a `table <blacklist> type hash file` which doesn't
work with CIDRs for some reason, it needs a 'type tree' file, whatever
that is.

* `npfctl reload` is opaque and fails although `validate` doesn't
complain. The error:

npfctl: npfctl_config_send: Invalid argument

is not telling you anything. Turns out my /etc/npf_blacklist file
(which gets loaded in the table) is too long! 500 lines seems to be
the max. Why?

* npfctl table add is cool but it would be nice to actually write to the file.

Anyhow, npf is looking much better! I now suspect one could tweak
fail2ban to use a npf table file and just call `npf reload` when
blocking / unblocking IPs.

--emi


On Fri, Jul 6, 2018 at 1:00 PM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>
> Emilian Bold <emilian.bold%gmail.com@localhost> wrote:
>>Wow! So... I just want to block an IP based on the nginx log.
>
> Ok.
>
> You already have the IP addresses in a file so don't need to have
> extra application support to detect and respond to new ones.
>
> Maybe run a script at regular intervals to extract the addresses
> and do something with them.
>
>>Honestly I would love to have just an /etc/blockips.conf file which
>>has IPs or CIDR addresses and maps to whatever underlying firewall
>>there is on the system. I just want something simple, not do the
>>routing for a small intranet, don't give me all these grammars to
>>learn. (Not criticising the support I got so far, which is awesome,
>>just the tooling status quo).
>
> The npf examples in /usr/share/examples/npf show how to set up a
> table of addresses to block.
>
> This table can be initialized from a list of addresses in a file
> and/or you can add addresses individually using 'npfctl table ...'.
>
>

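The periodic script Robert suggests above, and the fail2ban-style "add to the table file and to the live table" idea emi ends with, written out as an added example. This is not code from the thread and not part of NetBSD or npf. It assumes (none of this is stated on the page) that nginx logs in its default "combined" format, that npf.conf already declares a table named <blacklist> backed by the file /etc/npf_blacklist (the names emi uses), and that npfctl is reached through the variable $NPFCTL so the script can be dry-run with NPFCTL=echo on a machine that has no npf:

```shell
#!/bin/sh
# Added example, not code from the thread or from NetBSD/npf.
# Assumptions (not stated on the page): nginx writes its access log in the
# default "combined" format; the npf table is called <blacklist> and is backed
# by /etc/npf_blacklist as in emi's mail; npfctl is invoked through $NPFCTL so
# the script can be dry-run (NPFCTL=echo) on a host without npf.

NPFCTL="${NPFCTL:-npfctl}"

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [06/Jul/2018:12:58:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.54.0"
203.0.113.7 - - [06/Jul/2018:12:58:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/7.54.0"
203.0.113.7 - - [06/Jul/2018:12:58:03 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.54.0"
198.51.100.9 - - [06/Jul/2018:12:59:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Jul/2018:12:59:11 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Jul/2018:13:00:00 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
192.0.2.44 - - [06/Jul/2018:13:00:01 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
192.0.2.44 - - [06/Jul/2018:13:00:02 +0000] "GET /admin HTTP/1.1" 403 162 "-" "python-requests/2.18.4"
EOF
)

# offenders THRESHOLD < access.log
# Print, sorted, each client address with at least THRESHOLD 4xx responses.
# In combined format field 1 is the client address and field 9 the status.
# Only a plain dotted quad is accepted, so a malformed or hostile log line
# can never turn into an argument for npfctl.
offenders() {
    awk -v t="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# new_entries BLOCKFILE < candidates
# Drop addresses that are already lines of the table file.
new_entries() {
    if [ -s "$1" ]; then
        grep -Fxv -f "$1" || true   # grep exits 1 when nothing is new
    else
        cat
    fi
}

# block_new THRESHOLD BLOCKFILE < access.log
# Each new offender is appended to the table file, so it survives the next
# `npfctl reload`, and added to the running table so it takes effect now.
block_new() {
    offenders "$1" | new_entries "$2" | while IFS= read -r ip; do
        printf '%s\n' "$ip" >> "$2"
        "$NPFCTL" table blacklist add "$ip"
    done
}

# Stand-alone run: show who would be blocked at threshold 2 on the sample.
# From cron every few minutes, as root:
#   block_new 5 /etc/npf_blacklist < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```

The table declaration itself still has to live in npf.conf (the files under /usr/share/examples/npf that Robert points to show that part); the script only keeps the file and the live table in step. Appending to the file rather than rewriting it is deliberate: a reload then reproduces exactly the set that `npfctl table ... add` already enforced, which is the gap emi notes about `table add` not writing to the file. Validate the address before handing it to npfctl, as done here, since everything else on the log line is attacker controlled.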
