Re: blocklist puzzle

To: "J. Hannken-Illjes" <hannken%mailbox.org@localhost>
Subject: Re: blocklist puzzle
From: Patrick Welche <prlw1%welche.eu@localhost>
Date: Sun, 19 Feb 2023 12:59:23 +0000

On Sun, Feb 19, 2023 at 09:52:24AM +0100, J. Hannken-Illjes wrote:
> > On 18. Feb 2023, at 23:34, Patrick Welche <prlw1%welche.eu@localhost> wrote:
> > 
> > 12 hours after rebooting
> > 
> > # npfctl rule blocklistd list
> > block in final family inet4 proto tcp from 61.177.173.35/32 to any port 22 # id="1"
> > #
> > 
> > contains a single block, yet /var/log/messages is full:
> > 
> > Feb 18 17:47:44 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> > Feb 18 18:18:00 mail blocklistd[596]: released 171.225.184.179/32:22 after 172800 seconds
> > Feb 18 18:18:07 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> > Feb 18 18:35:18 mail blocklistd[596]: blocked 31.41.244.124/32:22 for 172800 seconds
> > Feb 18 18:48:10 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> > Feb 18 19:18:02 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> > Feb 18 20:18:13 mail blocklistd[596]: blocked 195.226.194.142/32:22 for 172800 seconds
> > Feb 18 20:47:46 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> > Feb 18 21:17:48 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> > Feb 18 21:47:55 mail blocklistd[596]: blocked 195.226.194.242/32:22 for 172800 seconds
> > 
> > 
> > 
> > If something were misconfigured, I would expect no hosts in the ruleset,
> > rather than some (or one). How can this work partially?
> > 
> > extract of npf.conf:
> > 
> > group "external" on $ext_if {
> >        pass stateful out final all
> > 
> >        ruleset "blocklistd"
> > 
> > ...
> 
> Looks like your ruleset "blocklistd" never fires as the rule above is "final all".

I thought this would only apply to packets on their way out, whereas the
blocking should happen on the way in?

npf.conf(5) gives the example:

     group "external" on $ext_if {
             pass stateful out final all

             block in final from <blocklist>
...
which suggests that it should work?

"npfctl rule blocklistd list" also lists more hosts today, so it at least
works _sometimes_.

The puzzle is this apparent _sometimes_ - I would expect an empty list if
this were misconfigured, which is why I can't guess where to look for the
problem.


Cheers,

Patrick

References:
- blocklist puzzle
  - From: Patrick Welche
- Re: blocklist puzzle
  - From: Patrick Welche
- Re: blocklist puzzle
  - From: J. Hannken-Illjes

Prev by Date: Automated report: NetBSD-current/i386 test failure
Next by Date: Re: bta2dpd plays too fast
Previous by Thread: Re: blocklist puzzle
Indexes:

Home | Main Index | Thread Index | Old Index