NetBSD-Users archive


Re: ippool not working?



Louis Guillaume <louis%zabrico.com@localhost> writes:

> Hi - I wonder what might be going wrong here...
>
> # ippool -f /etc/ippool.conf
> syntax error error at "file", line 1
>
> # cat /etc/ippool.conf
> pool ipf/tree (name "robots";)
> 	{ file:///etc/ipf/ssh_robot_blacklist; };
>
> # head /etc/ipf/ssh_robot_blacklist
> 1.0.247.245/32
> 1.1.166.18/32
> 1.109.1.54/32
> 1.119.12.115/32
> 1.119.3.58/32
> 1.160.77.160/32
> 1.160.8.216/32
> 1.162.178.160/32
> 1.163.174.40/32
> 1.163.87.241/32
>
>
> ... Is the "file" option not supported?
>
> I'm trying to avoid having thousands of rules in ipf.conf by doing a
>
>    block in quick on vr3 from tree/robots to any
>
> Any help would be great,
>
> Louis


Hello.....

I use ippool with ipf all of the time and for many years, but in a
slightly different manner.  I don't know if the file directive works in
the manner you are attempting, but the following does work:

table role = ipf type = hash name = blocklist size = 70000
{
1.2.3.4/32;
.
.
. [put the ip addresses here]
.
.
.
};

The above is the format of my /etc/ippool.conf which gets updated as
blocked ip addresses are added.  After an update I do:

/etc/rc.d/ipfilter start
/etc/rc.d/ippool restart
/etc/rc.d/ipfilter start

The purpose of this sequence was that in the NetBSD 4.x days it was the
only way to get the pool updated and ipf happy with the new contents of
the pool, and I never bothered to test if that sort of thing is still
needed in the 7.x or 8.x era.  All /etc/rc.d/ippool does is provide a
stop/start/status/reload sort of thing to manage the pool.  I wrote it a
long time ago to help kick start the population of the pool.

It appears that you may have a candidate IP address list so if you can
form up your ippool.conf more directly you may be able to get it to
work.


I will say that there are some bugs in ippool, especially if you do not
give the system enough memory, but I have not found anything very bad
about it.  IPv6 is supposed to work, but I have never tried using an IPv6
address in a pool.

I have hopes of being able to move to NPF, which appears to have better
pool support, but I am not clear if BRIDGE_IPF or something like that is
supported and I really need that.

-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org
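
As an added example (not code from this thread, from ipfilter, or from either poster), the following sh script turns a one-CIDR-per-line file such as the quoted /etc/ipf/ssh_robot_blacklist into the "table ... { ... };" form shown in the reply above, refuses to write the config if any line is not an IPv4 CIDR, and only then runs the ipfilter/ippool restart sequence from the reply. The table name "blocklist", the size 70000 and the /etc/ippool.conf path are taken from the reply; the function names, the use of mktemp for an atomic replace, and the sample list are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the NetBSD-Users thread above; not part of ipfilter.
# Builds an ippool.conf "table" block from a plain list of IPv4 CIDRs.

# gen_ippool_conf LISTFILE NAME SIZE
# Prints the table block on stdout.  Blank lines and '#' comments in
# LISTFILE are skipped, a bare address gets /32 appended, and any line
# that is not an IPv4 CIDR is reported on stderr; the function then
# returns non-zero so a bad list never replaces a working config.
gen_ippool_conf() {
    listfile=$1 name=$2 size=$3
    awk -v name="$name" -v size="$size" '
    function valid_v4(a,    oct, n, i) {
        n = split(a, oct, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || oct[i] > 255) return 0
        return 1
    }
    BEGIN {
        bad = 0
        printf "table role = ipf type = hash name = %s size = %s\n{\n", name, size
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments/whitespace
    $0 == "" { next }
    {
        nf = split($0, p, "/")
        if (nf > 2 || !valid_v4(p[1]) ||
            (nf == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32))) {
            printf "%s: line %d: not an IPv4 CIDR: %s\n", FILENAME, FNR, $0 > "/dev/stderr"
            bad++
            next
        }
        if (nf == 1) p[2] = 32
        printf "%s/%s;\n", p[1], p[2]
    }
    END { print "};"; exit (bad > 0) }
    ' "$listfile"
}

# install_pool LISTFILE
# Regenerates /etc/ippool.conf from LISTFILE via a temp file and rename,
# then runs the start/restart/start sequence quoted in the reply above.
# Hypothetical helper; run as root on the firewall host.
install_pool() {
    tmp=$(mktemp /etc/ippool.conf.XXXXXX) || return 1
    if gen_ippool_conf "$1" blocklist 70000 > "$tmp"; then
        mv "$tmp" /etc/ippool.conf
        /etc/rc.d/ipfilter start
        /etc/rc.d/ippool restart
        /etc/rc.d/ipfilter start
    else
        rm -f "$tmp"
        return 1
    fi
}

# write_sample_list FILE
# Constructed sample input (a few addresses from the quoted blacklist
# plus a comment, a blank line and a bare address); not the real file.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample, not the real ssh_robot_blacklist
1.0.247.245/32
1.1.166.18/32

1.109.1.54
EOF
}

# Typical use on the firewall: install_pool /etc/ipf/ssh_robot_blacklist
```

Generating into a temporary file and renaming it over /etc/ippool.conf means a list with a bad line (or a truncated download of the blacklist) never leaves a half-written config behind, and the restart sequence is only run when the new table parsed cleanly.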

