Port-arm archive


Re: No ipf in RPI2 evbarm 7.0.2 kernel?

Wow! So... I just want to block an IP based on the nginx log.

I first thought that fail2ban is the right approach. Except fail2ban
does not seem to work on NetBSD. There is a fail2ban package, it
runs, but then it tries to call `iptables` for the actual blocking /
unblocking and fails because there is no `iptables` binary present in
NetBSD.

Then, I figured I could use /etc/hosts.deny except nginx does not use
TCP Wrapper so it does not respect that either.

Then I figured I can use some firewall. Google gave me `ipf`, I do
have /sbin/ipf on my install so I figured to use that one! Except, it
apparently needs a manually compiled kernel to enable that module.

Now, I should look into `npfd` which might or might not work (I do see
/dev/npf and /etc/rc.d/npf so that's promising).

Or, I could just try to do the blocking at nginx level. Which should
work, although it might not be as good as somebody attacking the web
server might also try to attack the SSH daemon...

This is amazingly complicated!

There's also `blacklistd` which sounds perfect except it seems to
require application-level support, which nginx probably does not have
either.

Honestly I would love to have just an /etc/blockips.conf file which
has IPs or CIDR addresses and maps to whatever underlying firewall
there is on the system. I just want something simple, not do the
routing for a small intranet, don't give me all these grammars to
learn. (Not criticising the support I got so far, which is awesome,
just the tooling status quo).


--emi


On Fri, Jul 6, 2018 at 11:20 AM,  <maya%netbsd.org@localhost> wrote:
> please try npf, if you have a reason not to use npf please document it.
> it's purely for cultural reasons that the other two still exist in
> netbsd.
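As an added illustration of the npf route suggested in the reply (not code from the thread or from NetBSD itself), the script below derives a block list from nginx access-log lines and feeds it into a dynamic npf table. It assumes an npf.conf that declares the table and blocks traffic from it; the `table <blocklist> type ipset` spelling is the NetBSD 8+ syntax (7.x used numeric table IDs such as `<1>`), and the log lines are constructed sample data.

```sh
#!/bin/sh
# Assumed /etc/npf.conf fragment (not from the thread):
#   table <blocklist> type ipset
#   block in final from <blocklist>
# After `npfctl reload`, addresses can be added at runtime with
# `npfctl table blocklist add <addr>` without touching the config again.

# Constructed nginx "combined" log lines: one client hammering a
# non-existent login page, one ordinary client with a single 404.
SAMPLE_LOG='192.0.2.10 - - [06/Jul/2018:11:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
192.0.2.10 - - [06/Jul/2018:11:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [06/Jul/2018:11:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
192.0.2.10 - - [06/Jul/2018:11:00:04 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [06/Jul/2018:11:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"'

# offenders LOGTEXT MIN: print, sorted, every client address that
# produced at least MIN 4xx responses. In the combined format $1 is the
# client address and $9 the status code. The address is checked against
# a conservative character class so a forged log line cannot smuggle
# shell text into the npfctl argument later on.
offenders() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# block_offenders TABLE ADDR...: add each address to the npf table.
# npfctl is only invoked when it exists, so the example also runs on a
# non-NetBSD host and just prints what it would do.
block_offenders() {
    table="$1"; shift
    for ip in "$@"; do
        if command -v npfctl >/dev/null 2>&1; then
            npfctl table "$table" add "$ip"
        else
            printf 'would run: npfctl table %s add %s\n' "$table" "$ip"
        fi
    done
}

# Demonstration: three or more 4xx hits from one address gets it blocked.
block_offenders blocklist $(offenders "$SAMPLE_LOG" 3)
```

Run from cron or a log-tail loop, this gives the single "list of addresses to block" the message asks for, while npf does the actual packet filtering so the block also covers SSH and any other daemon on the host.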