From: <li...@la...> - 2015-08-22 04:53:44
I think I understand how the rule-number works. Doing the ipfw list, unless a number is specified, all the denies are at the end. That is where my new rule is at the moment.
How about if I made the new rule be number 2450?
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state
01400 allow udp from me to any keep-state
01500 allow icmp from me to any keep-state
01600 allow ipv6-icmp from me to any keep-state
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 143
02900 allow tcp from any to me dst-port 443
03000 allow tcp from any to me dst-port 465
03100 allow tcp from any to me dst-port 500
03200 allow tcp from any to me dst-port 993
03300 allow tcp from any to me dst-port 4500
03400 allow tcp from any to me dst-port 110 in setup
03500 allow tcp from any to me dst-port 995 in setup
03600 allow tcp from any to me dst-port 25 in setup
03700 allow tcp from me to any dst-port 25 out setup
03800 allow tcp from any to me dst-port 465 in setup
03900 allow tcp from any to me dst-port 143 in setup
04000 allow tcp from any to me dst-port 993 in setup
65000 count ip from any to any
65100 allow log udp from any to any dst-port 500 keep-state
65200 allow log udp from any 500 to any keep-state
65300 allow log udp from any to any dst-port 4500 keep-state
65400 allow log udp from any 4500 to any keep-state
65500 deny log ip from table(22) to any
65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
65500 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
Original Message
From: Willem Jan Withagen
Sent: Friday, August 21, 2015 2:57 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 21-8-2015 10:11, li...@la... wrote:
> I cut the table down a bit and I also logged some of the blocking notices. It looks like the offending IPs do enter the table, but the blocking is not occurring, probably due to the "reset" line not being parsed.
>
> I'm assuming table(22) is linked to port 22, hence ssh.
Hi,
It is actually my suggestion from long, long ago.
And indeed it suggests the reason why an IP got blocked,
and indeed 22 = ssh, is ssh-bad-guys.
If you type 'ipfw list' you should see your reset somewhere.
But if you just type:
${fwcmd} add deny log all from "table(22)" to any
on the command line, the rule gets added at the END of the FW-rules.
And there it does not do anything....
You need to select a sensible place in the order of the rules, and
insert it at the right place by going:
${fwcmd} add <RULENR> deny log all from "table(22)" to any
If you do that in the /etc/rc.firewall file, then sequencing gets done
automagically.
--WjW
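Willem's point about ordering, and the 2450 suggested in the reply at the top of this thread, can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from sshguard: it reads the text of 'ipfw list', reports whether the deny for table(22) sorts before the first rule that accepts inbound SSH, and proposes a rule number halfway between that rule and its predecessor. It assumes table 22 is the sshguard table (as Willem says above) and that SSH is admitted by a 'tcp ... dst-port 22' rule; the two listings embedded in it are constructed, trimmed from the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread or sshguard): sanity-check the position
# of the sshguard block rule in an ipfw rule set.
# Assumptions: table 22 holds the sshguard-blocked addresses, and inbound SSH
# is accepted by a rule containing "allow tcp ... dst-port 22".

# check_sshguard_order LISTING
#   Prints a verdict and returns 0 if the first "deny ... table(22)" rule has a
#   lower number than the first "allow tcp ... dst-port 22" rule, 1 if it
#   comes after it (the block never fires), 2 if either rule is missing.
check_sshguard_order() {
    printf '%s\n' "$1" | awk '
        deny == ""  && /^[0-9]+ +deny .*table\(22\)/                 { deny = $1 + 0 }
        allow == "" && /^[0-9]+ +allow tcp .*dst-port 22([^0-9]|$)/  { allow = $1 + 0 }
        END {
            if (deny == "" || allow == "") { print "missing: no table(22) deny or no ssh allow"; exit 2 }
            if (deny < allow) { print "ok: deny " deny " precedes allow " allow; exit 0 }
            print "misordered: deny " deny " comes after allow " allow; exit 1
        }'
}

# suggest_rulenr LISTING
#   Prints a rule number halfway between the first ssh allow rule and the rule
#   listed just before it, so the deny lands in front of the allow without
#   colliding with a neighbour. (Assumed ipfw behaviour: a rule added with a
#   number that already exists is placed after the existing rules of that
#   number, which still keeps it ahead of the next number.)
suggest_rulenr() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+ +allow tcp .*dst-port 22([^0-9]|$)/ { print int((prev + $1) / 2); exit }
        { prev = $1 + 0 }'
}

# insert_command RULENR
#   Prints (does not run) the command Willem describes, with the number filled in.
insert_command() {
    printf 'ipfw add %s deny log ip from table(22) to any\n' "$1"
}

# Constructed listing: a trimmed copy of the misordered set posted above, with
# the sshguard deny appended at 65500, after the rule that already accepted SSH.
BAD_LISTING='00100 allow ip from any to any via lo0
01100 check-state
01300 allow tcp from me to any setup keep-state
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
65500 deny log ip from table(22) to any
65535 deny ip from any to any'

# Constructed listing: the same set after the deny was inserted at 2450.
GOOD_LISTING='00100 allow ip from any to any via lo0
01100 check-state
01300 allow tcp from me to any setup keep-state
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02450 deny log ip from table(22) to any
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 25
65535 deny ip from any to any'

# Demonstration on the constructed listings. The first check is expected to
# report "misordered"; its non-zero status is ignored so the script continues.
check_sshguard_order "$BAD_LISTING" || :
insert_command "$(suggest_rulenr "$BAD_LISTING")"
check_sshguard_order "$GOOD_LISTING"
```

On a live host, feed the real output in with `check_sshguard_order "$(ipfw list)"`; the 'check-state' rule at 1100 does not rescue a misplaced deny, because an address is blocked before it has any dynamic state, so the static rule order is what decides.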