From: Mark F. <fe...@Fr...> - 2015-10-08 18:28:27
On Sun, Jun 21, 2015, at 23:43, SASAKI Katuhiro wrote:
> Hi.
>
> > In light of the recent `ipfw` issues I've decided to re-implement the
> > `ipfw` backend using the command framework that is used for nearly all
> > of the other backends.
>
> Great!
>
> > Please don't test this in a production environment, and if you test it
> > at all, be aware that bad things can happen. Please take a look at the
> > patch before you try to run this code.
>
> I tested the patch with 1.6.0 on my FreeBSD 10.1R/i386. Two problems
> below are found.
>
> 1. In the viewpoint of ipfw, tables are specified by number (0 to
> 65535). We can't assign the name like "sshguard" for tables. It
> became necessary to replace "sshguard" with some number (22, for
> example).
>

IPFW had a huge overhaul last fall.

https://svnweb.freebsd.org/base/head/sbin/ipfw/ipfw.8?revision=272840&view=markup

root@gw:~ # uname -a
FreeBSD gw.feld.me 11.0-CURRENT FreeBSD 11.0-CURRENT #46 r288524M: Sat Oct 3 06:41:42 CDT 2015
root@gw:~ # ipfw table sshguard add 1.2.3.4/32
DEPRECATED: inserting data into non-existent table sshguard. (auto-created)
added: 1.2.3.4/32 0
root@gw:~ # ipfw table sshguard list
--- table(sshguard), set(0) ---
1.2.3.4/32 0

> 2. Command "ipfw table [table number] add" can receive only one target
> (IP address, and some other search keys) at a time. Using a loop in
> "COMMAND_BLOCK_LIST" looks reasonable for me.
>
> Attached is patch for
> 0001-Reimplement-ipfw-backend-using-command-framework.patch.
>
> Thank you.
>

The release notes for the new IPFW changes mention "Batched add/delete has been added to tables code" but I'm not sure how that is supposed to work.

--
Mark Felder
ports-secteam member
fe...@Fr...
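Point 2 above (one address per `ipfw table ... add` call) as an added shell example; this is not code from sshguard, from the attached patch, or from either poster. The names `IPFW`, `valid_addr` and `block_list` are assumptions, the table argument may be a number (older ipfw) or a name (r272840 and later), and the address is checked before it reaches the ipfw command line so that nothing but an address form is ever passed through.

```sh
#!/bin/sh
# Added example (not sshguard's or the thread's code): drive ipfw's
# one-address-per-call "table <t> add" interface with a loop, as point 2
# above suggests for COMMAND_BLOCK_LIST.
# IPFW is the command to run; set IPFW=echo for a dry run on a host
# without ipfw (assumption: the real tool lives at /sbin/ipfw).
IPFW="${IPFW:-/sbin/ipfw}"

# Accept only plain IPv4/IPv6 address forms with an optional prefix
# length, so nothing else (options, shell metacharacters) reaches ipfw.
valid_addr() {
    case "$1" in
        *[!0-9a-fA-F:./]*) return 1 ;;   # any other character: reject
        *.*.*.*) return 0 ;;              # IPv4 dotted quad
        *:*:*) return 0 ;;                # IPv6 (at least two colons)
        *) return 1 ;;
    esac
}

# block_list TABLE ADDR... : add each address to TABLE, one call per
# address. TABLE may be a number (pre-r272840 ipfw) or a name (newer
# ipfw, which auto-creates it as the session above shows). Returns
# non-zero if any address was rejected or any ipfw call failed.
block_list() {
    table="$1"; shift
    rc=0
    for addr in "$@"; do
        if ! valid_addr "$addr"; then
            echo "skipping invalid address: $addr" >&2
            rc=1
            continue
        fi
        "$IPFW" table "$table" add "$addr" || rc=1
    done
    return $rc
}
```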