blacklistd: spurious whitelisting of IPs

Fri, 29 May 2020 10:31:50 -0700 


Greetings.


[I originally posted this to freebsd-questions, but that may have been 
the wrong list; I hope this one is right]



My blacklistctl dump -a output currently looks a bit like this (IP 
addresses partially redacted):


        address/ma:port id      nfail   last access
130.209.XX.XX/32:22             0/-1    1970/01/01 01:00:00
 130.209.XX.XX/32:22            6/-1    2020/05/18 11:30:19
  194.XX.XX.XX/32:22            3/-1    2020/05/29 00:35:05
  194.XX.XX.XX/32:22            154/-1  2020/05/29 12:13:21
  [...]
      85.130.2.35/32:22         1/4     2020/05/29 10:28:30
  [...]


The 130.209 is the local /16.  The odd thing is the -1 as the nfail 
limit, meaning 'do not block' or 'whitelisted', which I can't explain.  
That is, I see a number of lines that I expect, but a good number of 
nfail=-1 lines in these two netblocks 130.209.0.0/16 and 194.0.0.0/8.  I 
see no nfail=-1 lines outside these netblocks.


My blacklistd.conf looks like:

    [local]
    ssh         stream  *       *               *       4       24h
    ftp         stream  *       *               *       3       24h
    smtp                stream  *       *               *       3       24h
    submission  stream  *       *               *       3       24h
    *           *       *       *               *       3       60
    [remote]
    130.209.XX.XX:ssh * *       *               *       *       *
    194.XX.XX.XX:ssh *  *       *               *       *       *
    130.209.XX.XX:ssh * *       *               *       *       *


The [local] stanza is almost the default; the [remote] explicitly 
whitelists three machines.



But the whitelisted machines _do not_ match the nfail=-1 machines in the 
blacklistctl output.  They're in the same 130.209.0.0/16 and 
194.0.0.0/8, but are not the same IP address.



It's as if the [remote] lines were being parsed as 130.209.0.0/16:ssh 
and 194.0.0.0/8:ssh, but there's nothing in the by-hand parser of the 
.conf file that suggests that's what's happening (see 
<https://github.com/freebsd/freebsd/blob/master/contrib/blacklist/bin/conf.c> 
lines 224 and 586, last changed March 2018).


What's going on?  Why are those ranges whitelisted?

A little background:


The machine this is running on is hosting three jails (one of which is 
the bastion host that this is really protecting, and the blacklistd is 
listening on sockets in both the host and the bastion jail), it has four 
IP addresses (one host plus three jails, two of which are in the 
172.16.0.0/12 private IP range), and it has a non-trivial, but not 
particularly complicated pf firewall configuration.  This is the 
blacklistd in FreeBSD 12.0-RELEASE-p8 (I can't find a version option on 
blacklistd nor any version strings in the blacklistd binary).


I'm perplexed.

Best wishes,

Norman


--
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"














    











					Reply via email to