
Commit 8bc655a

committed
PR/14: robohack: make packet filter detection more reliable and add
explanatory comments.
1 parent 7179970 commit 8bc655a

1 file changed

Lines changed: 52 additions & 28 deletions


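--- a/external/bsd/blocklist/libexec/blocklistd-helper
+++ b/external/bsd/blocklist/libexec/blocklistd-helper
@@ -14,19 +14,18 @@ if [ -f "/etc/ipfw-blocklist.rc" ]; then
 pf="ipfw"
 . /etc/ipfw-blocklist.rc
 ipfw_offset=${ipfw_offset:-2000}
-else
-# ipfilter NetBSD, FreeBSD, Linux
-for f in /etc/ipf.conf /etc/ipf.rules /etc/netscript/ipfilter.conf; do
-if [ -f "$f" ]; then
-pf="ipf"
-break
-fi
-done
 fi
 
 if [ -z "$pf" ]; then
-for f in npf pf; do
-if [ -f "/etc/$f.conf" ]; then
+for f in npf pf ipfilter ipfw; do
+if [ -x /etc/rc.d/$f ]; then
+if /etc/rc.d/$f status >/dev/null 2>&1; then
+pf="$f"
+break
+fi
+elif [ -f "/etc/$f.conf" ]; then
+# xxx assume a config file means it can be enabled --
+# and the first one wins!
 pf="$f"
 break
 fi
@@ -69,14 +68,19 @@ esac
 case "$1" in
 add)
 case "$pf" in
-ipf)
+ipfilter)
 # N.B.: If you reload /etc/ipf.conf then you need to stop and
-# restart blocklistd (and make sure blocklistd_flags="-r"):
+# restart blocklistd (and make sure blocklistd_flags="-r").
+# This should normally already be implemented in
+# /etc/rc.d/ipfilter, but if then not add the following lines to
+# the end of the ipfilter_reload() function:
 #
-# /etc/rc.d/ipfilter reload
-# /etc/rc.d/blocklistd restart
+# if checkyesnox blocklistd; then
+# /etc/rc.d/blocklistd restart
+# fi
 #
 # XXX we assume the following rule is present in /etc/ipf.conf:
+# (should we check? -- it probably cannot be added dynamically)
 #
 # block in proto tcp/udp from any to any head blocklistd
 #
@@ -97,8 +101,8 @@ add)
 # actually block packets, and prevent logging of them as
 # connections, because they include the "quick" flag.
 #
-# N.b.: $port is not included -- abusers are cut off completely
-# from all services!
+# N.b.: $port is not included/used in rules -- abusers are cut
+# off completely from all services!
 #
 # Note RST packets are not returned for blocked SYN packets of
 # active attacks, so the port will not appear to be closed.
@@ -111,12 +115,12 @@ add)
 # to open connections (see $flags above). This allows us to do
 # counterespionage against the attacker (or continue to make use
 # of any other services that might be on the same subnet as the
-# attacker). However it does not kill any active connections --
-# we rely on the reporting daemon to do its own protection and
-# cleanup.
+# supposed attacker). However it does not kill any active
+# connections -- we rely on the reporting daemon to do its own
+# protection and cleanup.
 #
-# N.B.: The generated must exactly match the rule generated for
-# the "rem" command below!
+# N.B.: The rule generated here must exactly match the
+# corresponding rule generated for the "rem" command below!
 #
 echo block in log quick $proto \
 from $addr/$mask to any $flags group $2 | \
@@ -167,7 +171,10 @@ add)
 ;;
 rem)
 case "$pf" in
-ipf)
+ipfilter)
+# N.B.: The rule generated here must exactly match the
+# corresponding rule generated for the "add" command above!
+#
 echo block in log quick $proto \
 from $addr/$mask to any $flags group $2 | \
 /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
@@ -200,19 +207,36 @@ rem)
 ;;
 flush)
 case "$pf" in
-ipf)
-#
-# XXX this is a slightly convoluted way to remove all the rules
-# in the group added for "$2" (i.e. normally by default
-# "blocklistd").
+ipfilter)
 #
 # N.B. WARNING: This is obviously not reentrant!
 #
+# First we flush all the rules from the inactive set, then we
+# reload the ones that do not belong to the group "$2", and
+# finally we swap the active and inactive rule sets.
+#
 /sbin/ipf -I -F a
+#
+# "ipf -I -F a" also flushes active accounting rules!
+#
+# Note that accounting rule groups are unique to accounting
+# rules and have nothing to do with filter rules, though of
+# course theoretically one could use the same group name for
+# them too.
+#
+# In theory anyone using any such accounting rules should have a
+# wrapper /etc/rc.conf.d/blocklistd script (and corresponding
+# /etc/rc.conf.d/ipfilter script) that will record and
+# consolidate the values accumulated by such accounting rules
+# before they are flushed, since otherwise their counts will be
+# lost forever.
+#
 /usr/sbin/ipfstat -io | fgrep -v "group $2" | \
 /sbin/ipf -I -f - >/dev/null 2>&1
-# XXX this MUST be done last and separately as "-s" is executed
+#
+# This MUST be done last and separately as "-s" is executed
 # _while_ the command arguments are being processed!
+#
 /sbin/ipf -s && echo OK
 ;;
 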
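Review bot: The config-file fallback in the first hunk's detection loop no longer finds a non-running ipfilter installation: the removed loop looked for /etc/ipf.conf, /etc/ipf.rules and /etc/netscript/ipfilter.conf, whereas the new `elif [ -f "/etc/$f.conf" ]` branch checks /etc/ipfilter.conf when f=ipfilter, a path the helper itself never references (the comments in the add case still assume /etc/ipf.conf). On a host without an executable /etc/rc.d/ipfilter this presumably leaves pf empty and the helper installs no block rule at all, which fails open. A per-filter check, e.g. `elif [ -f "/etc/$f.conf" ] || { [ "$f" = ipfilter ] && [ -f /etc/ipf.conf ]; }; then`, would restore the previous coverage while keeping the rc.d status probe as the preferred signal. Note also that when /etc/rc.d/$f exists but `status` fails, the loop skips the config-file fallback for that filter entirely; if that is intended, the `# xxx` comment should say so. The enclosing if block continues outside the hunk.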