Path: blob/main/libexec/blocklistd-helper/blacklistd-helper
48033 views
#!/bin/sh
#echo "run $@" 1>&2
#set -x
# $1 command
# $2 rulename
# $3 protocol
# $4 address
# $5 mask
# $6 port
# $7 id
pf=
if [ -f "/etc/ipfw-blacklist.rc" ]; then
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
echo "@ WARNING: rename /etc/ipfw-blacklist.rc to @" >&2
echo "@ /etc/ipfw-blocklist.rc @" >&2
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
pf="ipfw"
. /etc/ipfw-blacklist.rc
ipfw_offset=${ipfw_offset:-2000}
fi
if [ -z "$pf" ]; then
for f in npf pf ipfilter ipfw; do
if [ -x /etc/rc.d/$f ]; then
if /etc/rc.d/$f status >/dev/null 2>&1; then
pf="$f"
break
fi
elif [ -f "/etc/$f.conf" ]; then
# xxx assume a config file means it can be enabled --
# and the first one wins!
pf="$f"
break
fi
done
fi
if [ -z "$pf" -a -x "/sbin/iptables" ]; then
pf="iptables"
fi
if [ -z "$pf" ]; then
echo "$0: Unsupported packet filter" 1>&2
exit 1
fi
flags=
if [ -n "$3" ]; then
raw_proto="$3"
proto="proto $3"
if [ $3 = "tcp" ]; then
flags="flags S/SAFR"
fi
fi
if [ -n "$6" ]; then
raw_port="$6"
port="port $6"
fi
addr="$4"
mask="$5"
case "$4" in
::ffff:*.*.*.*)
if [ "$5" = 128 ]; then
mask=32
addr=${4#::ffff:}
fi;;
esac
if [ "$pf" = "pf" ]; then
for anchor in $(/sbin/pfctl -s Anchors 2> /dev/null); do
if [ "$anchor" = "blacklistd" ]; then
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
echo "@ WARNING: rename the blacklist anchor to blocklist @" >&2
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
fi
done
fi
if [ "$pf" = "ipfilter" ]; then
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
echo "@ WARNING: blacklist has been renamed to blocklist @" >&2
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
fi
case "$1" in
add)
case "$pf" in
ipfilter)
# N.B.: If you reload /etc/ipf.conf then you need to stop and
# restart blacklistd (and make sure blacklistd_flags="-r").
# This should normally already be implemented in
# /etc/rc.d/ipfilter, but if then not add the following lines to
# the end of the ipfilter_reload() function:
#
# if checkyesnox blacklistd; then
# /etc/rc.d/blacklistd restart
# fi
#
# XXX we assume the following rule is present in /etc/ipf.conf:
# (should we check? -- it probably cannot be added dynamically)
#
# block in proto tcp/udp from any to any head blacklistd
#
# where "blacklistd" is the default rulename (i.e. "$2")
#
# This rule can come before any rule that logs connections,
# etc., and should be followed by final rules such as:
#
# # log all as-yet unblocked incoming TCP connection
# # attempts
# log in proto tcp from any to any flags S/SAFR
# # last "pass" match wins for all non-blocked packets
# pass in all
# pass out all
#
# I.e. a "pass" rule which will be the final match and override
# the "block". This way the rules added by blacklistd will
# actually block packets, and prevent logging of them as
# connections, because they include the "quick" flag.
#
# N.b.: $port is not included/used in rules -- abusers are cut
# off completely from all services!
#
# Note RST packets are not returned for blocked SYN packets of
# active attacks, so the port will not appear to be closed.
# This will probably give away the fact that a firewall has been
# triggered to block connections, but it prevents generating
# extra outbound traffic, and it may also slow down the attacker
# somewhat.
#
# Note also that we don't block all packets, just new attempts
# to open connections (see $flags above). This allows us to do
# counterespionage against the attacker (or continue to make use
# of any other services that might be on the same subnet as the
# supposed attacker). However it does not kill any active
# connections -- we rely on the reporting daemon to do its own
# protection and cleanup.
#
# N.B.: The rule generated here must exactly match the
# corresponding rule generated for the "rem" command below!
#
echo block in log quick $proto \
from $addr/$mask to any $flags group $2 | \
/sbin/ipf -A -f - >/dev/null 2>&1 && echo OK
;;
ipfw)
# use $ipfw_offset+$port for rule number
rule=$(($ipfw_offset + $6))
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
# if rule number $rule does not already exist, create it
/sbin/ipfw show $rule >/dev/null 2>&1 || \
/sbin/ipfw add $rule drop $3 from \
table"("$tname")" to any dst-port $6 >/dev/null && \
echo OK
;;
iptables)
if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then
/sbin/iptables --new-chain "$2"
fi
/sbin/iptables --append INPUT --proto "$raw_proto" \
--dport "$raw_port" --jump "$2"
/sbin/iptables --append "$2" --proto "$raw_proto" \
--source "$addr/$mask" --dport "$raw_port" --jump DROP
echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
"$addr/$mask" to any $port
;;
pf)
# if the filtering rule does not exist, create it
/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
grep -q "<port$6>" || \
echo "block in quick $proto from <port$6> to any $port" | \
/sbin/pfctl -a "$2/$6" -f -
# insert $ip/$mask into per-protocol/port anchored table
/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
/sbin/pfctl -qk "$addr" && echo OK
;;
esac
;;
rem)
case "$pf" in
ipfilter)
# N.B.: The rule generated here must exactly match the
# corresponding rule generated for the "add" command above!
#
echo block in log quick $proto \
from $addr/$mask to any $flags group $2 | \
/sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
;;
ipfw)
/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
echo OK
;;
iptables)
if /sbin/iptables --list "$2" >/dev/null 2>&1; then
/sbin/iptables --delete "$2" --proto "$raw_proto" \
--source "$addr/$mask" --dport "$raw_port" \
--jump DROP
fi
echo OK
;;
npf)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
echo OK
;;
esac
;;
flush)
case "$pf" in
ipfilter)
#
# N.B. WARNING: This is obviously not reentrant!
#
# First we flush all the rules from the inactive set, then we
# reload the ones that do not belong to the group "$2", and
# finally we swap the active and inactive rule sets.
#
/sbin/ipf -I -F a
#
# "ipf -I -F a" also flushes active accounting rules!
#
# Note that accounting rule groups are unique to accounting
# rules and have nothing to do with filter rules, though of
# course theoretically one could use the same group name for
# them too.
#
# In theory anyone using any such accounting rules should have a
# wrapper /etc/rc.conf.d/blacklistd script (and corresponding
# /etc/rc.conf.d/ipfilter script) that will record and
# consolidate the values accumulated by such accounting rules
# before they are flushed, since otherwise their counts will be
# lost forever.
#
/usr/sbin/ipfstat -io | fgrep -v "group $2" | \
/sbin/ipf -I -f - >/dev/null 2>&1
#
# This MUST be done last and separately as "-s" is executed
# _while_ the command arguments are being processed!
#
/sbin/ipf -s && echo OK
;;
ipfw)
/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
;;
iptables)
if /sbin/iptables --list "$2" >/dev/null 2>&1; then
/sbin/iptables --flush "$2"
fi
echo OK
;;
npf)
/sbin/npfctl rule "$2" flush
;;
pf)
# dynamically determine which anchors exist
for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do
/sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 2> /dev/null
/sbin/pfctl -a "$anchor" -F rules 2> /dev/null
done
echo OK
;;
esac
;;
*)
echo "$0: Unknown command '$1'" 1>&2
exit 1
;;
esac