Closed stephdl closed 2 months ago
QA
Install crowdsec ghcr.io/nethserver/crowdsec:1.0.7-dev.3
Now the test is really fun: we run the bouncer inside a container; however, the test must be done on Debian and Rocky 9.
As a side note, we do not remove the permanent rules of firewalld nor the deb and rpm of crowdsec-firewall-bouncer-iptables; we just stop and disable it.
test case 1
add-module ghcr.io/nethserver/crowdsec:1.0.7-dev.3
systemctl status crowdsec1 crowdsec1-firewall-bouncer
nft list set ip crowdsec crowdsec-blacklists
nft list set ip6 crowdsec6 crowdsec6-blacklists
cscli parsers remove crowdsecurity/whitelists
systemctl restart crowdsec1
cscli decisions list
cscli decisions delete -i xxx.xxx.xxx.xxx
systemctl restart firewalld && firewall-cmd --reload
test case 2
add-module ghcr.io/nethserver/crowdsec:1.0.6
api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/crowdsec:1.0.7-dev.3","instances":["crowdsec1"],"force":true}'
systemctl status crowdsec1 crowdsec1-firewall-bouncer
systemctl status crowdsec-firewall-bouncer
ipset -L
iptables -L
nft list set ip crowdsec crowdsec-blacklists
nft list set ip6 crowdsec6 crowdsec6-blacklists
cscli parsers remove crowdsecurity/whitelists
systemctl restart crowdsec1
cscli decisions list
cscli decisions delete -i xxx.xxx.xxx.xxx
systemctl restart firewalld && firewall-cmd --reload
Test case 1: OK
Test case 2: NOK
On a single Rocky node it works. On a Debian cluster node after a firewall-cmd --reload the rules aren't there anymore:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
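An added check, not from this thread or the NethServer module, for the test case 2 failure above: it parses `iptables -L` output for the bouncer's DROP rule in the INPUT chain and compares the state before and after `firewall-cmd --reload`. The sample outputs are constructed from the two captures in this thread; `check_reload_survives` assumes root on a host with iptables and firewalld.

```shell
#!/bin/sh
# Added example: detect whether the crowdsec firewall bouncer rule is present
# in `iptables -L` output and whether it survives a firewalld reload.

# has_bouncer_rule OUTPUT [SET_NAME]
# Returns 0 when the INPUT chain of OUTPUT contains a DROP rule matching the
# ipset/nft set SET_NAME (default: crowdsec-blacklists, as on this page).
has_bouncer_rule() {
    set_name="${2:-crowdsec-blacklists}"
    printf '%s\n' "$1" | awk -v set="$set_name" '
        /^Chain /                                             { in_input = ($2 == "INPUT") }
        in_input && $1 == "DROP" && /match-set/ && $0 ~ set " src" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check (root, iptables and firewalld required): capture the rule state,
# reload firewalld, capture again. Returns 1 when the rule is lost, which is
# the Debian cluster node behaviour reported above; 2 when it cannot be run.
check_reload_survives() {
    before="$(iptables -L 2>/dev/null)" || return 2
    has_bouncer_rule "$before" || { echo "bouncer rule absent before reload"; return 2; }
    firewall-cmd --reload >/dev/null || return 2
    after="$(iptables -L 2>/dev/null)"
    if has_bouncer_rule "$after"; then
        echo "OK: bouncer rule survived firewall-cmd --reload"; return 0
    else
        echo "LOST: bouncer rule missing after firewall-cmd --reload"; return 1
    fi
}

# Constructed sample outputs, modelled on the two captures quoted in the thread.
WITH_RULE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set crowdsec-blacklists src
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

WITHOUT_RULE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
```

For the IPv6 side, pass the `ip6tables -L` output and the set name `crowdsec6-blacklists` as the second argument.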
QA note
In some Debian installations (e.g. Digital Ocean hosting) the nft command is not installed.
apt install nftables
In testing crowdsec 1.0.7-dev.4
Test case
Repeat test cases 1 and 2. Notice that in the new testing version 1.0.7-dev.4:
- the cscli command was moved into the module environment. Invocation becomes for instance:
  runagent -m crowdsec1 cscli ...
- the bouncer service name is now crowdsec1-firewall-bouncer.service (notice the MODULE_ID is used as service name prefix)
on Rocky Linux:
On Debian:
Note for Debian: used a DO VPS so I needed to install the nftables tool.
VERIFIED
Verified additional fix, and test case https://community.nethserver.org/t/ns8-crowdsec-limited-domain-levels-in-allow-list/23301/7
Steps to reproduce
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set crowdsec-blacklists src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@R1-pve ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@R1-pve ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination