crowdsecurity / pfSense-pkg-crowdsec


Alias list empty when Remediation component is inactive #57

Closed ToeiRei closed 1 year ago

ToeiRei commented 1 year ago

I tested and verified:

As soon as you have the bouncer turned off, the aliases crowdsec(6)_blacklists are empty. As soon as you turn the bouncer on again, they're filled with the proper lists (I compared against my blocklist mirror).

mmetc commented 1 year ago

Hi!

Yes, the firewall bouncer cleans up the tables when the service stops, unless there is a bad crash (kill -9). It does the same on Linux with iptables or nftables. If you use custom rules you need the bouncer to run.

You see a different behavior on the blocklist mirror because the data is handed off to pfBlockerNG, which is then responsible for updates and removal.

I'll try to make it clear in the documentation, thanks!

ToeiRei commented 1 year ago

I do not run pfBlocker or anything - just the pfSense package. And without the bouncer active, lists stay empty.

mmetc commented 1 year ago

Oh sorry, when you said "my blocklist-mirror", I thought you connected it to pfBlocker.

I understand you have custom rules, you disabled the ones created by pfSense-pkg-crowdsec, and that's ok.

So your custom rules apply to the IPs listed in crowdsec(6)_blacklists, and these are maintained by the firewall bouncer. It's the only crowdsec component that knows about pf aliases, and it's its only duty.

Let me know if I misunderstood anything.

ToeiRei commented 1 year ago

My blocklist mirror is the cs-blocklist-mirror from my installation that I still keep and am able to compare to the pfSense package blocklist aliases.

mmetc commented 1 year ago

The components are

crowdsec -> bouncer -> alias table -> rules

You can replace the rules but the data has to come from somewhere, and it's the bouncer. The bouncer doesn't know anything about rules, it just fills the IP tables.

If you could tell me what was the original issue (syntax error in /tmp/rules.test.packages as mentioned by https://github.com/crowdsecurity/pfSense-pkg-crowdsec/issues/55 ) I could fix it.

You also say "I added the bouncer to an interface not connected" -- again, it's the rules that are applied to interfaces, the bouncer only knows about alias tables.

ToeiRei commented 1 year ago

I can show you the problem as I showed it to jack on discord. Feel free to ping me.

mmetc commented 1 year ago

Hi,

I'm sorry for the delay, can you see if your problem is solved with this version?

You need to install the four packages, check the settings and apply.

https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/tag/v0.0.4

If you still have the issue we'll have a look, thanks.

ToeiRei commented 1 year ago

[screenshot attachment]

mmetc commented 1 year ago

Now, this table is created by the plugin and filled by the remediation component. Even if you don't use the default rules (which should not give you a syntax error anymore), you need the bouncer running. Does it work, or is there a reason you cannot use it?

ToeiRei commented 1 year ago

I'm using it now and disabled the rules. Much better now, as I run different rules just using the blocklist as needed.
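A health check for the behaviour described in this thread (the firewall bouncer fills the crowdsec_blacklists and crowdsec6_blacklists pf tables and flushes them when it stops, so custom rules referencing those aliases silently match nothing while the bouncer is down). This is an added example, not code from the project or from anyone in the thread; the rc service name in BOUNCER_SERVICE is an assumption to adjust for your install, and the table listing it parses is the output of `pfctl -t <table> -T show`.

```shell
#!/bin/sh
# Verify that the pf alias tables maintained by the CrowdSec firewall bouncer
# are populated, and distinguish "empty because the bouncer is stopped"
# (expected, it flushes on stop) from "empty while the bouncer runs" (a fault).
TABLES="crowdsec_blacklists crowdsec6_blacklists"
BOUNCER_SERVICE="${BOUNCER_SERVICE:-crowdsec_firewall}"   # assumption: rc.d script name

# count_addrs: count address/CIDR entries in `pfctl -t <table> -T show` output.
# pfctl prints one entry per line, indented by whitespace.
count_addrs() {
    printf '%s\n' "$1" \
        | grep -Ec '^[[:space:]]*[0-9a-fA-F.:]+(/[0-9]+)?[[:space:]]*$' || true
}

# table_status <count> <bouncer-running yes|no>
# Prints: ok | empty-bouncer-stopped | empty-bouncer-running
table_status() {
    count=$1; running=$2
    if [ "$count" -gt 0 ]; then
        echo ok
    elif [ "$running" = yes ]; then
        echo empty-bouncer-running   # bouncer up but tables empty: investigate
    else
        echo empty-bouncer-stopped   # expected: bouncer cleans tables on stop
    fi
}

# check_all: run the check on a live pfSense box; exit status 1 on any problem.
check_all() {
    running=no
    if service "$BOUNCER_SERVICE" status >/dev/null 2>&1; then running=yes; fi
    rc=0
    for t in $TABLES; do
        out=$(pfctl -t "$t" -T show 2>/dev/null)
        n=$(count_addrs "$out")
        st=$(table_status "$n" "$running")
        echo "$t: $n entries ($st)"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Invoke as `sh check_crowdsec_tables.sh run` on the firewall (e.g. from cron).
if [ "${1:-}" = run ]; then
    check_all
fi
```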