Closed ToeiRei closed 1 year ago
Hi!
Yes, the firewall bouncer cleans up the tables when the service stops, unless there is a bad crash (kill -9). It does the same on linux with iptables or nftables. If you use custom rules you need the bouncer to run.
You see a different behavior on the blocklist mirror because the data is handed off to pfBlockerNG which is then responsible for updates and removal.
I'll try to make it clear in the documentation, thanks!
I do not run pfBlocker or anything - just the pfSense package. And without the bouncer active, lists stay empty.
Oh sorry, when you said "my blocklist-mirror", I thought you connected it to pfBlocker.
I understand you have custom rules, you disabled the ones created by pfSense-pkg-crowdsec, and that's ok.
So your custom rules apply to the IPs listed in crowdsec(6)_blacklists, and these are maintained by the firewall bouncer. It's the only crowdsec component that knows about pf aliases, and it's its only duty.
Let me know if I misunderstood anything.
My blocklist mirror is the cs-blocklist-mirror from my installation that I still keep and am able to compare to the pfSense package blocklist aliases.
The components are
crowdsec -> bouncer -> alias table -> rules
You can replace the rules but the data has to come from somewhere, and it's the bouncer. The bouncer doesn't know anything about rules, it just fills the IP tables.
If you could tell me what was the original issue (syntax error in /tmp/rules.test.packages as mentioned by https://github.com/crowdsecurity/pfSense-pkg-crowdsec/issues/55 ) I could fix it.
You also say "I added the bouncer to an interface not connected" -- again, it's the rules that are applied to interfaces, the bouncer only knows about alias tables.
I can show you the problem as I showed it to jack on discord. Feel free to ping me.
Hi,
I'm sorry for the delay, can you see if your problem is solved with this version?
You need to install the four packages, check settings and apply:
https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/tag/v0.0.4
If you still have the issue we'll have a look, thanks.
Now, this table is created by the plugin and filled by the remediation component. Even if you don't use the default rules (which should not give you a syntax error anymore) you need the bouncer running. Does it work, or is there a reason you cannot use it?
I'm using it now and disabled the rules. Much better now, as I run different rules just using the blocklist as needed.
I tested and verified:
As soon as you have the bouncer turned off, the aliases crowdsec(6)_blacklists are empty. As soon as you turn the bouncer on again, they are filled with the proper lists (I compared against my blocklist-mirror).
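A small health check for the behaviour confirmed above (the pf alias tables are only populated while the firewall bouncer runs), added here as an example and not code from this thread or from the pfSense-pkg-crowdsec project. It assumes pfctl(8) is on PATH on the pfSense host and uses the table names crowdsec_blacklists and crowdsec6_blacklists mentioned in the thread.

```shell
#!/bin/sh
# Added example: verify that the pf tables maintained by the CrowdSec firewall
# bouncer actually contain entries. Empty tables mean the bouncer is stopped
# (or has not synced yet), so custom rules referencing them block nothing.

# count_entries TEXT: count address/prefix lines in `pfctl -t <table> -T show`
# output (one entry per line, indented). Prints 0 for empty input.
count_entries() {
    printf '%s\n' "$1" \
        | sed 's/^[[:space:]]*//' \
        | grep -Ec '^[0-9a-fA-F:.]+(/[0-9]+)?$' || true
}

# table_status TABLE: print "TABLE ok N" or "TABLE empty 0"; returns 1 if empty.
table_status() {
    out=$(pfctl -t "$1" -T show 2>/dev/null) || out=""
    n=$(count_entries "$out")
    if [ "$n" -gt 0 ]; then
        echo "$1 ok $n"
    else
        echo "$1 empty 0"
        return 1
    fi
}

# check_tables TABLE...: report every table; returns 1 if any table is empty.
check_tables() {
    rc=0
    for t in "$@"; do
        table_status "$t" || rc=1
    done
    return $rc
}

if command -v pfctl >/dev/null 2>&1; then
    check_tables crowdsec_blacklists crowdsec6_blacklists \
        || echo "at least one table is empty: is the firewall bouncer running?" >&2
else
    echo "pfctl not found: run this on the pfSense host" >&2
fi
```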