firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

firehol_webserver.netset blocks nodejs for updating on Debian 8 #9

Closed azeemism closed 8 years ago

azeemism commented 8 years ago

Issue:

Hit http://security.debian.org jessie/updates InRelease
Ign http://ftp.us.debian.org jessie InRelease
Hit http://ftp.us.debian.org jessie-updates InRelease
Hit http://security.debian.org stretch/updates InRelease
Hit http://packages.dotdeb.org jessie InRelease
Hit http://dl.hhvm.com jessie InRelease
Hit http://mariadb.mirror.rafal.ca jessie InRelease
Hit http://apt.postgresql.org jessie-pgdg InRelease
Hit http://ftp.us.debian.org jessie-backports InRelease
Hit http://security.debian.org jessie/updates/main Sources
Hit http://ftp.us.debian.org stretch InRelease
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/contrib Sources
Hit http://security.debian.org jessie/updates/non-free Sources
Hit http://ftp.us.debian.org jessie-updates/main Sources
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/contrib amd64 Packages
Hit http://ftp.us.debian.org jessie-updates/contrib Sources
Hit http://security.debian.org jessie/updates/non-free amd64 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie-updates/non-free Sources
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://dl.hhvm.com jessie/main amd64 Packages
Hit http://security.debian.org stretch/updates/main Sources
Get:1 http://ftp.us.debian.org jessie-updates/main amd64 Packages/DiffIndex [3,472 B]
Hit http://security.debian.org stretch/updates/contrib Sources
Hit http://mariadb.mirror.rafal.ca jessie/main Sources
Hit http://security.debian.org stretch/updates/non-free Sources
Hit http://packages.dotdeb.org jessie/all Sources
Hit http://mariadb.mirror.rafal.ca jessie/main amd64 Packages
Ign https://deb.nodesource.com jessie InRelease
Hit http://security.debian.org stretch/updates/main amd64 Packages
Hit http://ftp.us.debian.org jessie-updates/contrib amd64 Packages
Hit http://security.debian.org stretch/updates/contrib amd64 Packages
Hit http://mariadb.mirror.rafal.ca jessie/main i386 Packages
Hit http://security.debian.org stretch/updates/non-free amd64 Packages
Get:2 http://ftp.us.debian.org jessie-updates/non-free amd64 Packages/DiffIndex [736 B]
Hit http://packages.dotdeb.org jessie/all amd64 Packages
Hit http://security.debian.org stretch/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie-updates/contrib Translation-en
Hit http://security.debian.org stretch/updates/main Translation-en
Hit http://apt.postgresql.org jessie-pgdg/main amd64 Packages
Hit http://security.debian.org stretch/updates/non-free Translation-en
Get:3 http://ftp.us.debian.org jessie-updates/main Translation-en/DiffIndex [1,720 B]
Get:4 http://ftp.us.debian.org jessie-updates/non-free Translation-en/DiffIndex [736 B]
Hit http://ftp.us.debian.org jessie Release
Ign http://dl.hhvm.com jessie/main Translation-en_US
Ign http://dl.hhvm.com jessie/main Translation-en
Get:5 http://ftp.us.debian.org jessie-backports/main Sources/DiffIndex [27.8 kB]
Get:6 http://ftp.us.debian.org jessie-backports/contrib Sources/DiffIndex [13.3 kB]
Ign http://mariadb.mirror.rafal.ca jessie/main Translation-en_US
Ign http://mariadb.mirror.rafal.ca jessie/main Translation-en
Get:7 http://ftp.us.debian.org jessie-backports/non-free Sources/DiffIndex [6,760 B]
Get:8 http://ftp.us.debian.org jessie-backports/main amd64 Packages/DiffIndex [27.8 kB]
Ign https://deb.nodesource.com jessie Release.gpg
Get:9 http://ftp.us.debian.org jessie-backports/contrib amd64 Packages/DiffIndex [8,512 B]
Get:10 http://ftp.us.debian.org jessie-backports/non-free amd64 Packages/DiffIndex [6,622 B]
Ign http://packages.dotdeb.org jessie/all Translation-en_US
Ign http://packages.dotdeb.org jessie/all Translation-en
Get:11 http://ftp.us.debian.org jessie-backports/contrib Translation-en/DiffIndex [3,532 B]
Get:12 http://ftp.us.debian.org jessie-backports/main Translation-en/DiffIndex [27.8 kB]
Get:13 http://ftp.us.debian.org jessie-backports/non-free Translation-en/DiffIndex [6,346 B]
Get:14 http://ftp.us.debian.org stretch/main Sources/DiffIndex [27.9 kB]
Get:15 http://ftp.us.debian.org stretch/non-free Sources/DiffIndex [27.8 kB]
Get:16 http://ftp.us.debian.org stretch/contrib Sources/DiffIndex [27.8 kB]
Get:17 http://ftp.us.debian.org stretch/main amd64 Packages/DiffIndex [27.9 kB]
Get:18 http://ftp.us.debian.org stretch/non-free amd64 Packages/DiffIndex [27.8 kB]
Get:19 http://ftp.us.debian.org stretch/contrib amd64 Packages/DiffIndex [27.8 kB]
Ign https://deb.nodesource.com jessie Release
Get:20 http://ftp.us.debian.org stretch/contrib Translation-en/DiffIndex [23.9 kB]
Get:21 http://ftp.us.debian.org stretch/main Translation-en/DiffIndex [27.9 kB]
Get:22 http://ftp.us.debian.org stretch/non-free Translation-en/DiffIndex [27.8 kB]
Hit http://ftp.us.debian.org jessie/main Sources
Hit http://ftp.us.debian.org jessie/non-free Sources
Hit http://ftp.us.debian.org jessie/contrib Sources
Hit http://ftp.us.debian.org jessie/main amd64 Packages
Hit http://ftp.us.debian.org jessie/non-free amd64 Packages
Hit http://ftp.us.debian.org jessie/contrib amd64 Packages
Hit http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://apt.postgresql.org jessie-pgdg/main Translation-en_US
Ign http://apt.postgresql.org jessie-pgdg/main Translation-en
Hit http://ftp.us.debian.org jessie/main Translation-en
Hit http://ftp.us.debian.org jessie/non-free Translation-en
Ign https://deb.nodesource.com jessie/main Sources/DiffIndex
Ign https://deb.nodesource.com jessie/main amd64 Packages/DiffIndex
Ign https://deb.nodesource.com jessie/main Translation-en_US
Ign https://deb.nodesource.com jessie/main Translation-en
Err https://deb.nodesource.com jessie/main Sources
  Failed to connect to deb.nodesource.com port 443: No route to host
Err https://deb.nodesource.com jessie/main amd64 Packages
  Failed to connect to deb.nodesource.com port 443: No route to host
Fetched 382 kB in 26s (14.6 kB/s)
W: Failed to fetch https://deb.nodesource.com/node_0.12/dists/jessie/main/source/Sources  Failed to connect to deb.nodesource.com port 443: No route to host

W: Failed to fetch https://deb.nodesource.com/node_0.12/dists/jessie/main/binary-amd64/Packages  Failed to connect to deb.nodesource.com port 443: No route to host

E: Some index files failed to download. They have been ignored, or old ones used instead.

firehol.conf relevant settings:

    # subnets - netsets
    for x in fullbogons bogons dshield spamhaus_drop spamhaus_edrop \
        firehol_abusers_1d firehol_abusers_30d \
        firehol_level1 firehol_level2 firehol_level3 \
        firehol_level4 \
        firehol_webserver
    do
        ipset4 create  ${x} hash:net
        ipset4 addfile ${x} ipsets/${x}.netset
        blacklist4 full inface "${world}" log "BLACKLIST ${x^^}" ipset:${x} \
            except src ipset:whitelist
    done

/etc/apt/sources.list.d/nodesource.list

deb https://deb.nodesource.com/node_0.12 jessie main
deb-src https://deb.nodesource.com/node_0.12 jessie main

When firehol_webserver is removed, apt-get update works correctly as follows:

Hit http://mariadb.mirror.rafal.ca jessie InRelease
Ign http://ftp.us.debian.org jessie InRelease
Hit http://ftp.us.debian.org jessie-updates InRelease
Hit http://packages.dotdeb.org jessie InRelease
Hit http://dl.hhvm.com jessie InRelease
Hit http://security.debian.org jessie/updates InRelease
Hit http://ftp.us.debian.org jessie-backports InRelease
Hit http://apt.postgresql.org jessie-pgdg InRelease
Hit https://deb.nodesource.com jessie InRelease
Hit http://security.debian.org stretch/updates InRelease
Hit http://ftp.us.debian.org stretch InRelease
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie-updates/contrib Sources
Hit http://mariadb.mirror.rafal.ca jessie/main Sources
Hit http://mariadb.mirror.rafal.ca jessie/main amd64 Packages
Hit http://mariadb.mirror.rafal.ca jessie/main i386 Packages
Get:1 http://ftp.us.debian.org jessie-updates/main amd64 Packages/DiffIndex [3,472 B]
Hit http://dl.hhvm.com jessie/main amd64 Packages
Hit http://security.debian.org jessie/updates/non-free Sources
Hit https://deb.nodesource.com jessie/main Sources
Hit https://deb.nodesource.com jessie/main amd64 Packages
Hit http://ftp.us.debian.org jessie-updates/contrib amd64 Packages
Get:2 https://deb.nodesource.com jessie/main Translation-en_US [162 B]
Get:3 https://deb.nodesource.com jessie/main Translation-en [162 B]
Get:4 http://ftp.us.debian.org jessie-updates/non-free amd64 Packages/DiffIndex [736 B]
Get:5 https://deb.nodesource.com jessie/main Translation-en_US [162 B]
Hit http://security.debian.org jessie/updates/non-free amd64 Packages
Get:6 https://deb.nodesource.com jessie/main Translation-en [162 B]
Hit http://packages.dotdeb.org jessie/all Sources
Get:7 https://deb.nodesource.com jessie/main Translation-en_US [162 B]
Hit http://ftp.us.debian.org jessie-updates/contrib Translation-en
Get:8 https://deb.nodesource.com jessie/main Translation-en [162 B]
Hit http://apt.postgresql.org jessie-pgdg/main amd64 Packages
Get:9 https://deb.nodesource.com jessie/main Translation-en_US [162 B]
Get:10 https://deb.nodesource.com jessie/main Translation-en [162 B]
Get:11 http://ftp.us.debian.org jessie-updates/main Translation-en/DiffIndex [1,720 B]
Hit http://packages.dotdeb.org jessie/all amd64 Packages
Get:12 https://deb.nodesource.com jessie/main Translation-en_US [162 B]
Ign https://deb.nodesource.com jessie/main Translation-en_US
Get:13 https://deb.nodesource.com jessie/main Translation-en [162 B]
Ign https://deb.nodesource.com jessie/main Translation-en
Hit http://security.debian.org jessie/updates/non-free Translation-en
Ign http://dl.hhvm.com jessie/main Translation-en_US
Get:14 http://ftp.us.debian.org jessie-updates/non-free Translation-en/DiffIndex [736 B]
Ign http://mariadb.mirror.rafal.ca jessie/main Translation-en_US
Hit http://security.debian.org jessie/updates/main Sources
Ign http://dl.hhvm.com jessie/main Translation-en
Hit http://ftp.us.debian.org jessie Release
Ign http://mariadb.mirror.rafal.ca jessie/main Translation-en
Hit http://security.debian.org jessie/updates/contrib Sources
Hit http://ftp.us.debian.org jessie-updates/main Sources
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://ftp.us.debian.org jessie-updates/non-free Sources
Hit http://security.debian.org stretch/updates/main Sources
Get:15 http://ftp.us.debian.org jessie-backports/main Sources/DiffIndex [27.8 kB]
Hit http://security.debian.org stretch/updates/contrib Sources
Ign http://apt.postgresql.org jessie-pgdg/main Translation-en_US
Hit http://security.debian.org stretch/updates/non-free Sources
Ign http://apt.postgresql.org jessie-pgdg/main Translation-en
Hit http://security.debian.org stretch/updates/main amd64 Packages
Get:16 http://ftp.us.debian.org jessie-backports/contrib Sources/DiffIndex [13.3 kB]
Hit http://security.debian.org stretch/updates/contrib amd64 Packages
Hit http://security.debian.org stretch/updates/non-free amd64 Packages
Hit http://security.debian.org stretch/updates/contrib Translation-en
Ign http://packages.dotdeb.org jessie/all Translation-en_US
Get:17 http://ftp.us.debian.org jessie-backports/non-free Sources/DiffIndex [6,760 B]
Hit http://security.debian.org stretch/updates/main Translation-en
Get:18 http://ftp.us.debian.org jessie-backports/main amd64 Packages/DiffIndex [27.8 kB]
Hit http://security.debian.org stretch/updates/non-free Translation-en
Ign http://packages.dotdeb.org jessie/all Translation-en
Hit http://security.debian.org jessie/updates/contrib amd64 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Get:19 http://ftp.us.debian.org jessie-backports/contrib amd64 Packages/DiffIndex [8,512 B]
Hit http://security.debian.org jessie/updates/main Translation-en
Get:20 http://ftp.us.debian.org jessie-backports/non-free amd64 Packages/DiffIndex [6,622 B]
Get:21 http://ftp.us.debian.org jessie-backports/contrib Translation-en/DiffIndex [3,532 B]
Get:22 http://ftp.us.debian.org jessie-backports/main Translation-en/DiffIndex [27.8 kB]
Get:23 http://ftp.us.debian.org jessie-backports/non-free Translation-en/DiffIndex [6,346 B]
Get:24 http://ftp.us.debian.org stretch/main Sources/DiffIndex [27.9 kB]
Get:25 http://ftp.us.debian.org stretch/non-free Sources/DiffIndex [27.8 kB]
Get:26 http://ftp.us.debian.org stretch/contrib Sources/DiffIndex [27.8 kB]
Get:27 http://ftp.us.debian.org stretch/main amd64 Packages/DiffIndex [27.9 kB]
Get:28 http://ftp.us.debian.org stretch/non-free amd64 Packages/DiffIndex [27.8 kB]
Get:29 http://ftp.us.debian.org stretch/contrib amd64 Packages/DiffIndex [27.8 kB]
Get:30 http://ftp.us.debian.org stretch/contrib Translation-en/DiffIndex [23.9 kB]
Get:31 http://ftp.us.debian.org stretch/main Translation-en/DiffIndex [27.9 kB]
Get:32 http://ftp.us.debian.org stretch/non-free Translation-en/DiffIndex [27.8 kB]
Hit http://ftp.us.debian.org jessie/main Sources
Hit http://ftp.us.debian.org jessie/non-free Sources
Hit http://ftp.us.debian.org jessie/contrib Sources
Hit http://ftp.us.debian.org jessie/main amd64 Packages
Hit http://ftp.us.debian.org jessie/non-free amd64 Packages
Hit http://ftp.us.debian.org jessie/contrib amd64 Packages
Hit http://ftp.us.debian.org jessie/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main Translation-en
Hit http://ftp.us.debian.org jessie/non-free Translation-en
Fetched 382 kB in 7s (49.0 kB/s)
Reading package lists... Done

azeemism commented 8 years ago

Looks like the culprit is pushing_inertia_blocklist.netset

The following work fine:

maxmind_proxy_fraud.ipset
myip.ipset 
stopforumspam_toxic.netset

ktsaou commented 8 years ago

Looks like the culprit is pushing_inertia_blocklist.netset

firehol_webserver is optimized to protect your servers. It blocks many IPs that should never need to access your services. So use it only on your inbound traffic for your public ports.

azeemism commented 8 years ago

Thanks for your reply. I have been trying to figure out how exactly to set up firehol_webserver to screen inbound traffic on public ports, but am failing at it so far. After looking at the documentation again to piece together possible near examples, I was certain that one of the following would work:

for x in firehol_webserver pushing_inertia_blocklist
    #fullbogons bogons
do
    ipset4 create  ${x} hash:net
    ipset4 addfile ${x} ipsets/${x}.netset
    blacklist4 full log "BLACKLIST ${x^^}" ipset:${x} \
        inface "${PUBLIC_DEVS}" src not "${UNROUTABLE_IPS} 1.2.3.4/29 " \
        except src ipset:whitelist
done

or

for x in firehol_webserver pushing_inertia_blocklist
    #fullbogons bogons
do
    ipset4 create  ${x} hash:net
    ipset4 addfile ${x} ipsets/${x}.netset
    blacklist4 full inface "${PUBLIC_DEVS}" dst "${PUBLIC_IPS}" log "BLACKLIST ${x^^}" ipset:${x} \
        except src ipset:whitelist
done

Either way I get an error (output below is using the first option):

root@svr1:/etc/firehol# firehol try
FireHOL: Saving active firewall to a temporary file...  OK
FireHOL: Processing file '/etc/firehol/firehol.conf'...  OK  (1700 iptables rules)

Your firewall is ready to be fast-activated...
If you don't continue, no changes will have been made to your firewall.
Activate the firewall? (just press enter to confirm or Control-C to stop) :

FireHOL: Activating ipsets...  OK
FireHOL: Fast activating new firewall...

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error CANNOT APPLY IN FAST MODE).
SOURCE  : FIN
COMMAND : /sbin/iptables-restore \</var/run/firehol/firehol-fdZFIMPdWI/firehol-out.sh.fast
OUTPUT  :

iptables-restore v1.4.21: host/network `not' not found
Error occurred at line: 326
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Offending line:
-A INPUT -i eth0 -s not -j BLACKLIST.bi.13.in

 FAILED

To get a more detailed report of the offending command,
you can quickly re-apply the same firewall with fast
activation disabled, like this:

/usr/sbin/firehol nofast try
root@svr1:/etc/firehol# firehol nofast try
FireHOL: Saving active firewall to a temporary file...  OK
FireHOL: Processing file '/etc/firehol/firehol.conf'...  OK  (1700 iptables rules)
FireHOL: Activating ipsets...  OK
FireHOL: Activating new firewall (1700 rules)...

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth0 -s not -j BLACKLIST.bi.13.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth1 -s not -j BLACKLIST.bi.13.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth0 -s not -j BLACKLIST.bi.13.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth1 -s not -j BLACKLIST.bi.13.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth0 -d not -j BLACKLIST.bi.13.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 6.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth1 -d not -j BLACKLIST.bi.13.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 7.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth0 -d not -j BLACKLIST.bi.13.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 8.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth1 -d not -j BLACKLIST.bi.13.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 9.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth0 -s not -j BLACKLIST.bi.14.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 10.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth1 -s not -j BLACKLIST.bi.14.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 11.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth0 -s not -j BLACKLIST.bi.14.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 12.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth1 -s not -j BLACKLIST.bi.14.in
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 13.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth0 -d not -j BLACKLIST.bi.14.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 14.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth1 -d not -j BLACKLIST.bi.14.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 15.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth0 -d not -j BLACKLIST.bi.14.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

--------------------------------------------------------------------------------
ERROR   : # 16.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth1 -d not -j BLACKLIST.bi.14.out
OUTPUT  :

iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.

 FAILED

FireHOL: Restoring old firewall...  OK

My configuration currently looks as follows and I am racking my head trying to figure out a simple solution.

# Public IPs
# space separated list i.e. "1.1.1.0/24 2.2.2.2 3.3.3.3"
PUBLIC_IPS="1.2.3.18 1.2.3.19 1.2.3.20 1.2.3.21"

# Public interfaces
PUBLIC_DEVS="eth0 eth1"

# Clear dmesg and kernel logs from internet noise (random packets) that firehol logs
# ulogd config file location: /etc/ulogd.conf
# NFLOG location: /var/log/ulog/syslogemu.log
# ULOG or NFLOG ignores FIREHOL_LOG_LEVEL - level at which events will be logged to syslog
FIREHOL_LOG_MODE=NFLOG

# ----------------------------------------------------
### whitelist
#
# https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY-and-traps
# https://firehol.org/firehol-manual/firehol-conf/  (VARIABLES: UNROUTABLE_IPS)
# https://github.com/firehol/blocklist-ipsets
#
ipset4 create whitelist hash:net
# not sure if UNROUTABLE_IPS should be added or if it is just for tarp or tarp with dynamic ips
# ipset4 add whitelist "${UNROUTABLE_IPS}"
ipset4 add whitelist 1.2.3.10  # DNS
ipset4 add whitelist 1.2.3.11  # DNS
ipset4 add whitelist 2.2.2.2  # Home
ipset4 add whitelist 3.3.3.3  # Store

# ----------------------------------------------------
# blocklist-ipsets blacklisting
#
# https://github.com/firehol/blocklist-ipsets
# https://github.com/firehol/blocklist-ipsets/issues/9
#
# subnets - netsets  (inbound & outbound traffic on public ports)
# Issue: https://github.com/firehol/blocklist-ipsets/issues/9
#
for x in fullbogons bogons dshield spamhaus_drop spamhaus_edrop \
    firehol_abusers_1d firehol_abusers_30d \
    firehol_level1 firehol_level2 firehol_level3 \
    firehol_level4 \
    stopforumspam_toxic
    #firehol_webserver pushing_inertia_blocklist
do
    ipset4 create  ${x} hash:net
    ipset4 addfile ${x} ipsets/${x}.netset
    blacklist4 full inface "${PUBLIC_DEVS}" log "BLACKLIST ${x^^}" ipset:${x} \
        except src ipset:whitelist
done

# ----------------------------------------------------
# Subnets - netsets (inbound traffic on public ports)
# ISSUE: https://github.com/firehol/blocklist-ipsets/issues/9
# NOTE: firehol_webserver is optimized to protect your servers. It blocks many
# IPs that should never need to access your services. So use it, only on your
# inbound traffic for your public ports. 
#
for x in firehol_webserver pushing_inertia_blocklist
    #fullbogons bogons
do
    ipset4 create  ${x} hash:net
    ipset4 addfile ${x} ipsets/${x}.netset
    blacklist4 full inface "${PUBLIC_DEVS}" dst "${PUBLIC_IPS}" log "BLACKLIST ${x^^}" ipset:${x} \
        except src ipset:whitelist
done

# ----------------------------------------------------
# Define Public Ports
#
# http://firehol.org/guides/firehol-welcome/
#
server_sshalt_ports="tcp/2222"
client_sshalt_ports="default"

# ----------------------------------------------------
# Grouped Public Services
#
# Web and Email Server Services
#
#
public_services="http https smtp smtps submission pop3 pop3s imap imaps"

admin_services="sshalt"

# ----------------------------------------------------
# IPv6 - Disable
#
# To add IPv6, read http://firehol.org/upgrade/#config-version-6
#
ipv6 interface "${PUBLIC_DEVS}" worldipv6
    client all deny  # deny and drop are synonyms, either can be used
    server all deny

# ----------------------------------------------------
# NETWORK18
#
# INFO: Processing interface 'eth0'
# INFO: Processing IP 1.2.3.18 of interface 'eth0'
# INFO: Is 1.2.3.18 part of network 1.2.3.16/29? yes
#
# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 1.2.3.18 (net: "1.2.3.16/29 ").
#       Remove 'dst 1.2.3.18' if this is dynamically assigned.
#
interface4 "${PUBLIC_DEVS}" NETWORK18 src "1.2.3.16/29 " dst 1.2.3.18

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy reject

    # If you don't trust the clients behind eth0 eth1 (net "1.2.3.16/29 "),
    # add something like this.
    # protection strong

    # Here are the services listening on eth0 eth1 .
    server "${public_services}" accept
    server ping accept

    # The following means that this machine can REQUEST anything via eth0 eth1 .
    #client all accept
    client "${public_services}" accept
    client "${admin_services}" accept
    client ping accept
    client ntp accept

# ----------------------------------------------------
# INTERNET18
#
# INFO: Is 1.2.3.17  part of network 1.2.3.16/29? yes
# INFO: Default gateway 1.2.3.17  is part of network 1.2.3.16/29

# Interface No 2.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 1.2.3.17 .
#       Remove 'dst 1.2.3.18' if this is dynamically assigned.
#
interface4 "${PUBLIC_DEVS}" INTERNET18 src not "${UNROUTABLE_IPS} 1.2.3.16/29 " dst 1.2.3.18

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind eth0 eth1 (net not "${UNROUTABLE_IPS} 1.2.3.16/29 "),
    #
    # https://firehol.org/firehol-manual/firehol-protection/
    #
    # Turn on packet and flood protections (except all-floods)
    # Overrides individual protection settings (see subheading below)
    # Best used for small traffic servers, also with conrate, conlimit
    # On busy web servers it is best to use bad-packet, conlimit, conrate
    #protection strong

        # setup individual protections

        # Drop fragments, new-tcp-w/o-syn, malformed-xmas, malformed-nul, malformed-bad
        protection bad-packets

        # Echo requests (Default may be 90/sec 40)
        # protection icmp-floods 90/sec 40

        # TCP new connection limit (Default may be 90/sec 40)
        # protection syn-floods 90/sec 40

    # Flood protection against ICMP echo requests, TCP connections, etc.
    # Example used 100 requests per sec with a burst of 50
    # May cause web pages not to load completely
    # As this covers all connections the setting must be very high.
    # Not sure how high to set this. Leave commented.
    # protection all-floods 200/sec 100

    # Limit all clients to 10 concurrent connections and 120 connections/minute
    # Default may be conlimit 10, conrate 60/minute
    protection connlimit 10
    protection connrate upto 120/minute

    # Here are the services listening on eth0 eth1 .
    server "${public_services}" accept

    # Block external servers from trying to ident back the client to find information about them
    # Such servers would need to time out before we accept their request
    # If a router is used, an internet2servers section with a similar line for route ... needs to be set up
    #
    # http://firehol.org/tutorial/firehol-new-user/
    #
    server ident reject with tcp-reset

    # The following means that this machine can REQUEST anything via eth0 eth1 .
    #client all accept
    client "${public_services}" accept
    client "${admin_services}" accept
    client ping accept
    client ntp accept

azeemism commented 8 years ago

Okay, I think I got it working. Now I understand what

If you are concerned about iptables performance, change the blacklist4 keyword full to input. 
This will block only inbound NEW connections, i.e. only the first packet for every NEW inbound
connection will be checked. All other traffic passes through unchecked.

means after reading https://firehol.org/firehol-manual/firehol-blacklist/ . Perhaps there is a direct link from firehol.org but I didn't find it initially; however, Google was helpful in searching the site.

Simply using the following looks like it works:

for x in firehol_webserver pushing_inertia_blocklist
    ##fullbogons bogons
do
    ipset4 create  ${x} hash:net
    ipset4 addfile ${x} ipsets/${x}.netset
    blacklist4 input inface "${PUBLIC_DEVS}" log "BLACKLIST ${x^^}" ipset:${x} \
        except src ipset:whitelist
done

I guess in some way I wanted to create a _stateless_ unidirectional connection using firehol_webserver to screen inbound traffic on my public ports. Is such a thing possible?

Thanks for all your efforts and wikis, FireHOL is a great program!


...Just set up SYNPROXY; now it's time to set up tarps. _Only thing that seems confusing is whether ipset4 add whitelist "${UNROUTABLE_IPS}" should always be added to the whitelist even when not using tarps?_

I find the variable confusing to wrap my head around after reading its description https://firehol.org/firehol-manual/firehol-conf/#VARIABLES-AVAILABLE

I see it in the example for static IP implementation https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY-and-traps#Implementation , so I will follow the guidance and add it to my whitelist.