Closed azeemism closed 8 years ago
Looks like the culprit is pushing_inertia_blocklist.netset
The following work fine:
maxmind_proxy_fraud.ipset
myip.ipset
stopforumspam_toxic.netset
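Tracing a blocked host to the list that covers it, as done above by removing lists one at a time, can be done offline by checking the address against every .netset/.ipset file. This is an added shell example, not code from the issue or from FireHOL; the sample lists it writes are constructed from documentation ranges.

```shell
# Added example, not code from the issue or from FireHOL: find which blocklist
# file(s) cover a given IPv4 address, so a blocked host can be traced to one
# list instead of removing lists one at a time.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (a bare address means /32)
in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# netset_contains IP FILE -> prints each entry of FILE covering IP; exit 0 if any.
# FireHOL .netset/.ipset files carry a long '#' comment header, which is skipped.
netset_contains() {
    local ip=$1 file=$2 line found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if in_cidr "$ip" "$line"; then
            echo "$file: $line"
            found=0
        fi
    done < "$file"
    return $found
}

# find_culprits IP DIR -> checks every .netset/.ipset in DIR; exit 0 if any match
find_culprits() {
    local ip=$1 dir=$2 f hit=1
    for f in "$dir"/*.netset "$dir"/*.ipset; do
        [ -f "$f" ] || continue
        netset_contains "$ip" "$f" && hit=0
    done
    return $hit
}

# Constructed sample lists (documentation ranges, not real blocklist content).
SAMPLE_DIR=$(mktemp -d)
printf '# constructed sample list A\n203.0.113.0/24\n198.51.100.7\n' > "$SAMPLE_DIR/sample_a.netset"
printf '# constructed sample list B\n192.0.2.0/25\n' > "$SAMPLE_DIR/sample_b.netset"

find_culprits 203.0.113.77 "$SAMPLE_DIR" || echo "no list covers 203.0.113.77"
```

Point `find_culprits` at the directory the `ipset4 addfile` lines read from (here `ipsets/`) with the address of the host that could not be reached.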
Looks like the culprit is pushing_inertia_blocklist.netset
firehol_webserver is optimized to protect your servers. It blocks many IPs that should never need to access your services. So use it only on your inbound traffic for your public ports.
Thanks for your reply. I have been trying to figure out how exactly to set up firehol_webserver to screen inbound traffic on public ports, but am failing at it so far. After looking at the documentation again to piece together possible near examples, I was certain that one of the following would work:
for x in firehol_webserver pushing_inertia_blocklist
#fullbogons bogons
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 full log "BLACKLIST ${x^^}" ipset:${x} \
inface "${PUBLIC_DEVS}" src not "${UNROUTABLE_IPS} 1.2.3.4/29 " \
except src ipset:whitelist
done
or
for x in firehol_webserver pushing_inertia_blocklist
#fullbogons bogons
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 full inface "${PUBLIC_DEVS}" dst "${PUBLIC_IPS}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
Either way I get an error (output below is using the first option):
root@svr1:/etc/firehol# firehol try
FireHOL: Saving active firewall to a temporary file... OK
FireHOL: Processing file '/etc/firehol/firehol.conf'... OK (1700 iptables rules)
Your firewall is ready to be fast-activated...
If you don't continue, no changes will have been made to your firewall.
Activate the firewall? (just press enter to confirm or Control-C to stop) :
FireHOL: Activating ipsets... OK
FireHOL: Fast activating new firewall...
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error CANNOT APPLY IN FAST MODE).
SOURCE : FIN
COMMAND : /sbin/iptables-restore \</var/run/firehol/firehol-fdZFIMPdWI/firehol-out.sh.fast
OUTPUT :
iptables-restore v1.4.21: host/network `not' not found
Error occurred at line: 326
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Offending line:
-A INPUT -i eth0 -s not -j BLACKLIST.bi.13.in
FAILED
To get a more detailed report of the offending command,
you can quickly re-apply the same firewall with fast
activation disabled, like this:
/usr/sbin/firehol nofast try
root@svr1:/etc/firehol# firehol nofast try
FireHOL: Saving active firewall to a temporary file... OK
FireHOL: Processing file '/etc/firehol/firehol.conf'... OK (1700 iptables rules)
FireHOL: Activating ipsets... OK
FireHOL: Activating new firewall (1700 rules)...
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth0 -s not -j BLACKLIST.bi.13.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth1 -s not -j BLACKLIST.bi.13.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 3.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth0 -s not -j BLACKLIST.bi.13.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 4.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth1 -s not -j BLACKLIST.bi.13.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 5.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth0 -d not -j BLACKLIST.bi.13.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 6.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth1 -d not -j BLACKLIST.bi.13.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 7.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth0 -d not -j BLACKLIST.bi.13.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 8.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth1 -d not -j BLACKLIST.bi.13.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 9.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth0 -s not -j BLACKLIST.bi.14.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 10.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A INPUT -i eth1 -s not -j BLACKLIST.bi.14.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 11.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth0 -s not -j BLACKLIST.bi.14.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -i eth1 -s not -j BLACKLIST.bi.14.in
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 13.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth0 -d not -j BLACKLIST.bi.14.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 14.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A FORWARD -o eth1 -d not -j BLACKLIST.bi.14.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 15.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth0 -d not -j BLACKLIST.bi.14.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
--------------------------------------------------------------------------------
ERROR : # 16.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : 116@/etc/firehol/firehol.conf: blacklist4:
COMMAND : /sbin/iptables -t filter -A OUTPUT -o eth1 -d not -j BLACKLIST.bi.14.out
OUTPUT :
iptables v1.4.21: host/network `not' not found
Try `iptables -h' or 'iptables --help' for more information.
FAILED
FireHOL: Restoring old firewall... OK
My configuration currently looks as follows and I am racking my head trying to figure out a simple solution.
# Public IPs
# space separated list i.e. "1.1.1.0/24 2.2.2.2 3.3.3.3"
PUBLIC_IPS="1.2.3.18 1.2.3.19 1.2.3.20 1.2.3.21"
# Public interfaces
PUBLIC_DEVS="eth0 eth1"
# Clear dmesg and kernel logs from internet noise (random packets) that firehol logs
# ulogd config file location: /etc/ulogd.conf
# NFLOG location: /var/log/ulog/syslogemu.log
# ULOG or NFLOG ignores FIREHOL_LOG_LEVEL - level at which events will be logged to syslog
FIREHOL_LOG_MODE=NFLOG
# ----------------------------------------------------
### whitelist
#
# https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY-and-traps
# https://firehol.org/firehol-manual/firehol-conf/ (VARIABLES: UNROUTABLE_IPS)
# https://github.com/firehol/blocklist-ipsets
#
ipset4 create whitelist hash:net
# not sure if UNROUTABLE_IPS should be added or if it is just for tarp or tarp with dynamic ips
# ipset4 add whitelist "${UNROUTABLE_IPS}"
ipset4 add whitelist 1.2.3.10 # DNS
ipset4 add whitelist 1.2.3.11 # DNS
ipset4 add whitelist 2.2.2.2 # Home
ipset4 add whitelist 3.3.3.3 # Store
# ----------------------------------------------------
# blocklist-ipsets blacklisting
#
# https://github.com/firehol/blocklist-ipsets
# https://github.com/firehol/blocklist-ipsets/issues/9
#
# subnets - netsets (inbound & outbound traffic on public ports)
# Issue: https://github.com/firehol/blocklist-ipsets/issues/9
#
for x in fullbogons bogons dshield spamhaus_drop spamhaus_edrop \
firehol_abusers_1d firehol_abusers_30d \
firehol_level1 firehol_level2 firehol_level3 \
firehol_level4 \
stopforumspam_toxic
#firehol_webserver pushing_inertia_blocklist
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 full inface "${PUBLIC_DEVS}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
# ----------------------------------------------------
# Subnets - netsets (inbound traffic on public ports)
# ISSUE: https://github.com/firehol/blocklist-ipsets/issues/9
# NOTE: firehol_webserver is optimized to protect your servers. It blocks many
# IPs that should never need to access your services. So use it, only on your
# inbound traffic for your public ports.
#
for x in firehol_webserver pushing_inertia_blocklist
#fullbogons bogons
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 full inface "${PUBLIC_DEVS}" dst "${PUBLIC_IPS}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
# ----------------------------------------------------
# Define Public Ports
#
# http://firehol.org/guides/firehol-welcome/
#
server_sshalt_ports="tcp/2222"
client_sshalt_ports="default"
# ----------------------------------------------------
# Grouped Public Services
#
# Web and Email Server Services
#
#
public_services="http https smtp smtps submission pop3 pop3s imap imaps"
admin_services="sshalt"
# ----------------------------------------------------
# IPv6 - Disable
#
# To add IPv6, read http://firehol.org/upgrade/#config-version-6
#
ipv6 interface "${PUBLIC_DEVS}" worldipv6
client all deny # deny and drop are synonyms, either can be used
server all deny
# ----------------------------------------------------
# NETWORK18
#
# INFO: Processing interface 'eth0'
# INFO: Processing IP 1.2.3.18 of interface 'eth0'
# INFO: Is 1.2.3.18 part of network 1.2.3.16/29? yes
#
# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 1.2.3.18 (net: "1.2.3.16/29 ").
# Remove 'dst 1.2.3.18' if this is dynamically assigned.
#
interface4 "${PUBLIC_DEVS}" NETWORK18 src "1.2.3.16/29 " dst 1.2.3.18
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy reject
# If you don't trust the clients behind eth0 eth1 (net "1.2.3.16/29 "),
# add something like this.
# protection strong
# Here are the services listening on eth0 eth1 .
server "${public_services}" accept
server ping accept
# The following means that this machine can REQUEST anything via eth0 eth1 .
#client all accept
client "${public_services}" accept
client "${admin_services}" accept
client ping accept
client ntp accept
# ----------------------------------------------------
# INTERNET18
#
# INFO: Is 1.2.3.17 part of network 1.2.3.16/29? yes
# INFO: Default gateway 1.2.3.17 is part of network 1.2.3.16/29
# Interface No 2.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 1.2.3.17 .
# Remove 'dst 1.2.3.18' if this is dynamically assigned.
#
interface4 "${PUBLIC_DEVS}" INTERNET18 src not "${UNROUTABLE_IPS} 1.2.3.16/29 " dst 1.2.3.18
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
# If you don't trust the clients behind eth0 eth1 (net not "${UNROUTABLE_IPS} 1.2.3.16/29 "),
#
# https://firehol.org/firehol-manual/firehol-protection/
#
# Turn on packet and flood protections (except all-floods)
# Overrides individual protection settings (see subheading below)
# Best used for small traffic servers, also with conrate, conlimit
# On busy web servers best to use bad-packet, conlimit, conrate
#protection strong
# setup individual protections
# Drop fragments, new-tcp-w/o-syn, malformed-xmas, malformed-nul, malformed-bad
protection bad-packets
# Echo requests (Default may be 90/sec 40)
# protection icmp-floods 90/sec 40
# TCP new connection limit (Default may be 90/sec 40)
# protection syn-floods 90/sec 40
# Flood protection against ICMP echo requests, TCP connections, etc,
# Example used 100 requests per sec with a burst of 50
# May cause web pages not to load completely
# As this covers all connections the setting must be very high.
# Not sure how high to set this. Leave commented.
# protection all-floods 200/sec 100
# Limit all clients to 10 concurrent connections and 120 connections/minute
# Default may be conlimit 10, conrate 60/minute
protection connlimit 10
protection connrate upto 120/minute
# Here are the services listening on eth0 eth1 .
server "${public_services}" accept
# Block external servers from trying to ident back the client to find information about them
# Such servers would need to time out before we accept their request
# If a router is used, need to set up an internet2servers section with a similar line for route ...
#
# http://firehol.org/tutorial/firehol-new-user/
#
server ident reject with tcp-reset
# The following means that this machine can REQUEST anything via eth0 eth1 .
#client all accept
client "${public_services}" accept
client "${admin_services}" accept
client ping accept
client ntp accept
Okay, I think I got it working. Now I understand what
If you are concerned about iptables performance, change the blacklist4 keyword full to input.
This will block only inbound NEW connections, i.e. only the first packet for every NEW inbound
connection will be checked. All other traffic passes through unchecked.
means after reading https://firehol.org/firehol-manual/firehol-blacklist/ . Perhaps there is a direct link from firehol.org but I didn't find it initially; however, Google was helpful in searching the site.
Simply using the following looks like it works:
for x in firehol_webserver pushing_inertia_blocklist
##fullbogons bogons
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 input inface "${PUBLIC_DEVS}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
I guess in some way I wanted to create a _stateless_ unidirectional connection using firehol_webserver
to screen inbound traffic on my public ports. Is such a thing possible?
Thanks for all your efforts and wikis, FireHOL is a great program!
...Just set up SYNPROXY; now it's time to set up tarps. _Only thing that seems confusing is whether ipset4 add whitelist "${UNROUTABLE_IPS}"
should always be added to the whitelist even when not using tarps?_
I find the variable confusing to wrap my head around after reading its description https://firehol.org/firehol-manual/firehol-conf/#VARIABLES-AVAILABLE
I see it in the example for static IP implementation https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY-and-traps#Implementation , so I will follow the guidance and add it to my whitelist.
Issue:
firehol.conf relevant settings:
/etc/apt/sources.list.d/nodesource.list
When firehol_webserver is removed, apt-get update works correctly as follows: