3 files changed, 274 insertions, 136 deletions
diff --git a/contrib/blocklist/libexec/Makefile b/contrib/blocklist/libexec/Makefile
index 6537080bf465..619d962c23b2 100644
--- a/contrib/blocklist/libexec/Makefile
+++ b/contrib/blocklist/libexec/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $
 
-SCRIPTS=        blacklistd-helper
+SCRIPTS=        blocklistd-helper
 SCRIPTSDIR=     /libexec
 
 .include <bsd.prog.mk>
diff --git a/contrib/blocklist/libexec/blacklistd-helper b/contrib/blocklist/libexec/blacklistd-helper
deleted file mode 100644
index f92eab8b29bd..000000000000
--- a/contrib/blocklist/libexec/blacklistd-helper
+++ /dev/null
@@ -1,134 +0,0 @@
-#!/bin/sh
-#echo "run $@" 1>&2
-#set -x
-# $1 command
-# $2 rulename
-# $3 protocol
-# $4 address
-# $5 mask
-# $6 port
-# $7 id
-
-pf=
-if [ -f "/etc/ipfw-blacklist.rc" ]; then
-	pf="ipfw"
-	. /etc/ipfw-blacklist.rc
-	ipfw_offset=${ipfw_offset:-2000}
-fi
-
-if [ -z "$pf" ]; then
-	for f in npf pf ipf; do
-		if [ -f "/etc/$f.conf" ]; then
-			pf="$f"
-			break
-		fi
-	done
-fi
-
-if [ -z "$pf" ]; then
-	echo "$0: Unsupported packet filter" 1>&2
-	exit 1
-fi
-
-if [ -n "$3" ]; then
-	proto="proto $3"
-fi
-
-if [ -n "$6" ]; then
-	port="port $6"
-fi
-
-addr="$4"
-mask="$5"
-case "$4" in
-::ffff:*.*.*.*)
-	if [ "$5" = 128 ]; then
-		mask=32
-		addr=${4#::ffff:}
-	fi;;
-esac
-
-case "$1" in
-add)
-	case "$pf" in
-	ipf)
-		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
-		echo block in quick $proto from $addr/$mask to \
-		    any port=$6 head port$6 | \
-		    /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
-		;;
-	ipfw)
-		# use $ipfw_offset+$port for rule number
-		rule=$(($ipfw_offset + $6))
-		tname="port$6"
-		/sbin/ipfw table $tname create type addr 2>/dev/null
-		/sbin/ipfw -q table $tname add "$addr/$mask"
-		# if rule number $rule does not already exist, create it
-		/sbin/ipfw show $rule >/dev/null 2>&1 || \
-			/sbin/ipfw add $rule drop $3 from \
-			table"("$tname")" to any dst-port $6 >/dev/null && \
-			echo OK
-		;;
-	npf)
-		/sbin/npfctl rule "$2" add block in final $proto from \
-		    "$addr/$mask" to any $port
-		;;
-	pf)
-		# if the filtering rule does not exist, create it
-		/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
-		    grep -q "<port$6>" || \
-		    echo "block in quick $proto from <port$6> to any $port" | \
-		    /sbin/pfctl -a "$2/$6" -f -
-		# insert $ip/$mask into per-protocol/port anchored table
-		/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
-		    /sbin/pfctl -qk "$addr" && echo OK
-		;;
-	esac
-	;;
-rem)
-	case "$pf" in
-	ipf)
-		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
-		echo block in quick $proto from $addr/$mask to \
-		    any port=$6 head port$6 | \
-		    /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
-		;;
-	ipfw)
-		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
-		    echo OK
-		;;
-	npf)
-		/sbin/npfctl rule "$2" rem-id "$7"
-		;;
-	pf)
-		/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
-		    echo OK
-		;;
-	esac
-	;;
-flush)
-	case "$pf" in
-	ipf)
-		/sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
-		;;
-	ipfw)
-		/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
-		;;
-	npf)
-		/sbin/npfctl rule "$2" flush
-		;;
-	pf)
-		# dynamically determine which anchors exist
-		for anchor in $(/sbin/pfctl -a "$2" -s Anchors); do
-			/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
-			/sbin/pfctl -a $anchor -F rules
-		done
-		echo OK
-		;;
-	esac
-	;;
-*)
-	echo "$0: Unknown command '$1'" 1>&2
-	exit 1
-	;;
-esac
diff --git a/contrib/blocklist/libexec/blocklistd-helper b/contrib/blocklist/libexec/blocklistd-helper
new file mode 100755
index 000000000000..f27cde4ed4ea
--- /dev/null
+++ b/contrib/blocklist/libexec/blocklistd-helper
@@ -0,0 +1,272 @@
+#!/bin/sh
+#echo "run $@" 1>&2
+#set -x
+# $1 command
+# $2 rulename
+# $3 protocol
+# $4 address
+# $5 mask
+# $6 port
+# $7 id
+
+pf=
+if [ -f "/etc/ipfw-blocklist.rc" ]; then
+	pf="ipfw"
+	. /etc/ipfw-blocklist.rc
+	ipfw_offset=${ipfw_offset:-2000}
+fi
+
+if [ -z "$pf" ]; then
+	for f in npf pf ipfilter ipfw; do
+		if [ -x /etc/rc.d/$f ]; then
+			if /etc/rc.d/$f status >/dev/null 2>&1; then
+				pf="$f"
+				break
+			fi
+		elif [ -f "/etc/$f.conf" ]; then
+			# xxx assume a config file means it can be enabled --
+			# and the first one wins!
+			pf="$f"
+			break
+		fi
+	done
+fi
+
+if [ -z "$pf" -a -x "/sbin/iptables" ]; then
+	pf="iptables"
+fi
+
+if [ -z "$pf" ]; then
+	echo "$0: Unsupported packet filter" 1>&2
+	exit 1
+fi
+
+flags=
+if [ -n "$3" ]; then
+	raw_proto="$3"
+	proto="proto $3"
+	if [ $3 = "tcp" ]; then
+		flags="flags S/SAFR"
+	fi
+fi
+
+if [ -n "$6" ]; then
+	raw_port="$6"
+	port="port $6"
+fi
+
+addr="$4"
+mask="$5"
+case "$4" in
+::ffff:*.*.*.*)
+	if [ "$5" = 128 ]; then
+		mask=32
+		addr=${4#::ffff:}
+	fi;;
+esac
+
+case "$1" in
+add)
+	case "$pf" in
+	ipfilter)
+		# N.B.:  If you reload /etc/ipf.conf then you need to stop and
+		# restart blocklistd (and make sure blocklistd_flags="-r").
+		# This should normally already be implemented in
+		# /etc/rc.d/ipfilter, but if then not add the following lines to
+		# the end of the ipfilter_reload() function:
+		#
+		#	if checkyesnox blocklistd; then
+		#		/etc/rc.d/blocklistd restart
+		#	fi
+		#
+		# XXX we assume the following rule is present in /etc/ipf.conf:
+		# (should we check? -- it probably cannot be added dynamically)
+		#
+		#	block in proto tcp/udp from any to any head blocklistd
+		#
+		# where "blocklistd" is the default rulename (i.e. "$2")
+		#
+		# This rule can come before any rule that logs connections,
+		# etc., and should be followed by final rules such as:
+		#
+		#	# log all as-yet unblocked incoming TCP connection
+		#	# attempts
+		#	log in proto tcp from any to any flags S/SAFR
+		#	# last "pass" match wins for all non-blocked packets
+		#	pass in all
+		#	pass out all
+		#
+		# I.e. a "pass" rule which will be the final match and override
+		# the "block".  This way the rules added by blocklistd will
+		# actually block packets, and prevent logging of them as
+		# connections, because they include the "quick" flag.
+		#
+		# N.b.:  $port is not included/used in rules -- abusers are cut
+		# off completely from all services!
+		#
+		# Note RST packets are not returned for blocked SYN packets of
+		# active attacks, so the port will not appear to be closed.
+		# This will probably give away the fact that a firewall has been
+		# triggered to block connections, but it prevents generating
+		# extra outbound traffic, and it may also slow down the attacker
+		# somewhat.
+		#
+		# Note also that we don't block all packets, just new attempts
+		# to open connections (see $flags above).  This allows us to do
+		# counterespionage against the attacker (or continue to make use
+		# of any other services that might be on the same subnet as the
+		# supposed attacker).  However it does not kill any active
+		# connections -- we rely on the reporting daemon to do its own
+		# protection and cleanup.
+		#
+		# N.B.:  The rule generated here must exactly match the
+		# corresponding rule generated for the "rem" command below!
+		#
+		echo block in log quick $proto \
+		    from $addr/$mask to any $flags group $2 | \
+		    /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK
+		;;
+
+	ipfw)
+		# use $ipfw_offset+$port for rule number
+		rule=$(($ipfw_offset + $6))
+		tname="port$6"
+		/sbin/ipfw table $tname create type addr 2>/dev/null
+		/sbin/ipfw -q table $tname add "$addr/$mask"
+		# if rule number $rule does not already exist, create it
+		/sbin/ipfw show $rule >/dev/null 2>&1 || \
+			/sbin/ipfw add $rule drop $3 from \
+			table"("$tname")" to any dst-port $6 >/dev/null && \
+			echo OK
+		;;
+
+	iptables)
+		if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then
+			/sbin/iptables --new-chain "$2"
+		fi
+		/sbin/iptables --append INPUT --proto "$raw_proto" \
+		    --dport "$raw_port" --jump "$2"
+		/sbin/iptables --append "$2" --proto "$raw_proto" \
+		    --source "$addr/$mask" --dport "$raw_port" --jump DROP
+		echo OK
+		;;
+
+	npf)
+		/sbin/npfctl rule "$2" add block in final $proto from \
+		    "$addr/$mask" to any $port
+		;;
+
+	pf)
+		# if the filtering rule does not exist, create it
+		/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+		    grep -q "<port$6>" || \
+		    echo "block in quick $proto from <port$6> to any $port" | \
+		    /sbin/pfctl -a "$2/$6" -f -
+		# insert $ip/$mask into per-protocol/port anchored table
+		/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+		    /sbin/pfctl -qk "$addr" && echo OK
+		;;
+
+	esac
+	;;
+rem)
+	case "$pf" in
+	ipfilter)
+		# N.B.:  The rule generated here must exactly match the
+		# corresponding rule generated for the "add" command above!
+		#
+		echo block in log quick $proto \
+		    from $addr/$mask to any $flags group $2 | \
+		    /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
+		;;
+
+	ipfw)
+		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+		    echo OK
+		;;
+
+	iptables)
+		if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+			/sbin/iptables --delete "$2" --proto "$raw_proto" \
+			    --source "$addr/$mask" --dport "$raw_port" \
+			    --jump DROP
+		fi
+		echo OK
+		;;
+
+	npf)
+		/sbin/npfctl rule "$2" rem-id "$7"
+		;;
+
+	pf)
+		/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+		    echo OK
+		;;
+
+	esac
+	;;
+flush)
+	case "$pf" in
+	ipfilter)
+		#
+		# N.B. WARNING:  This is obviously not reentrant!
+		#
+		# First we flush all the rules from the inactive set, then we
+		# reload the ones that do not belong to the group "$2", and
+		# finally we swap the active and inactive rule sets.
+		#
+		/sbin/ipf -I -F a
+		#
+		# "ipf -I -F a" also flushes active accounting rules!
+		#
+		# Note that accounting rule groups are unique to accounting
+		# rules and have nothing to do with filter rules, though of
+		# course theoretically one could use the same group name for
+		# them too.
+		#
+		# In theory anyone using any such accounting rules should have a
+		# wrapper /etc/rc.conf.d/blocklistd script (and corresponding
+		# /etc/rc.conf.d/ipfilter script) that will record and
+		# consolidate the values accumulated by such accounting rules
+		# before they are flushed, since otherwise their counts will be
+		# lost forever.
+		#
+		/usr/sbin/ipfstat -io | fgrep -v "group $2" | \
+		    /sbin/ipf -I -f - >/dev/null 2>&1
+		#
+		# This MUST be done last and separately as "-s" is executed
+		# _while_ the command arguments are being processed!
+		#
+		/sbin/ipf -s && echo OK
+		;;
+
+	ipfw)
+		/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
+		;;
+
+	iptables)
+		if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+			/sbin/iptables --flush "$2"
+		fi
+		echo OK
+		;;
+
+	npf)
+		/sbin/npfctl rule "$2" flush
+		;;
+
+	pf)
+		# dynamically determine which anchors exist
+		for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do
+			/sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush
+			/sbin/pfctl -a "$anchor" -F rules
+		done
+		echo OK
+		;;
+	esac
+	;;
+*)
+	echo "$0: Unknown command '$1'" 1>&2
+	exit 1
+	;;
+esac