Fix `pfctl` command syntax with OpenBSD 5.8
sshguard is not adding hosts to the pf table because the -T and -t command options are in incorrect order.
sshguard / src / fwalls / command_pf.h
See lines 40, 48, and 51.
Per the pfctl man page, the commands should be:
[-t table -T command [address ...]]
To replicate, try adding an IP address to the table the wrong way:
pfctl -Tadd 1.1.1.1 -tsshguard
usage: pfctl [-deghnPqrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file] [-i interface] [-K host | network] [-k host | network | label | id] [-L statefile] [-o level] [-p device] [-S statefile] [-s modifier [-R id]] [-t table -T command [address ...]] [-x level]
Then try the right way:
pfctl -tsshguard -Tadd 1.1.1.1
1/1 addresses added.
Comments (8)
-
-
reporter Ok. Either way, adding or deleting before specifying the table doesn't work. The table must be specified before adding or deleting, etc. I'm testing on OpenBSD 5.8 stable.
I tried to modify the command in the latest source, but there is no configure file.
-
Okay, perhaps OpenBSD 5.8 changed something that broke this command. In any case, your solution is more correct. Could you verify that this command works?
pfctl -k $1 -t sshguard -T add $1
, where $1 is the address you want to block.
-
reporter Yes, the above command works as expected.
killed 0 states from 1 sources and 0 destinations
1/1 addresses added.
-
Thanks! I'm guessing the release and flush commands have to change, too?
pfctl -t sshguard -T del $1
pfctl -t sshguard -T flush
-
reporter Correct.
pfctl -t sshguard -T del $1
1/1 addresses deleted.
pfctl -t sshguard -T flush
3 addresses deleted.
-
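The three commands confirmed in this thread (block with state kill, release, flush), wrapped as a small pf backend script. This is an added example, not sshguard's own `command_pf.h` or the fix in 688dfb8: the `PFCTL` and `PF_TABLE` environment overrides, the `is_addr` check and the command-line dispatch are assumptions made here so the script can be exercised without a live pf. The address check matters because the string comes out of attacker-influenced log lines and lands on a command line; anything that could be read as a pfctl option (for example `-T flush`) or carry shell metacharacters is rejected before pfctl is invoked.

```shell
#!/bin/sh
# Added example, not sshguard's own backend: a minimal pf "firewall backend"
# that issues pfctl with the argument order OpenBSD 5.8 accepts
# (-t table first, then -T command, then the address), using the block,
# release and flush commands verified in the thread above.
#
# Assumptions (not from the original page): PFCTL and PF_TABLE can be
# overridden from the environment, and the is_addr check is our own addition.

PFCTL="${PFCTL:-/sbin/pfctl}"
PF_TABLE="${PF_TABLE:-sshguard}"

# Accept only a bare IPv4 or IPv6 literal. The address comes from log lines an
# attacker influences and is placed on a command line, so reject anything that
# could be parsed as an option ("-T flush") or carry shell metacharacters.
is_addr() {
    case "$1" in
        '' | *[!0-9a-fA-F:.]*) return 1 ;;   # empty or illegal character
        *.*.*.*) return 0 ;;                # dotted IPv4
        *:*)     return 0 ;;                # IPv6 (at least one colon)
        *)       return 1 ;;
    esac
}

# Block: kill the attacker's existing states, then add it to the table.
fw_block() {
    is_addr "$1" || return 2
    "$PFCTL" -k "$1" -t "$PF_TABLE" -T add "$1"
}

# Release: remove the address from the table.
fw_release() {
    is_addr "$1" || return 2
    "$PFCTL" -t "$PF_TABLE" -T del "$1"
}

# Flush: empty the whole table.
fw_flush() {
    "$PFCTL" -t "$PF_TABLE" -T flush
}

# Command-line dispatch, e.g.:  PFCTL=echo sh pf_backend.sh block 203.0.113.7
case "${1-}" in
    block)   fw_block "$2" ;;
    release) fw_release "$2" ;;
    flush)   fw_flush ;;
esac
```

Setting `PFCTL=echo` gives a dry run that prints the exact argument vector pfctl would receive, which is the quickest way to confirm the `-t`/`-T` order before pointing the script at the real `/sbin/pfctl`.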
- changed status to resolved
Fixed in 688dfb8, thanks!
-
- changed title to Fix `pfctl` command syntax with OpenBSD 5.8
-
I don't think that's your issue. The current command is
pfctl -k $1 -Tadd -t sshguard $1
, not
pfctl -Tadd $1 -tsshguard
as you suggested. You are right that the latter is incorrect, but that's not the command being run by SSHGuard.