ipfw backend should create table on startup for FreeBSD 11
I noticed that my sshguard instance stopped working after updating to FreeBSD 11.0-RELEASE. It looks like ipfw went through some breaking changes that affect sshguard:
$ service sshguard start
ipfw: failed to request table info: No such process
Could not initialize firewall
Someone already reported this on FreeBSD Bugzilla.
Comments (9)
reporter
- changed status to open
The documentation, which is inconsistent with SSHGuard's current behavior, says that SSHGuard creates the table for you. Currently, SSHGuard checks if the table already exists. I'm not quite sure what the desired behavior is, but either SSHGuard or the documentation needs to be fixed.
reporter Thank you Kevin for your quick reply and sorry for my tardy response.
In my estimation, fixing SSHGuard would be the most convenient solution. I can open an issue on the FreeBSD bug tracker and submit a patch to create/destroy the table on start/stop for the SSHGuard rc service. But, I'm afraid FreeBSD 9.3, 10.1, 10.2, 10.3 with the old ipfw firewall, which are still supported, share the same ports tree with FreeBSD 11. I'm not sure if the patch gets accepted or if it may cause any trouble on older versions of ipfw, since I'm not familiar with SSHGuard's internals.
Furthermore, fixing only the documentation will probably confuse people new to SSHGuard on FreeBSD, as ipfw's new behavior breaks a few how-tos/guides on SSHGuard which were written for FreeBSD. These guides are the first thing to come up when you google for "FreeBSD SSHGuard" or "FreeBSD SSHGuard ipfw".
I agree fixing SSHGuard is the way to go. I'm not sure what the "fix" is: create the SSHGuard table and associated rules to block connections from the table? Or just create the table and make users edit the firewall rules themselves?
I'm leaning towards just creating and destroying the tables automatically (though I'd have to investigate if this causes issues with loading the firewall ruleset, before the table exists).
Poking FreeBSD package maintainer for security/sshguard-ipfw for opinions on what default behavior should be.
- marked as proposal
- marked as major
- changed title to ipfw backend should create table on startup
assigned issue to
- changed title to ipfw backend should create table on startup for FreeBSD 11
This is related to changes to ipfw in FreeBSD 11.
- changed status to resolved
Thanks for the report. I initially misunderstood the report, but I read the FreeBSD Bugzilla and figured out what's going on. Should be fixed in e9ffd99, thanks!
reporter My pleasure. And, thank you so much for the quick fix.
Keep up the good work.
As suggested here, as a workaround I have to run this before starting the sshguard service:
$ /sbin/ipfw -q table 22 create
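The create-if-missing behaviour discussed in this thread (check whether the table exists, create it only when it does not), as an added shell example that is neither sshguard's own code nor the fix in e9ffd99. It assumes table number 22 as in the workaround above, and an IPFW variable that defaults to /sbin/ipfw but can point at a stand-in so the logic can be exercised without a live firewall.

```shell
#!/bin/sh
# Added example (not sshguard's code): make sure the ipfw table that sshguard
# blocks from exists before the service starts. On FreeBSD 11's ipfw,
# "table N info" fails with "No such process" until the table has been
# created explicitly, which is what broke the existence check in the report.
#
# Assumptions (not from the issue): table 22 is the default, matching the
# reporter's workaround; IPFW may be overridden for testing.

IPFW="${IPFW:-/sbin/ipfw}"

# Return 0 if table $1 exists, non-zero otherwise (ipfw's own exit status).
ipfw_table_exists() {
    "$IPFW" -q table "$1" info >/dev/null 2>&1
}

# Create table $1 (default 22) only when it is missing.
# Prints "exists" or "created"; returns non-zero only if creation fails.
ensure_ipfw_table() {
    table="${1:-22}"
    if ipfw_table_exists "$table"; then
        echo "exists"
        return 0
    fi
    if "$IPFW" -q table "$table" create; then
        echo "created"
        return 0
    fi
    echo "failed to create ipfw table $table" >&2
    return 1
}

# Typical use as a pre-start step:
#   ensure_ipfw_table 22 && service sshguard start
```

Running it twice in a row is safe: the second call reports "exists" instead of failing on an already-created table.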