ipfw backend should create table on startup for FreeBSD 11

Issue #51 resolved
Mohammad S. Babaei created an issue

I noticed that my sshguard instance stopped working after updating to FreeBSD 11.0-RELEASE. It looks like ipfw went through some breaking changes that affect sshguard:

$ service sshguard start
ipfw: failed to request table info: No such process
Could not initialize firewall

Someone already reported this on FreeBSD Bugzilla.

Comments (9)

  1. Mohammad S. Babaei reporter

    As suggested here, as a workaround I have to run this before starting sshguard service:

    $ /sbin/ipfw -q table 22 create
    
  2. Kevin Zheng
    • changed status to open

    The documentation, which is inconsistent with SSHGuard's current behavior, says that SSHGuard creates the table for you. Currently, SSHGuard checks if the table already exists. I'm not quite sure what the desired behavior is, but either SSHGuard or the documentation needs to be fixed.

  3. Mohammad S. Babaei reporter

    Thank you Kevin for your quick reply and sorry for my tardy response.

    In my estimation, fixing SSHGuard would be the most convenient solution. I can open an issue on the FreeBSD bug tracker and submit a patch to create/destroy the table on start/stop for the SSHGuard rc service. But I'm afraid FreeBSD 9.3, 10.1, 10.2, 10.3 with the old ipfw firewall, which are still supported, share the same ports tree with FreeBSD 11. I'm not sure if the patch gets accepted or if it may cause any trouble on older versions of ipfw, since I'm not familiar with SSHGuard's internals.

    Furthermore, fixing only the documentation will probably confuse people new to SSHGuard on FreeBSD, as ipfw's new behavior breaks a few how-to(s)/guides on SSHGuard which were written for FreeBSD. These guides are the first thing to come up when you google for "FreeBSD SSHGuard" or "FreeBSD SSHGuard ipfw".

  4. Kevin Zheng

    I agree fixing SSHGuard is the way to go. I'm not sure what the "fix" is: create the SSHGuard table and associated rules to block connections from the table? Or just create the table and make users edit the firewall rules themselves?

    I'm leaning towards just creating and destroying the tables automatically (though I'd have to investigate if this causes issues with loading the firewall ruleset, before the table exists).

  5. Kevin Zheng

    Poking FreeBSD package maintainer for security/sshguard-ipfw for opinions on what default behavior should be.

  6. Kevin Zheng

    Thanks for the report. I initially misunderstood the report, but I read the FreeBSD Bugzilla and figured out what's going on. Should be fixed in e9ffd99, thanks!
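
The start-up behaviour discussed in this thread, sketched as an added example (it is not SSHGuard's code, the fix in e9ffd99, or the FreeBSD port's rc script): an idempotent check that creates the table only when it is missing and still succeeds on an older ipfw. The names `ensure_table`, `IPFW` and `SSHGUARD_TABLE` are hypothetical, and the claim that older ipfw has no `create`/`info` subcommands and treats tables as always present is an assumption.

```shell
#!/bin/sh
# Added example: make sure the ipfw table SSHGuard uses exists before the
# daemon starts. Intended to be sourced by a prestart hook.

# Overridable so the logic can be exercised with a stand-in command.
IPFW="${IPFW:-/sbin/ipfw}"
# Table number taken from the workaround posted in this thread.
SSHGUARD_TABLE="${SSHGUARD_TABLE:-22}"

# ensure_table NUMBER
# Returns 0 if the table is usable afterwards, non-zero otherwise.
ensure_table() {
    table="$1"

    # FreeBSD 11 ipfw: "info" succeeds only when the table already exists,
    # so an existing table (and its current entries) is left untouched.
    if $IPFW -q table "$table" info >/dev/null 2>&1; then
        return 0
    fi

    # Table is missing: create it explicitly, as in the manual workaround.
    if $IPFW -q table "$table" create >/dev/null 2>&1; then
        return 0
    fi

    # Assumption: on older ipfw neither subcommand exists and tables are
    # implicit, so "list" succeeds. This also covers a table that another
    # process created between the two calls above.
    $IPFW -q table "$table" list >/dev/null 2>&1
}

# Typical call from a prestart hook:
#   ensure_table "$SSHGUARD_TABLE" || { echo "ipfw table unavailable" >&2; exit 1; }
```

Because the function never flushes or destroys the table, addresses already blocked there survive a service restart.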
