NetBSD-Users archive
NPF ruleset not blocking IPs
I am trying to use npf along with blacklistd as an anti-bruteforce system.
Configuration-wide, everything seems to work together, yet blacklisted IPs,
while present in the "blacklistd" ruleset, don't seem to be blocked.
Here's my npf.conf file:
# npf.conf
$ext = vioif0
$ip4 = inet4(vioif0)
$ip6 = inet6(vioif0)
set bpf.jit on;
alg "icmp"
$tcp_allowed = {25, 53, 465, 587, 995, ssh, http, https}
$udp_allowed = {53}
table <blacklist> type ipset file "/etc/npf_blacklist"
procedure "log" {
log: npflog0
}
group "external" on $ext {
ruleset "blacklistd"
block in final from <blacklist>
}
group default {
pass final on lo0 all
pass stateful out final all
pass all
block in family inet6 all
pass proto ipv6-icmp all
pass stateful in family inet6 proto tcp to any port $tcp_allowed
pass stateful in family inet6 proto udp to any port $udp_allowed
}
# end of npf.conf
This virtual machine acts like an IPv6 router, hence the default rules.
Here's an extract of rules inserted by blacklistd:
$ sudo npfctl rule blacklistd list
ruleset block in final family inet4 proto udp from 64.231.104.8/32 to any port 53 # id="1"
ruleset block in final family inet4 proto udp from 94.181.160.42/32 to any port 53 # id="2"
ruleset block in final family inet4 proto udp from 209.126.8.168/32 to any port 53 # id="3"
ruleset block in final family inet4 proto udp from 85.28.98.113/32 to any port 53 # id="4"
ruleset block in final family inet4 proto udp from 44.200.125.213/32 to any port 53 # id="5"
ruleset block in final family inet4 proto udp from 120.71.145.56/32 to any port 53 # id="6"
ruleset block in final family inet4 proto udp from 90.90.90.90/32 to any port 53 # id="7"
ruleset block in final family inet4 proto udp from 107.119.41.101/32 to any port 53 # id="8"
ruleset block in final family inet4 proto udp from 78.116.212.157/32 to any port 53 # id="9"
ruleset block in final family inet4 proto udp from 189.203.104.245/32 to any port 53 # id="a"
ruleset block in final family inet4 proto udp from 193.124.7.9/32 to any port 53 # id="b"
ruleset block in final family inet4 proto udp from 173.179.63.249/32 to any port 53 # id="c"
ruleset block in final family inet4 proto udp from 174.244.240.203/32 to any port 53 # id="d"
ruleset block in final family inet4 proto udp from 72.9.7.72/32 to any port 53 # id="e"
ruleset block in final family inet4 proto udp from 95.105.64.219/32 to any port 53 # id="f"
ruleset block in final family inet4 proto udp from 185.156.46.34/32 to any port 53 # id="10"
ruleset block in final family inet4 proto tcp from 183.134.6.42/32 to any port 22 # id="7276"
ruleset block in final family inet4 proto tcp from 185.220.100.253/32 to any port 22 # id="729a"
ruleset block in final family inet4 proto udp from 35.174.16.235/32 to any port 53 # id="72b6"
Yet none of those IPs are blocked. I tried with a server of mine: it gets added to the list but is not blocked.
As the rules in the ruleset are declared as "final", I presume the default
`pass all` is not reached, am I right?
I am probably missing something obvious but can't figure out what.
Any ideas?
Thanks
------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net
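One thing worth checking before looking further: each rule blacklistd inserts above is scoped to one family, one protocol and one destination port, so a source that is "in the list" is only blocked for the exact service it was reported on. The following is an added example (not the poster's code or anything shipped with NPF) that parses a constructed three-line extract in the format of `npfctl rule blacklistd list` and answers whether a given source/protocol/port would hit one of those rules. It assumes first-match-wins evaluation of the listed `final` rules and models only the fields visible in the output.

```python
import ipaddress
import re

# Constructed sample: three lines in the format of `npfctl rule blacklistd list`
# from the post (not the full output).
SAMPLE_RULES = """\
ruleset block in final family inet4 proto udp from 64.231.104.8/32 to any port 53 # id="1"
ruleset block in final family inet4 proto tcp from 183.134.6.42/32 to any port 22 # id="7276"
ruleset block in final family inet4 proto tcp from 185.220.100.253/32 to any port 22 # id="729a"
"""

# Matches the dynamic-rule layout as printed above; other lines are skipped.
RULE_RE = re.compile(
    r'^ruleset\s+(?P<action>block|pass)\s+(?P<dir>in|out)(?:\s+final)?'
    r'\s+family\s+(?P<family>inet4|inet6)\s+proto\s+(?P<proto>\w+)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+any\s+port\s+(?P<port>\d+)'
    r'\s*#\s*id="(?P<id>[0-9a-f]+)"\s*$'
)


def parse_rules(text):
    """Turn an npfctl dynamic-ruleset listing into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header noise or an unexpected format: ignore, do not guess
        rule = m.groupdict()
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        rule["port"] = int(rule["port"])
        rules.append(rule)
    return rules


def matching_rule(rules, src, proto, dport):
    """Return the id of the first listed rule that a packet from `src` to
    `proto`/`dport` would hit, or None if no blacklistd rule applies.
    Assumption: rules are evaluated in listed order and the first hit wins."""
    addr = ipaddress.ip_address(src)
    family = "inet4" if addr.version == 4 else "inet6"
    for r in rules:
        if (r["family"] == family and r["proto"] == proto
                and r["port"] == dport and addr in r["src"]):
            return r["id"]
    return None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Same source, different port: the ssh ban does not cover http.
    print(matching_rule(rules, "183.134.6.42", "tcp", 22))  # 7276
    print(matching_rule(rules, "183.134.6.42", "tcp", 80))  # None
```

Running a test connection from a listed address to a port other than the one it was banned on will therefore not exercise the ruleset at all.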