Bug #10879 (Closed)
SSH lockout table - Bogons IPv6 table too large and blocks firewall reloading (and upon reboot) locks up all LAN traffic to the internet
Description
The firewall rules do not load: some SSH 'lockout table' complains there are too many bogonsv6 entries from /etc/bogonsv6 to load into a list/array, so the firewall does not come online when the FW starts up, and the device is non-functional as a result.
Error:
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements. - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6"
#SSH Lockout Table
table <sshguard> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6" (LINE 19)
table <negate_networks>
My /etc/bogonsv6 has 113k entries in it.
I had to cut the bogonsv6 file down to a small number of entries, as seen below, to bring the traffic management online.
- last updated 1598935801 (Tue Sep 1 04:50:01 2020 GMT)
100::/8
200::/7
400::/6
800::/5
1000::/4
2000::/16
4000::/2
8000::/1
Frankly, I don't want 133k IPv6 FW rules for ssh. It's not practical to manage security and network ingress that way, and I also notice that sshd is bound to ALL interfaces, which is a security problem: it openly listens to the internet in this new release.
The proper way to design this: SSH should be able to be bound to ONLY the internal interfaces, like the DNS resolver!
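The "cannot define table ...: too many elements" error in the report is what pfctl prints when a table would push the ruleset past pf's table-entries limit, which is shared by every table in the ruleset and shown by `pfctl -s memory`. The following is an added example, not code from the reporter or from pfSense: a POSIX shell check that counts the entries in a file in /etc/bogons format, reads the hard limit out of captured `pfctl -s memory` output, and reports whether loading the table would exceed it. The 8-entry file is the trimmed one quoted above; the synthetic 113000-entry file, the sample `pfctl -s memory` output and its 100000-entry limit are constructed for the demo and are not real firewall data.

```shell
#!/bin/sh
# Added example (not pfSense code): check whether a pf table file will fit
# under pf's table-entries limit before the ruleset is reloaded, so a bogons
# update does not turn into "cannot define table ...: too many elements".

# Count table entries in a file in /etc/bogons format: one network per line,
# blank lines and '#' comments ignored.
count_table_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Extract the table-entries hard limit from `pfctl -s memory` output read on
# stdin, so a captured copy can be checked offline.
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4 }'
}

# table_fits FILE LIMIT [RESERVE]
# The limit is shared by every table in the ruleset, so RESERVE is the number
# of entries the other tables (bogons, sshguard, snort2c, ...) already need.
# Returns 0 when FILE fits, 1 when loading it would exceed the limit.
table_fits() {
    file="$1"; limit="$2"; reserve="${3:-0}"
    n=$(count_table_entries "$file")
    if [ "$((n + reserve))" -le "$limit" ]; then
        echo "ok: $file has $n entries; $((n + reserve))/$limit used"
        return 0
    fi
    echo "too many elements: $file has $n entries; $((n + reserve)) > $limit"
    return 1
}

# --- Constructed sample data, not output from a real firewall ---
WORK=$(mktemp -d)

# The trimmed bogonsv6 file from the report (8 networks).
cat > "$WORK/bogonsv6.small" <<'EOF'
# last updated 1598935801 (Tue Sep 1 04:50:01 2020 GMT)
100::/8
200::/7
400::/6
800::/5
1000::/4
2000::/16
4000::/2
8000::/1
EOF

# A synthetic 113000-entry file standing in for the full /etc/bogonsv6
# (documentation prefixes only; the real list is fetched by pfSense).
awk 'BEGIN { print "# synthetic"
             for (i = 0; i < 113000; i++)
                 printf "2001:db8:%x:%x::/64\n", int(i / 65536), i % 65536 }' \
    > "$WORK/bogonsv6.full"

# Constructed `pfctl -s memory` output with a deliberately low table limit.
SAMPLE_PFCTL_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   100000'

LIMIT=$(printf '%s\n' "$SAMPLE_PFCTL_SM" | table_entries_limit)

# Demo: the trimmed file fits, the full one does not (4000 entries reserved
# for the other tables in the ruleset).
table_fits "$WORK/bogonsv6.small" "$LIMIT" 4000
table_fits "$WORK/bogonsv6.full" "$LIMIT" 4000 || true
```

On a live system the limit comes from `pfctl -s memory | table_entries_limit` and the reserve from the entry counts of the other tables in /tmp/rules.debug. On pfSense the knob that sets this limit is Firewall Maximum Table Entries under System > Advanced > Firewall & NAT, which becomes a `set limit table-entries` line in the generated ruleset; whatever caused the limit to be exceeded in this report is handled in the linked issue, not by editing the bogons file.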
Updated by andreas vesalius about 4 years ago
Probably the same issue as https://redmine.pfsense.org/issues/10861
Updated by Jim Pingle about 4 years ago
- Category set to Rules / NAT
- Status changed from New to Duplicate
- Priority changed from Urgent to Normal
- Target version deleted (2.5.0)
It is the same as the other issue. It has nothing to do with bogons or sshguard themselves, so suggestions about those are not relevant to the other issue.