Project

General

Profile

Actions

Bug #10879

closed

SSH lockout table - Bogons IPv6 table to large and blocks firewall re-loading (and upon reboot) locks up all LAN traffic to internet

Added by Eric Veum over 4 years ago. Updated over 4 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
09/08/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.x
Affected Architecture:

Description

The firewall rules do not load, due to some SSH 'lockout table complaining there are too many bogonsv6 from /etc/bogonsv6 to load into a list/array, leading to firewall not coming on line when FW started up, device non-functional as a result.

Error:
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements. - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6"

#SSH Lockout Table
table <sshguard> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6" (LINE 19)
table <negate_networks>

My /etc/bogonsv6 - it has 113k entires in it.

I had to cut the bogonsv6 file down to a small number of entries, e.g. as seen to bring the traffic management on-line.

  1. last updated 1598935801 (Tue Sep 1 04:50:01 2020 GMT)
    100::/8
    200::/7
    400::/6
    800::/5
    1000::/4
    2000::/16
    4000::/2
    8000::/1

Frankly, I don't want 133k IPv6 FW rules for ssh -- its not practical to manage security and network ingress that way, and well, I also notice the sshd is bound to ALL interface, which is a security problem to have it openly listen to the internet in this new release.

The proper way to design this: ** THE SSH should be able to be bound to ONLY the internal interfaces, like the DNS resolver !!!!!


Files

fw_problem_etc-bogonsv6 (1.76 MB) fw_problem_etc-bogonsv6 Eric Veum, 09/08/2020 10:05 AM
fw_problem-rules.debug (11.9 KB) fw_problem-rules.debug Eric Veum, 09/08/2020 10:05 AM
Actions #1

Updated by andreas vesalius over 4 years ago

Probably the same issue as https://redmine.pfsense.org/issues/10861

Actions #2

Updated by Jim Pingle over 4 years ago

  • Category set to Rules / NAT
  • Status changed from New to Duplicate
  • Priority changed from Urgent to Normal
  • Target version deleted (2.5.0)

It is the same as the other issue. It has nothing to do with bogons or sshguard themselves, so suggestions about those are not relevant to the other issue.

Actions

Also available in: Atom PDF