Ok, using the pf.sh script, it works as expected. Can I reconfigure agent.conf to
use pf.sh as the active response instead of the firewall-drop.sh script, only for
FreeBSD hosts?


On Mon, Apr 8, 2013 at 2:25 PM, dan (ddp) <ddp...@gmail.com> wrote:

> On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez <carlopm...@gmail.com>
> wrote:
> > AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf
> ...
> >
>
> It looks like FreeBSD with pf enabled should be using pf.sh. Try
> running the same command you did previously, but with pf.sh instead.
> If that works, copying it over firewall-drop.sh should be the way to
> go.
>
> I'll have a look at the installer logic to see if I can figure out
> where this went wrong, so please report success or failure of the above.
>
> >
> > On Mon, Apr 8, 2013 at 2:16 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez <carlopm...@gmail.com>
> >> wrote:
> >> > Correct, but for this reason, I ask the question ...
> >> >
> >>
> >> Does freebsd use ipf anymore? Is it still a knob?
> >>
> >> >
> >> > On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> >>
> >> >> On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez <
> carlopm...@gmail.com>
> >> >> wrote:
> >> >> > Yep, it is searching ipf ...
> >> >> >
> >> >> > root@itafbsd01:/data/logs/plain# /bin/sh -x
> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add -
> >> >> > 10.196.0.15
> >> >> > + uname
> >> >> > + UNAME=FreeBSD
> >> >> > + ECHO=/bin/echo
> >> >> > + GREP=/bin/grep
> >> >> > + IPTABLES=''
> >> >> > + IP4TABLES=/sbin/iptables
> >> >> > + IP6TABLES=/sbin/ip6tables
> >> >> > + IPFILTER=/sbin/ipf
> >> >> > + [ XFreeBSD = XSunOS ]
> >> >> > + GENFILT=/usr/sbin/genfilt
> >> >> > + LSFILT=/usr/sbin/lsfilt
> >> >> > + MKFILT=/usr/sbin/mkfilt
> >> >> > + RMFILT=/usr/sbin/rmfilt
> >> >> > + ARG1=''
> >> >> > + ARG2=''
> >> >> > + RULEID=''
> >> >> > + ACTION=add
> >> >> > + USER=-
> >> >> > + IP=10.196.0.15
> >> >> > + dirname /usr/local/ossec-hids/active-response/bin/firewall-drop.sh
> >> >> > + LOCAL=/usr/local/ossec-hids/active-response/bin
> >> >> > + cd /usr/local/ossec-hids/active-response/bin
> >> >> > + cd ../
> >> >> > + pwd
> >> >> > + PWD=/usr/local/ossec-hids/active-response
> >> >> > + basename /usr/local/ossec-hids/active-response/bin/firewall-drop.sh
> >> >> > + filename=firewall-drop.sh
> >> >> > + LOCK=/usr/local/ossec-hids/active-response/fw-drop
> >> >> > + LOCK_PID=/usr/local/ossec-hids/active-response/fw-drop/pid
> >> >> > + LOG_FILE=/usr/local/ossec-hids/active-response/../logs/active-responses.log
> >> >> > + date
> >> >> > + echo 'Mon Apr  8 14:02:35 UTC 2013
> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add -
> >> >> > 10.196.0.15
> >> >> > '
> >> >> > + [ x10.196.0.15 = x ]
> >> >> > + IPTABLES=/sbin/iptables
> >> >> > + MAX_ITERATION=50
> >> >> > + [ xadd != xadd -a xadd != xdelete ]
> >> >> > + [ XFreeBSD = XLinux ]
> >> >> > + [ XFreeBSD = XFreeBSD -o XFreeBSD = XSunOS -o XFreeBSD = XNetBSD ]
> >> >> > + ls /sbin/ipf
> >> >> > + [ 0 != 0 ]
> >> >> > + ls /bin/echo
> >> >> > + [ 0 != 0 ]
> >> >> > + [ xadd = xadd ]
> >> >> > + ARG1='"@1 block out quick from any to 10.196.0.15"'
> >> >> > + ARG2='"@1 block in quick from 10.196.0.15 to any"'
> >> >> > + IPFARG='/sbin/ipf -f -'
> >> >>
> >> >> It's trying to use ipf, not pf.
> >> >>
> >> >> > + eval /bin/echo '"@1' block out quick from any to '10.196.0.15"'
> >> >> > + /sbin/ipf -f -
> >> >> > + /bin/echo '@1 block out quick from any to 10.196.0.15'
> >> >> > open device: No such file or directory
> >> >> > User/kernel version check failed
> >> >> > 1:ioctl(add/insert rule): Bad file descriptor
> >> >> > + eval /bin/echo '"@1' block in quick from 10.196.0.15 to 'any"'
> >> >> > + /sbin/ipf -f -
> >> >> > + /bin/echo '@1 block in quick from 10.196.0.15 to any'
> >> >> > open device: No such file or directory
> >> >> > User/kernel version check failed
> >> >> > 1:ioctl(add/insert rule): Bad file descriptor
> >> >> > + exit 0
> >> >> > root@itafbsd01:/data/logs/plain
> >> >> >
> >> >> >
> >> >> > On Mon, Apr 8, 2013 at 1:53 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> >> >>
> >> >> >> On Mon, Apr 8, 2013 at 9:50 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> >> >> > works:
> >> >> >> >
> >> >> >> > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T add 10.196.0.15
> >> >> >> > No ALTQ support in kernel
> >> >> >> > ALTQ related functions disabled
> >> >> >> > 1/1 addresses added.
> >> >> >> > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T show
> >> >> >> > No ALTQ support in kernel
> >> >> >> > ALTQ related functions disabled
> >> >> >> >    10.196.0.15
> >> >> >> > root@plzfsiem02:/data/logs/plain
> >> >> >> >
> >> >> >>
> >> >> >> Ok, now try to find out what pfctl command firewall-drop.sh is
> >> >> >> using.
> >> >> >>
> >> >> >> /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh
> >> >> >> blahblahblah
> >> >> >>
> >> >> >> >
> >> >> >> > On Mon, Apr 8, 2013 at 1:48 PM, dan (ddp) <ddp...@gmail.com>
> >> >> >> > wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Apr 8, 2013 at 9:45 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> >> >> >> > Executing active response manually:
> >> >> >> >> >
> >> >> >> >> > root@itafbsd01:/usr/local/ossec-hids/bin# /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15
> >> >> >> >> > open device: No such file or directory
> >> >> >> >> > User/kernel version check failed
> >> >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor
> >> >> >> >> > open device: No such file or directory
> >> >> >> >> > User/kernel version check failed
> >> >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> pfctl -t ossec_fwtable -T add IP_ADDRESS
> >> >> >> >>
> >> >> >> >> >
> >> >> >> >> > On Mon, Apr 8, 2013 at 1:42 PM, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> >> >> >> >>
> >> >> >> >> >> Hi all,
> >> >> >> >> >>
> >> >> >> >> >> Could active response not work for servers based on FreeBSD using pf
> >> >> >> >> >> as a firewall? I have three FreeBSD hosts and it doesn't seem to be
> >> >> >> >> >> working:
> >> >> >> >> >>
> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# pfctl -sr
> >> >> >> >> >> No ALTQ support in kernel
> >> >> >> >> >> ALTQ related functions disabled
> >> >> >> >> >> block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
> >> >> >> >> >> block drop in log quick on ! em0 inet from 10.196.0.0/24 to any
> >> >> >> >> >> block drop in log quick inet from 10.196.0.104 to any
> >> >> >> >> >> block drop in log quick inet from 10.196.0.93 to any
> >> >> >> >> >> block drop in log quick on ! em1 inet from 172.17.22.0/29 to any
> >> >> >> >> >> block drop in log quick inet from 172.17.22.2 to any
> >> >> >> >> >> block drop in log quick on ! em2 inet from 172.17.23.0/29 to any
> >> >> >> >> >> block drop in log quick inet from 172.17.23.2 to any
> >> >> >> >> >> block drop in log quick on ! lo0 inet6 from ::1 to any
> >> >> >> >> >> block drop in log quick on em0 inet6 from fe80::250:56ff:fe38:c2bf to any
> >> >> >> >> >> block drop in log quick on em1 inet6 from fe80::250:56ff:fe22:be36 to any
> >> >> >> >> >> block drop in log quick on em2 inet6 from fe80::250:56ff:fe03:5d90 to any
> >> >> >> >> >> block drop in log all
> >> >> >> >> >> block drop in log quick from <ossec_fwtable> to any
> >> >> >> >> >> block drop out log quick from any to <ossec_fwtable>
> >> >> >> >> >>
> >> >> >> >> >>
> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# cat /usr/local/ossec-hids/logs/active-responses.log
> >> >> >> >> >> Mon Apr  8 12:16:28 UTC 2013
> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 1365423388.106418930 100307
> >> >> >> >> >> Mon Apr  8 12:33:22 UTC 2013
> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 192.168.65.16 1365424402.107310243 100310
> >> >> >> >> >> Mon Apr  8 12:56:32 UTC 2013
> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 81.84.99.182 1365425792.109009489 100306
> >> >> >> >> >> Mon Apr  8 12:59:06 UTC 2013
> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 84.253.190.122 1365425946.109167068 100306
> >> >> >> >> >> Mon Apr  8 13:11:25 UTC 2013
> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 212.163.33.165 1365426685.109822795 100306
> >> >> >> >> >>
> >> >> >> >> >>
> >> >> >> >> >> ... but:
> >> >> >> >> >>
> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# pfctl -t ossec_fwtable -T show
> >> >> >> >> >> No ALTQ support in kernel
> >> >> >> >> >> ALTQ related functions disabled
> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin
> >> >> >> >> >>
> >> >> >> >> >> Ossec server and these FreeBSD agents use 2.7 release ...
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >
> >> >> >>
> >> >> >
> >> >>
> >> >
> >>
> >
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
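As an added example (not OSSEC's own script and not code posted in this thread): a small dispatcher in the style of firewall-drop.sh that picks the FreeBSD backend by checking which packet-filter device the kernel actually exposes, instead of only testing that the /sbin/ipf binary is installed, which is the check that sent the trace above down the ipf path. It assumes pf exposes /dev/pf, ipfilter exposes /dev/ipl, and the ossec_fwtable table name used in the thread.

```shell
#!/bin/sh
# Added example, not the OSSEC project's firewall-drop.sh or pf.sh.
# Assumptions: pf is loaded when /dev/pf exists, ipfilter when /dev/ipl exists,
# and the pf table is named ossec_fwtable (as in the thread's pfctl output).

# select_backend OS [DEVDIR] -> prints pf, ipf or none.
# DEVDIR defaults to /dev; it is a parameter so the logic can be exercised
# against a constructed directory tree without touching the real system.
select_backend() {
    os=$1; devdir=${2:-/dev}
    case "$os" in
        FreeBSD|OpenBSD|NetBSD)
            if [ -e "$devdir/pf" ]; then echo pf
            elif [ -e "$devdir/ipl" ]; then echo ipf
            else echo none; fi ;;
        *) echo none ;;
    esac
}

# valid_ipv4 IP -> succeeds only for a dotted quad with octets 0..255.
# The IP comes out of an alert, so it is checked before it reaches a
# privileged firewall command.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# block_cmd ACTION IP BACKEND -> prints the command line that would apply the
# block; the caller decides whether to execute it (keeps this testable offline).
block_cmd() {
    action=$1; ip=$2; backend=$3
    valid_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
    case "$backend:$action" in
        pf:add)     echo "pfctl -t ossec_fwtable -T add $ip" ;;
        pf:delete)  echo "pfctl -t ossec_fwtable -T delete $ip" ;;
        ipf:add)    echo "echo '@1 block in quick from $ip to any' | ipf -f -" ;;
        ipf:delete) echo "echo '@1 block in quick from $ip to any' | ipf -r -f -" ;;
        *) echo "no usable packet filter for $backend/$action" >&2; return 1 ;;
    esac
}

# Stand-alone use mirrors firewall-drop.sh's arguments: <add|delete> <user> <ip>
if [ -n "$1" ]; then
    be=$(select_backend "$(uname)")
    cmd=$(block_cmd "$1" "$3" "$be") && echo "would run: $cmd"
fi
```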