# IPFW + SSHGuard



## Sigfrido (Nov 7, 2011)

Hi!

I've got a problem with security/sshguard-ipfw.

Assumption: I'm running a GENERIC kernel on 8.2 (so I suppose that I don't have the option IPFIREWALL_FORWARD in) and I'm not interested in compiling a custom kernel.

I'm using a custom ruleset in /etc/ipfw.rules:


```
#!/bin/sh

ipfw -q -f flush
cmd="ipfw -q add"
pif="em0"

$cmd xxxxx allow all from any to any via lo0
$cmd xxxxx deny all from any to 127.0.0.0/8
$cmd xxxxx deny all from 127.0.0.0/8 to any
$cmd xxxxx deny tcp from any to any frag

# [cut]
```

After the installation, I've uncommented the line in /etc/syslog.conf:


```
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
```

but it seems that SSHGuard doesn't add any blocking rule from ID 55000 to 55050, as expected.

When I restart ipfw it says:


```
ipfw: getsockopt(IP_FW_ADD): Invalid argument
```

SSHGuard process seems up and running.

I think that sshguard tried to add its blocking rule without results: does it require the kernel version of ipfw?

Suggestions are really appreciated.

Thanks in advance


----------



## SirDice (Nov 7, 2011)

I haven't used sshguard with IPFW yet but it works fine with PF.


----------



## Sigfrido (Nov 7, 2011)

Follow-ups, if needed:

```
myserver# kldstat
Id Refs Address            Size     Name
 1   13 0xffffffff80100000 c9fe20   kernel
 2    1 0xffffffff80da0000 918      accf_data.ko
 3    1 0xffffffff80da1000 15e0     accf_http.ko
 4    1 0xffffffff80e22000 ca6e     ipfw.ko
 5    1 0xffffffff80e2f000 b1da     libalias.ko
 6    1 0xffffffff80e3b000 27f8     logo_saver.ko
```

Process seems up and running:


```
sshguard[1468]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
```

It recognizes threats:


```
Nov  8 02:14:38 myserver sshguard[3127]: Blocking aaaa.ss.zzz.xxx:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
```

but effectively it doesn't block, I suppose because sshguard has not added any rule to IPFW due to the highlighted problem.


----------
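
A way to check for the symptom described above (sshguard logs "Blocking" but no rule shows up in 55000 to 55050), as an added example that is not part of the thread. The function name, file paths and sample addresses are assumptions, as are the `:6` suffix for IPv6 and the idea that a blocked address appears as its own token on the `ipfw list` line.

```shell
#!/bin/sh
# Added example (not from the thread): list addresses that sshguard logged as
# "Blocking" but that appear in no ipfw rule numbered LO..HI.
LO=55000   # rule range sshguard is expected to fill, as stated in the thread
HI=55050

# unenforced LOGFILE RULESFILE
#   LOGFILE   auth log containing sshguard lines
#   RULESFILE saved output of `ipfw list`
unenforced() {
    awk -v lo="$LO" -v hi="$HI" '
        FILENAME == ARGV[1] {            # rules file; test by name so an empty
            n = $1 + 0                   # rule list is not confused with the log
            if (n >= lo && n <= hi)
                for (i = 2; i <= NF; i++) ruled[$i] = 1
            next
        }
        /sshguard\[[0-9]+\]: Blocking / {
            for (i = 1; i < NF; i++)
                if ($i == "Blocking") {
                    a = $(i + 1)
                    sub(/:[46]$/, "", a)     # drop the ":4" / ":6" family suffix
                    if (!(a in ruled) && !(a in seen)) { seen[a] = 1; print a }
                    break
                }
        }' "$2" "$1"
}

# Constructed sample data (documentation addresses), so the check runs offline.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/auth.log" <<'EOF'
Nov  8 02:14:38 myserver sshguard[3127]: Blocking 192.0.2.10:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Nov  8 02:20:01 myserver sshguard[3127]: Blocking 198.51.100.7:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov  8 03:01:12 myserver sshguard[3127]: Blocking 192.0.2.10:4 for >945secs: 40 danger in 4 attacks over 5 seconds (all: 80d in 2 abuses over 2794s).
EOF
    cat > "$d/ipfw.txt" <<'EOF'
00100 allow ip from any to any via lo0
55000 deny ip from 192.0.2.10 to any
65535 deny ip from any to any
EOF
    unenforced "$d/auth.log" "$d/ipfw.txt"
    rm -rf "$d"
}
demo
```

On a live host, save the ruleset with `ipfw list > /tmp/ipfw.txt` and run `unenforced /var/log/auth.log /tmp/ipfw.txt`; any address printed was reported as blocked but has no rule in the range.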



## RusDyr (Mar 26, 2012)

+1, it also doesn't work on my servers with 8.2 and 9.0 releases. Didn't see code yet.


----------



## manilaboy1vic (Jul 16, 2013)

Has this been resolved? I have sshguard working with ipfw. I do use a custom kernel though:


```
options    IPFIREWALL
options    IPFIREWALL_VERBOSE
options    IPFIREWALL_VERBOSE_LIMIT=5
options    IPFIREWALL_DEFAULT_TO_ACCEPT
options    IPDIVERT
```

I attempt to ssh and leave an empty password and a rule shows up in ipfw.

Just an FYI guys.


----------

