
Archlinux unable to start bouncer (aur/cs-firewall-bouncer 0.0.25-1)

Last active 15 days ago

6 replies

4 views

  • KA

    I am having issues with my server; I'll tackle those in a different post. For now I am having this issue:

    ```
    crowdsec-firewall-bouncer -v -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
    INFO[0000] crowdsec-firewall-bouncer 0.0.25-e83a672a05a879051ab09b47bf360db96ce1bbb0
    time="13-01-2023 15:56:35" level=fatal msg="conn.Receive: netlink receive: numerical result out of range"
    ```

    My previous package & installation was working perfectly. I know I should ask the maintainer of the package in the AUR; it seems like there were no significant changes in the package itself.

    Thank you

  • II

    Could you share some info about the config? A quick google seems to suggest it could be an issue with nftables, but that's just a google.

  • KA

    Sure. It's a non-Docker-based install on the host, & you're right about google leading towards nftables, but I can't find any relevant info.
    It was working flawlessly for more than 3 months. What led to this is I restarted my host & all of a sudden crowdsec stopped working & gave me an error about the sqlite3 db being "locked". I managed to move it to "mariadb/mysql" & was able to run crowdsec again, which I wanted to share/shed some light on, as I said earlier.

    Here are the configs

    /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

    ```yaml
    mode: nftables
    pid_dir: /var/run/
    update_frequency: 10s
    daemonize: true
    log_mode: file
    log_dir: /var/log/
    log_level: info
    log_compression: true
    log_max_size: 100
    log_max_backups: 3
    log_max_age: 30
    api_url: http://127.0.0.1:8080/
    api_key: REDACTED
    insecure_skip_verify: false
    disable_ipv6: false
    deny_action: DROP
    deny_log: false
    supported_decisions_types:
      - ban
    # to change log prefix
    # deny_log_prefix: "crowdsec: "
    # to change the blacklists name
    # blacklists_ipv4: crowdsec-blacklists
    # blacklists_ipv6: crowdsec6-blacklists
    # type of ipset to use
    # ipset_type: nethash
    # if present, insert rule in those chains
    # iptables_chains:
    #   - INPUT
    #   - FORWARD
    #   - DOCKER-USER
    ## nftables
    nftables:
      ipv4:
        enabled: true
        set-only: false
        table: crowdsec
        chain: crowdsec-chain
      ipv6:
        enabled: true
        set-only: false
        table: crowdsec6
        chain: crowdsec6-chain
    # packet filter
    pf:
      # an empty string disables the anchor
      anchor_name: ""

    prometheus:
      enabled: true
      listen_addr: 127.0.0.1
      listen_port: 60601
    ```

  • KA

    /etc/nftables.conf

    ```nft
    #!/usr/bin/nft -f
    # vim:set ts=2 sw=2 et:

    # IPv4/IPv6 Simple & Safe firewall ruleset.
    # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

    table inet filter
    delete table inet filter
    table inet filter {
      chain input {
        type filter hook input priority filter
        policy drop

        ct state invalid drop comment "early drop of invalid connections"
        ct state {established, related} accept comment "allow tracked connections"
        iifname lo accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        tcp dport ssh accept comment "allow sshd"
        pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
        counter
      }
      chain forward {
        type filter hook forward priority filter
        policy drop
      }
    }
    ```
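The posted bouncer config expects the bouncer to own an IPv4 table `crowdsec` and an IPv6 table `crowdsec6`, each with a chain and a blacklist set, alongside the `inet filter` ruleset from /etc/nftables.conf. The script below is an added diagnostic example, not code from this thread or from the bouncer project: it parses the JSON that `nft -j list ruleset` prints and reports, per bouncer table, whether the table, an input-hook chain, a set and at least one rule exist, how many elements the set holds, and in what order all input-hook chains run (lower priority value first). The embedded `SAMPLE_RULESET` is a constructed sample in the libnftables JSON shape; its addresses, handles and chain priorities are assumed, and it deliberately lacks the `crowdsec6` table so the report shows a failing check.

```python
"""Report what the CrowdSec firewall bouncer has installed in nftables (added example)."""
import json
import subprocess
from dataclasses import dataclass, field

# Table names from the bouncer config posted above, keyed by nft address family.
BOUNCER_TABLES = {"ip": "crowdsec", "ip6": "crowdsec6"}

# Constructed sample (assumed values), shaped like `nft -j list ruleset` output:
# the poster's `inet filter` chains plus an IPv4 bouncer table, but no IPv6 one.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.6", "release_name": "Lester Gooch #5", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"table": {"family": "ip", "name": "crowdsec", "handle": 2}},
    {"set": {"family": "ip", "name": "crowdsec-blacklists", "table": "crowdsec",
             "type": "ipv4_addr", "handle": 3, "flags": ["timeout"],
             # elements with a timeout are wrapped as {"elem": {...}}; untimed ones are bare strings
             "elem": [{"elem": {"val": "192.0.2.10", "timeout": 14400, "expires": 12000}},
                      {"elem": {"val": "198.51.100.7", "timeout": 14400, "expires": 900}}]}},
    {"chain": {"family": "ip", "table": "crowdsec", "name": "crowdsec-chain", "handle": 4,
               "type": "filter", "hook": "input", "prio": -10, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "crowdsec", "chain": "crowdsec-chain", "handle": 5,
              "expr": [{"match": {"op": "==",
                                  "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                                  "right": "@crowdsec-blacklists"}},
                       {"drop": None}]}},
]})


@dataclass
class BouncerTable:
    family: str
    name: str
    exists: bool = False
    chains: list = field(default_factory=list)  # (chain name, hook, priority)
    sets: dict = field(default_factory=dict)    # set name -> element count
    rules: int = 0


def parse_ruleset(text: str) -> list:
    """Return nft's list of {kind: body} objects from its JSON output."""
    return json.loads(text)["nftables"]


def inspect_bouncer_tables(objects: list) -> dict:
    """Collect the objects belonging to each bouncer table, keyed by address family."""
    found = {fam: BouncerTable(fam, name) for fam, name in BOUNCER_TABLES.items()}
    for obj in objects:
        for kind, body in obj.items():
            table = found.get(body.get("family"))  # metainfo/inet objects have no bouncer family
            if table is None:
                continue
            owner = body.get("name") if kind == "table" else body.get("table")
            if owner != table.name:
                continue
            if kind == "table":
                table.exists = True
            elif kind == "chain":
                table.chains.append((body["name"], body.get("hook"), body.get("prio")))
            elif kind == "set":
                table.sets[body["name"]] = len(body.get("elem", []))
            elif kind == "rule":
                table.rules += 1
    return found


def input_hook_order(objects: list) -> list:
    """Base chains on the input hook in execution order: lower priority runs first."""
    chains = [b for o in objects for k, b in o.items() if k == "chain" and b.get("hook") == "input"]
    return [(c["family"], c["table"], c["name"], c["prio"]) for c in sorted(chains, key=lambda c: c["prio"])]


def report(objects: list) -> list:
    """Findings as strings; an empty list means every bouncer table looks complete."""
    findings = []
    for t in inspect_bouncer_tables(objects).values():
        if not t.exists:
            findings.append(f"{t.family} table {t.name!r} is missing")
            continue
        if not any(hook == "input" for _, hook, _ in t.chains):
            findings.append(f"{t.family} table {t.name!r} has no chain on the input hook")
        if not t.sets:
            findings.append(f"{t.family} table {t.name!r} has no blacklist set")
        if t.rules == 0:
            findings.append(f"{t.family} table {t.name!r} has no rules")
    return findings


def load_live_ruleset() -> list:
    """Read the real ruleset; needs root and the nft binary, so it is not called by default."""
    out = subprocess.run(["nft", "-j", "list", "ruleset"], check=True, capture_output=True, text=True).stdout
    return parse_ruleset(out)


if __name__ == "__main__":
    objs = parse_ruleset(SAMPLE_RULESET)
    for t in inspect_bouncer_tables(objs).values():
        print(t)
    print("input hook order:", input_hook_order(objs))
    print("findings:", report(objs) or "none")
```

On a real host, run `sudo nft -j list ruleset > ruleset.json` and feed the file to `parse_ruleset`, or call `load_live_ruleset()` as root. With `disable_ipv6: false` in the config, a missing `crowdsec6` table is itself a finding worth chasing; with `set-only: false` each table should also carry its own input-hook chain, which this check verifies independently of the `inet filter` chain.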

  • II

    I know that nft has trouble handling whether an IP exists within a banned range. Is your crowdsec install detecting bad ranges and inserting those, or is it just standard IPs?

  • KA

    Excuse my late answer, I was off-grid.
    Those are standard IPs. The funny thing is it was working perfectly & I had banned IPs from LAPI.
    It all started one evening when I had a system reboot, as I said, & crowdsec was complaining about "DB Lock".
    I had to work & troubleshoot what the issue was, as it's not a Docker-based install & information is scarce within this realm, so to speak.
