There's a black list, but is there a white list...?

Murus
NEO1
Posts: 16
Joined: Mon Jun 01, 2015 7:21 am

There's a black list, but is there a white list...?

Post by NEO1 » Sun Oct 04, 2015 8:13 pm

With the "blocked_ip's" I guess we have a black-list, but is there a whitelist where we can add our own known IP's so that we don't risk blocking ourselves when hammering ssh/vnc or whatever?

Cheers

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: There's a black list, but is there a white list...?

Post by hany » Mon Oct 05, 2015 1:58 pm

There is currently no option for a white list, but you can use a custom rule.
For example, if you want to grant SSH and VNC access to a specific IP address you can issue a custom rule like this:

pass in quick inet proto {tcp, udp} from {remoteIPaddress} to {any} port {22 5900 88} 

NEO1
Posts: 16
Joined: Mon Jun 01, 2015 7:21 am

Re: There's a black list, but is there a white list...?

Post by NEO1 » Thu Oct 08, 2015 2:24 pm

Hi

Can {remoteIPaddress} be a group in some way? So I create a new group with the IPs I want whitelisted...?

Also, when brute force protection is on, IPs are blocked, but how? Are they only blocked in memory, or for a certain time? They are not added to the "blocked clients" group, and after a few restarts of Murus it seems like the ban is lifted?

Cheers
hany wrote: There is currently no option for a white list, but you can use a custom rule.
For example, if you want to grant SSH and VNC access to a specific IP address you can issue a custom rule like this:

pass in quick inet proto {tcp, udp} from {remoteIPaddress} to {any} port {22 5900 88}

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: There's a black list, but is there a white list...?

Post by hany » Thu Oct 08, 2015 3:43 pm

Can {remoteIPaddress} be a group in some way? So I create a new group with the IPs I want whitelisted...?
Yes. For every group you create in Murus, a new dedicated PF table is created. You can use this PF table as source/destination of your custom rules.
For example:
- create Murus group named "whitelist"
- create a custom rule like this:

pass in quick inet proto {tcp, udp} from {<whitelist>} to {any} port {22 5900 88}

To modify your white list, just add/remove addresses to the "whitelist" Murus group and then click PLAY.
You can check the runtime content of your PF table using Murus Browser. You'll find it in the root of PF configuration.
This is not a trick. Creating Murus group and using the corresponding PF tables in custom rules is really the best approach. :)

Also, when brute force protection is on, IPs are blocked, but how? Are they only blocked in memory, or for a certain time? They are not added to the "blocked clients" group, and after a few restarts of Murus it seems like the ban is lifted?
Bruteforce protection in Murus uses a dedicated PF table in /murus.inbound anchor named <bruteforce>. All inbound traffic from <bruteforce> PF table is blocked by a Murus hardcoded rule (the first rule in that anchor).
The table is persistent, and it should be active until system restart. However there is an option in Murus Preferences to automatically remove brute force bans after a fixed period of time (this means that the table is flushed every now and then, and all addresses are unblocked simultaneously). If this option is disabled and the Mac is not restarted then bruteforcing IP addresses should stay on that PF table.
You can check the runtime content of the <bruteforce> PF table using Murus Browser. You'll find it in the /murus.inbound anchor, not in the PF root.

davecotter
Posts: 5
Joined: Wed Feb 01, 2017 9:18 pm

Re: There's a black list, but is there a white list...?

Post by davecotter » Wed Feb 01, 2017 9:20 pm

Will a whitelist created in such a way work with the "Adaptive Firewall"? I.e.: if I try to log in from an address within the LAN (which is whitelisted), and it fails too many times, will I still be locked out if I have the Adaptive Firewall turned on? Or will this whitelisted address group allow me to keep trying?

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: There's a black list, but is there a white list...?

Post by hany » Fri Feb 10, 2017 6:03 pm

A custom rule is put at the end of the Murus ruleset, thus it overrides all previous rules.
A connection from a whitelisted IP will match BOTH the "adaptive" pass rule and the "custom" pass rule. However, the custom rule is at the end, so it will be the final matching one. Whitelisted connections will not trigger any adaptive count, so you will never be locked out.
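The following is an added toy model of the PF evaluation semantics behind this answer and behind hany's earlier recipe (Murus group, its dedicated PF table, a custom rule that references the table as <whitelist>). It is example code written for this thread, not Murus code and not anything hany posted. PF evaluates rules in order and the last matching rule wins, unless a matching rule carries "quick", which ends evaluation on the spot. The table contents, the ports on the adaptive rule, the failure threshold, and the assumption that the hardcoded <bruteforce> block rule is a "quick" rule are all constructed for the example; the thread does not state those details.

```python
"""Toy model of PF rule evaluation: last match wins, 'quick' stops evaluation.
Constructed example for the Murus forum thread; not Murus code."""
import copy
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool                  # PF 'quick': a match is final
    proto: Optional[frozenset]   # None = any protocol
    src: str                     # "any", a CIDR/IP, or a PF table reference like "<whitelist>"
    dports: Optional[frozenset]  # None = any destination port
    label: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def src_matches(rule_src: str, pkt_src: str, tables: dict) -> bool:
    """Resolve 'any', a literal network, or a <table> reference against the packet source."""
    if rule_src == "any":
        return True
    addr = ipaddress.ip_address(pkt_src)
    if rule_src.startswith("<") and rule_src.endswith(">"):
        nets = tables.get(rule_src[1:-1], ())   # runtime content of the PF table
    else:
        nets = (rule_src,)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, pkt: Packet, tables: dict, default="pass"):
    """PF semantics: walk every rule in order; the LAST matching rule decides,
    except that a matching 'quick' rule is final and evaluation stops there."""
    winner = None
    for r in rules:
        if r.proto is not None and pkt.proto not in r.proto:
            continue
        if r.dports is not None and pkt.dport not in r.dports:
            continue
        if not src_matches(r.src, pkt.src, tables):
            continue
        winner = r
        if r.quick:
            break
    return (winner.action, winner.label) if winner else (default, "default")


# Ruleset in the order the thread describes: the hardcoded <bruteforce> block first,
# then the adaptive pass rule, then the custom whitelist rule appended at the end.
# 'quick' on the hardcoded block is an assumption made for this example.
RULES = [
    Rule("block", True, None, "<bruteforce>", None, "hardcoded bruteforce block"),
    Rule("pass", False, frozenset({"tcp"}), "any", frozenset({22, 5900}), "adaptive pass"),
    Rule("pass", True, frozenset({"tcp", "udp"}), "<whitelist>", frozenset({22, 5900, 88}),
         "custom whitelist pass"),
]

# Constructed table contents (RFC 5737 documentation addresses).
TABLES = {
    "whitelist": ["192.0.2.0/24"],
    "bruteforce": ["203.0.113.5"],
}


def note_failed_attempt(src: str, tables: dict, counts: dict, threshold: int = 5) -> bool:
    """Model of the adaptive behaviour described in the thread: repeated failures from a
    non-whitelisted source land it in <bruteforce>; whitelisted sources are never counted.
    Returns True when this call added the source to the table."""
    if src_matches("<whitelist>", src, tables):
        return False
    counts[src] = counts.get(src, 0) + 1
    if counts[src] >= threshold and src not in tables["bruteforce"]:
        tables["bruteforce"].append(src)
        return True
    return False


def demo() -> dict:
    """Run the scenarios from the thread against a private copy of the tables."""
    tables, counts, out = copy.deepcopy(TABLES), {}, {}
    # Whitelisted LAN host on SSH: both pass rules match; the custom rule is last and wins.
    out["whitelisted"] = evaluate(RULES, Packet("tcp", "192.0.2.10", 22), tables)
    # Address already in <bruteforce>: the quick block is final, later pass rules are never reached.
    out["banned"] = evaluate(RULES, Packet("tcp", "203.0.113.5", 22), tables)
    # Same packet, but with the block rule NOT quick: the later adaptive pass becomes the last match.
    non_quick = [Rule("block", False, None, "<bruteforce>", None, "non-quick block"), RULES[1]]
    out["order_matters"] = evaluate(non_quick, Packet("tcp", "203.0.113.5", 22), tables)
    # Ten failures from the whitelisted host: never counted, so never banned.
    for _ in range(10):
        note_failed_attempt("192.0.2.10", tables, counts)
    out["whitelisted_after_failures"] = evaluate(RULES, Packet("tcp", "192.0.2.10", 22), tables)
    # Ten failures from an outside host: it lands in <bruteforce> and is blocked from then on.
    for _ in range(10):
        note_failed_attempt("198.51.100.7", tables, counts)
    out["outsider_after_failures"] = evaluate(RULES, Packet("tcp", "198.51.100.7", 22), tables)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The "order_matters" scenario is the point of hany's answer seen from the other side: a custom rule appended last overrides earlier non-quick rules only because PF keeps evaluating until the end, and an earlier "quick" rule short-circuits that. The real protection for a whitelisted host is therefore that its failures are never counted into <bruteforce> in the first place, which is what the last paragraph of the answer says.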
