Murus seems ***not*** to ban proactivity IP blocks!

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Post by redskate » Tue Apr 05, 2016 8:20 pm

Hello

I purchased a license of Murus firewall and configured it (intermediate) to supply a web service (80, 443). Together with that I entered, via a URL coming from my localhost, the address http://127.0.0.1/get_general_ip_blocks.php, which delivers an IP (range) list. Pressing the button "Save Proactivity Settings", Murus says "Configuration saved", hence without errors or warnings. If I go to /etc/murus/ and grep for one of these IPs, I cannot see any of these IPs anywhere. I suppose Murus is doing nothing with those IPs?

Optimistically assuming Murus has (***somehow***) that IP ban list, I then start Charles Web Proxy to monitor incoming/outgoing connections to/from my web server, and I start two terminals with "tcpdump port 443" and "tcpdump port 80" respectively to see what happens.

Unfortunately Murus seems not to ban any of these IPs; malicious IPs appear nevertheless and they proceed with my web service. I would assume that once the ban IP list is set inside Murus (and saved), the IPs are banned ... but they are not! Why? Of course I started Murus ;))

Please take into account that I am using Murus because I am a novice in this field, and I use Murus as a (great) help in setting up my future NAT firewall.
I do need to process large lists of banned IPs! Before I switch to native fwctl ...

Thank you in advance

Regards

hany
Posts: 479
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by hany » Tue Apr 05, 2016 10:03 pm

Hello,

To verify whether Murus has loaded the IP list, please open the Murus PF rules browser and check the content of the PF table "_threats" in the PF root.
If the table is empty, it means Murus was not able to parse the list. Ideally you should make a list of IP addresses and/or CIDRs separated by newlines (\n).

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Tue Apr 05, 2016 10:20 pm

Hello

So you mean that when the software parses the IP blocks it silently says nothing, even in the case an error occurred? (very helpful indeed)

I opened the PF rules browser but I found no file _threat .... and on the file system I found nothing ... with that name. Where is the PF root, please?

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Tue Apr 05, 2016 10:23 pm

Just another hint:

I repeated that same action using the provided address http://rules.emergingthreats.net/fwrule ... ck-IPs.txt

Same outcome: No threat tables visible...

hany
Posts: 479
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by hany » Wed Apr 06, 2016 11:52 am

> So you mean that when the software parses the IP blocks it silently says nothing, even in the case an error occurred?

Murus does not parse anything; everything is done by an independent launchd item and a bash script. If the script does not find any IP in the list (or finds an unreadable list), it simply returns an empty list.

> (very helpful indeed)

The Murus runtime PF rules browser is there for a reason. You have to check the runtime rules in order to verify your PF rules, tables and settings, especially if you expect your firewall to be configured using remote resources obtained from an unknown PHP page.

> I opened the PF rules browser but I found no file _threat

"_threats" is not a file, it is a PF table. There is no corresponding file on your filesystem for that table. It is a list of addresses loaded at runtime. You should see it in the right column of the Murus PF rules browser. Select it and click the magnifier to display its contents. You can find much more information about PF tables (and how Murus uses them) in both the Murus online manual and the OS X PF manual.

> I repeated that same action using the provided address http://rules.emergingthreats.net/fwrule ... ck-IPs.txt
>
> Same outcome: No threat tables visible...

If the PF table is not there, then you just have to correctly "update" your Murus settings, recreating the plist file and the bash script file I mentioned before.
That's really easy to do: just deselect the ban list option in Preferences -> Proactivity and click "Save proactivity settings". Then re-check the option and re-click "Save proactivity settings". Click PLAY in the Murus toolbar; now you should see your "_threats" PF table.

If you know bash, then you can manually modify the script in /etc/murus.updatethreats.sh to suit your needs; just be sure to never click "Save proactivity settings" again, or your manually edited script will be overridden.

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Wed Apr 06, 2016 12:08 pm

Thank you hany,

meanwhile I studied the first part of the pf manual and now I can figure out what to do. I am under pressure but this should be.
I could manage to see the blocking rule activated and the ip loaded into that _threats table directly from pfctl.

So, the problem is on my side - I have to ensure the correct syntax of the IP/Ranges before loading.

(this thread can be closed)

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Wed Apr 06, 2016 2:07 pm

Hi hany

I must ask you quickly another question:

I am doing all the work of cleaning the addresses which (you say) are not read by the proactivity window.

Murus is just a GUI, a frontend. But this does not help me much if I cannot at least see what commands Murus sends to pfctl when I change things in Murus. Maybe this is possible (I know it is possible), I mean visible in some log? Otherwise Murus is hiding ... ?

My concrete problem again with the proactivity panel: I give there a URL of a PHP script which generates an IP list (since I need to debug the process of renewing blocking IPs). In the list there is just one IP, therefore SIMPLE, not a block. Then I press save. Murus says "config ok"; then I try to see with pfctl the content of _threats, and I see the old content .... so in some way I omit some steps? I expect to see a new list of threat IPs each time I enter a new URL there (2 minutes reload time for debug purposes).

When is Murus loading these ip blocks into the table _threats ??? Why does Murus not update _threats? I even restarted Murus PF....

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Wed Apr 06, 2016 2:33 pm

... and what I really do not understand is why

when I give to the proactivity panel a url to a content which is exactly same as under rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt the ip blocks are set

while when I reduce in the same file the number of IP blocks to ... say 10 ... the 10 are not inserted!

Of course I kill the table before I check

... very un-intuitive behaviour ...

I would be glad if you could help me in short time, since I am a little under pressure, thank you

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by redskate » Wed Apr 06, 2016 3:12 pm

Hi Hany

At this point it seems to me that the work of Murus is a little bit hidden, so I have the impression I have to realise this mechanism of updating threat tables by myself.

Of course I would like to preserve Murus...

How can I use this mechanism (adding/updating a table for my own threats) while preserving the nice functionalities of Murus?

I have seen that Murus once started deletes all firewall rules .... in order to put the own ones...

hany
Posts: 479
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus seems ***not*** to ban proactivity IP blocks!

Post by hany » Wed Apr 06, 2016 8:09 pm

Murus needs some time to get used to its functions. I suggest you have a look at the documentation, video tutorials and presets.

> How can I use this mechanism (adding/updating a table for my own threats) while preserving the nice functionalities of Murus?

The mechanism is completely independent from Murus. You can leave the option unchecked in Murus and manage the list manually.
You can use whatever system you want to load/update/parse the IP list. The only important thing is that you must add those IP addresses to a runtime PF table. This PF table must be named "_threats" and must be placed in the PF root (main anchor), the same place where Murus puts it if you enable the option.
Murus automatically blocks all traffic from/to IP addresses contained in this table.
You can use /etc/murus.updatethreats.sh as an example for your own script.
There are other ways to manage IP lists in Murus, for example managing groups and the black list. Please see the documentation for more info.
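Added example, not Murus' own /etc/murus.updatethreats.sh and not code posted by either participant: a small bash script that does what hany describes in the two replies above (fetch a newline-separated IP/CIDR list, load it into the runtime PF table "_threats" in the root anchor), and that also addresses redskate's empty-table problem by validating each line first and reporting what it rejected instead of silently producing an empty list. The URL default reuses the localhost PHP address from the first post; the sample list, the /tmp work path and the IPv4-only filter are assumptions made for this illustration (PF tables also accept IPv6, which this filter deliberately drops). Loading the table requires root and a ruleset that already declares `table <_threats>`, which Murus does.

```bash
#!/bin/bash
# Added example (not Murus' script): fetch a ban list, keep only syntactically
# valid IPv4 addresses/CIDRs, report rejected lines, then load the result into
# the runtime PF table "_threats" with pfctl. Paths and sample data are constructed.

LIST_URL="${LIST_URL:-http://127.0.0.1/get_general_ip_blocks.php}"  # URL from the thread
TABLE="_threats"                 # table name Murus blocks on, in the root anchor
WORK="${WORK:-/tmp/threats.$$}"  # assumed scratch path

# valid_ipv4_cidr ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/N with octets 0-255, N 0-32
valid_ipv4_cidr() {
    local entry="$1" ip prefix o
    local ip_re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    local pfx_re='^[0-9]{1,2}$'
    case "$entry" in
        */*) ip="${entry%/*}"; prefix="${entry#*/}" ;;
        *)   ip="$entry";      prefix=32 ;;
    esac
    [[ $prefix =~ $pfx_re ]] || return 1
    [ "$prefix" -le 32 ]     || return 1
    [[ $ip =~ $ip_re ]]      || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_list IN OUT -> writes valid entries to OUT one per line (comments, blank
# lines and CRLF tolerated), rejected lines go to stderr, prints "kept rejected"
filter_list() {
    local in="$1" out="$2" line kept=0 rejected=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"            # strip trailing comments
        line="${line//$'\r'/}"        # tolerate CRLF line endings
        line="${line//[[:space:]]/}"  # drop stray whitespace
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            printf '%s\n' "$line" >> "$out"; kept=$((kept + 1))
        else
            printf 'rejected: %s\n' "$line" >&2; rejected=$((rejected + 1))
        fi
    done < "$in"
    printf '%s %s\n' "$kept" "$rejected"
}

# load_table FILE -> atomically replace the table contents, then print the count
# pfctl reports, so an empty table is visible immediately (needs root)
load_table() {
    local file="$1"
    pfctl -t "$TABLE" -T replace -f "$file" && pfctl -t "$TABLE" -T show | wc -l
}

main() {
    # Fetch the list; fall back to a constructed sample so the script runs offline.
    if ! curl -fsSL --max-time 10 "$LIST_URL" -o "$WORK.raw" 2>/dev/null; then
        cat > "$WORK.raw" <<'EOF'
# constructed sample ban list (not real threat data)
10.0.0.0/8
192.0.2.7
198.51.100.0/24
203.0.113.300     # bad octet
2001:db8::/32     # IPv6, dropped by this IPv4-only filter
banana
EOF
    fi
    read -r kept rejected < <(filter_list "$WORK.raw" "$WORK.clean")
    echo "kept $kept entries, rejected $rejected (see stderr)"
    if [ "$kept" -eq 0 ]; then
        echo "refusing to load an empty list into $TABLE" >&2; exit 1
    fi
    if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        echo "$TABLE now holds $(load_table "$WORK.clean") entries"
    else
        echo "pfctl not available or not root; cleaned list is in $WORK.clean"
    fi
}

if [ "${RUN_MAIN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as root with `RUN_MAIN=1 LIST_URL=... bash threats.sh`; the "kept/rejected" line tells you whether the list parsed before anything touches PF, and `pfctl -t _threats -T show` afterwards is the same check hany points to in the rules browser. Refusing to load an empty list is the deliberate difference from a script that silently replaces the table with nothing.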
