Forum Replies Created

in reply to: Adaptive Firewall Rules with afctl #377550
bguillory
Participant

l008com, thanks for the insight into what was happening. I initially found this problem because afctl was removing my production firewall rules. I got entries in my /var/log/system.log like this:

[code]
Nov 18 01:33:13 mac com.apple.afctl[32862]: ip6fw: rule 12554: setsockopt(IPV6_FW_DEL): Invalid argument
[/code]

Here is the script that I came up with to work around the problem:

[code]
#!/bin/sh

# Brad Guillory 18 November 2009
# Initial Version, detects current afctl rule number and resets afctl black
# list if a threshold is breached.

#By default on Mac OS X Server 10.5 emond(8) is configured to detect repeated
#auth failures (likely a brute force attack). When it detects an attack
#emond calls afctl to temporarily blacklist (and hopefully block) that IP.
#
#This works great unless emond detects enough attacks that afctl is always
#blocking at least one IP. Because afctl in turn uses ipfw rules to block
#the blacklisted IPs, afctl needs to use firewall rule numbers to do accounting
#with ipfw. Internally ipfw rules are applied in order; afctl rules start out
#at a relatively low number (by default 1700) and "regular" rules start at
#12300. If afctl's rule numbers grow so they collide with the "regular" rules,
#afctl blacklist addresses are no longer blocked and (perhaps worse) when
#afctl goes to remove its rules it may inadvertently remove a "regular" rule,
#causing a denial of service.
#There is lots of room for rules between 1700 and 12300, but afctl rule numbers
#increment by 5 and each blacklisted address consumes multiple consecutive rules.
#
#To address this problem I have written this script to detect when the afctl
#current rule number has grown too large. When it has, it clears the afctl
#blacklist and resets afctl. (Thank you to [l008com]; he posted the method
#here: https://www.afp548.com/forum/viewtopic.php?showtopic=21220)
#

#set -x

AFCTL_SET=17
THRESHOLD=10000
#NOTE: A THRESHOLD of 10000 allows for 460 additional rules before we get
#into trouble. Because afctl is making multiple rules for each IP address
#this gets cut down to less than 50 detected incidences.
#So we should probably run AT LEAST every 30 minutes. To be safe I suggest
#running every 5 minutes.

# Highest rule number currently assigned to the afctl set. The leading "0" in
# the test below keeps the numeric comparison valid when the set is empty.
CURRENTRULE=`sudo ipfw -ST list | fgrep " set $AFCTL_SET " | cut -d' ' -f 1 | sort -n | tail -1`

if [ 0"$CURRENTRULE" -gt "$THRESHOLD" ]; then
    echo "Highest afctl rule is $CURRENTRULE, resetting afctl..."
    sudo rm /var/db/af/blacklist
    sudo ipfw delete set $AFCTL_SET
    sudo /usr/libexec/afctl
fi
[/code]
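As an added example (not bguillory's script and not part of the original post), the following shell functions do the same rule-number check over `ipfw -S list` output, but also report how many afctl slots remain before the "regular" rules at 12300 would be reached and return 0 instead of an empty string when the afctl set holds no rules. It assumes each listed rule has the layout "NNNNN set N <rule body>"; the rule list embedded below is constructed sample data, not output from a real server.

```shell
#!/bin/sh
# Added example: parse ipfw -S list output, find the highest rule number in
# the afctl set, and report the remaining headroom before the "regular" rules.
# The list below is a constructed sample (not real ipfw output); it assumes
# the "NNNNN set N <rule body>" layout that `ipfw -S list` prints.
SAMPLE_IPFW_LIST='00100 set 0 allow ip from any to any via lo0
01700 set 17 deny ip from 203.0.113.5 to any
01705 set 17 deny ip from any to 203.0.113.5
09990 set 17 deny ip from 198.51.100.7 to any
09995 set 17 deny ip from any to 198.51.100.7
12300 set 0 allow tcp from any to any dst-port 22
12302 set 0 allow tcp from any to any dst-port 80
65535 set 0 deny ip from any to any'

# highest_rule_in_set SET LIST_OUTPUT
# Prints the highest rule number whose "set N" field matches SET, or 0 when
# the set holds no rules, so callers never compare against an empty string.
highest_rule_in_set() {
    printf '%s\n' "$2" | awk -v s="$1" '
        $2 == "set" && $3 == s { n = $1 + 0; if (n > max) max = n }
        END { print max + 0 }'
}

# afctl_headroom HIGHEST REGULAR_BASE STEP
# Prints how many more rules STEP apart (afctl uses 5) fit between HIGHEST
# and the first "regular" rule number REGULAR_BASE.
afctl_headroom() {
    echo $(( ($2 - $1) / $3 ))
}

# needs_reset HIGHEST THRESHOLD
# Succeeds (exit 0) when HIGHEST exceeds THRESHOLD, i.e. when the blacklist
# should be cleared and afctl re-run, as the script above does.
needs_reset() {
    [ "$1" -gt "$2" ]
}

# Stand-alone demonstration over the constructed sample. On a real server,
# pass "$(sudo ipfw -S list)" as the second argument instead.
AFCTL_SET=17
REGULAR_BASE=12300
RULE_STEP=5
THRESHOLD=10000

highest=$(highest_rule_in_set "$AFCTL_SET" "$SAMPLE_IPFW_LIST")
echo "Highest afctl rule in set $AFCTL_SET: $highest"
echo "afctl rule slots left before $REGULAR_BASE: $(afctl_headroom "$highest" "$REGULAR_BASE" "$RULE_STEP")"
if needs_reset "$highest" "$THRESHOLD"; then
    echo "Above threshold $THRESHOLD: clear /var/db/af/blacklist, delete set $AFCTL_SET, re-run /usr/libexec/afctl"
else
    echo "Below threshold $THRESHOLD: nothing to do"
fi
```

The headroom figure is the one to watch in a log or monitoring check: with the threshold at 10000 and rules 5 apart it matches the 460 spare rules noted in the script's comments, and because afctl adds several rules per blacklisted address, the number of addresses that still fit is a fraction of that.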
