Crowdsec not showing blocks in logs after update to 25.1 #4511

Open
julsssark opened this issue Jan 30, 2025 · 7 comments

@julsssark

julsssark commented Jan 30, 2025


Describe the bug
Crowdsec was working fine under 24.7.12. After upgrading to 25.1, Crowdsec block rules are not showing up in my firewall syslog nor are they showing up in the live view. Crowdsec and firewall bouncer status both have a green check. I just saw an Alert that an IP was banned a few hours ago. Perhaps the blocks are still happening but they are just not being reported/captured by the logs?

To Reproduce
Steps to reproduce the behavior:

  1. Confirm Crowdsec is running under 24.7.12 and blocks are visible in the live view.
  2. Upgrade to 25.1
  3. Check live view and note that Crowdsec blocks are no longer being reported

Expected behavior
Syslogs and live view should display the Crowdsec rule/name for the Crowdsec blocked traffic

OPNsense 25.1 (amd64)
Protectli FW4B

@Monviech
Member

I saw this in my rules.debug log today, maybe related

> #debug:Unable to convert address, see from for details
> # block in log quick inet from "$crowdsec_blacklists" to {any} tag crowdsec label "26f03fe91d0ddd12bcd5b3afdab61031" # CrowdSec (IPv4)
> #debug:Unable to convert address, see from for details
> # block in log quick inet6 from "$crowdsec6_blacklists" to {any} tag crowdsec label "bac4a0aff3ee62fcf2921b0f0011628d" # CrowdSec (IPv6)

@AdSchellevis
Member

likely fixed with the removal of the dollar sign in front of the from

'from' => '$crowdsec_blacklists', # $ to reference an alias

'from' => '$crowdsec6_blacklists', # $ to reference an alias

@cookiemonsteruk

Nice find @Monviech @AdSchellevis
Only trouble with the Crowdsec plugin is that to my knowledge, the crowdsec team might not be alerted to these reports.
They might not be automatically alerted.
I'm tagging @mmetc @buixor . Hopefully that will help.

@TommyC81

TommyC81 commented Feb 3, 2025

Having the same issue.

@julsssark
Author

julsssark commented Feb 3, 2025

As someone else suggested on the OPNsense forum, a workaround is to create a manual firewall rule on the WAN interface that blocks the CrowdSec list (i.e., re-create the auto-generated floating CrowdSec rule on your WAN interface).

@mmetc
Contributor

mmetc commented Feb 4, 2025

This works too, until the PR is merged and released

# sed -E -i .bak 's/\$(crowdsec6?_blacklists)/<\1>/' /usr/local/etc/inc/plugins.inc.d/crowdsec.inc

@julsssark
Author

@mmetc Thank you for creating the PR! I applied your command line fix and CrowdSec is happy again
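
A read-only check for the state reported in this thread, as an added example that is not part of the original discussion and is not OPNsense or CrowdSec code: it lists rules that were written to the generated ruleset commented out under a `#debug:` marker, and previews the `sed` substitution from the workaround without editing any file. The function names are hypothetical; the sample input is the `rules.debug` excerpt quoted above.

```shell
#!/bin/sh
# Added example, not OPNsense or CrowdSec code. Function names are hypothetical.

# The rules.debug lines quoted earlier in this thread (broken state).
sample_rules_debug() {
cat <<'EOF'
#debug:Unable to convert address, see from for details
# block in log quick inet from "$crowdsec_blacklists" to {any} tag crowdsec label "26f03fe91d0ddd12bcd5b3afdab61031" # CrowdSec (IPv4)
#debug:Unable to convert address, see from for details
# block in log quick inet6 from "$crowdsec6_blacklists" to {any} tag crowdsec label "bac4a0aff3ee62fcf2921b0f0011628d" # CrowdSec (IPv6)
EOF
}

# Read a generated ruleset on stdin. Print "LINE<TAB>REASON<TAB>RULE" for each
# commented-out rule directly below a "#debug:" marker. Exit status is 1 when
# at least one such rule exists and 0 when none do.
find_disabled_rules() {
    awk '
        /^#debug:/ { marked = 1; reason = substr($0, 8); next }
        marked && /^#[ \t]*(block|pass|match)[ \t]/ {
            sub(/^#[ \t]*/, "")
            printf "%d\t%s\t%s\n", NR, reason, $0
            found = 1
        }
        { marked = 0 }
        END { exit (found ? 1 : 0) }
    '
}

# Apply the substitution from the workaround to stdin instead of a file,
# so the result can be inspected before anything is changed.
preview_fix() {
    sed -E 's/\$(crowdsec6?_blacklists)/<\1>/'
}

# Demo on the embedded sample.
if sample_rules_debug | find_disabled_rules; then
    echo "no disabled rules"
else
    echo "the rules listed above are not loaded into pf"
fi
echo "'from' => '\$crowdsec_blacklists'," | preview_fix
```

On the firewall, feed the generated ruleset to the check, for example `find_disabled_rules < /tmp/rules.debug`; that path is an assumption, since the thread does not give the file's location.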
