Folks,

I was discussing on the ports list a way of using OpenBGPd with Fastnetmon to implement bans, with BGP using RTBH. The way I had done this was to configure doas to allow _fastnetmon to run a ban script as root which would contain the line

/sbin/route -T0 exec /usr/sbin/bgpctl network add $1/32 community $ASNUMBER:666 community

or

/usr/sbin/bgpctl -s /var/run/bgpd.sock.$BGPD-RDOMAIN network add $1/32 community $ASNUMBER:666 community

However, the issue with the second method is that the bgpd socket permissions are owner root, group wheel. I have tried creating a custom socket in a directory where _fastnetmon is owner / group and that has not worked...

Is it useful / advisable to be able to configure bgpd to set custom socket permissions in the bgpd.conf as opposed to the usual root wheel option? I'm trying to get away from giving fastnetmon root privileges for the ban script in doas.conf.

I was thinking perhaps a dirty workaround is to check permissions on /var/bgpd.conf.<Rdomain> and give _fastnetmon permissions on the socket via a cron job... but I feel like I should take a shower after contemplating that.. Is there a trigger mechanism I can use after starting OpenBGPd to re-set the permissions of the socket file?

Any thoughts / advice welcome.

Thanks,
Tom Smyth

-- 
Kindest regards,
Tom Smyth.
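As an added example (not from the post above, nor OpenBGPD's or FastNetMon's own code), here is a version of the RTBH ban script described in the first method that validates its single argument before building the bgpctl command line, so the doas rule only has to grant _fastnetmon this one script and nothing else reaches bgpctl as root. The AS number, rdomain, script path and doas rule are assumptions to adapt.

```sh
#!/bin/sh
# Added example: hardened fastnetmon ban script (not the poster's code).
# Assumed doas.conf rule granting only this script (path is an assumption):
#   permit nopass _fastnetmon as root cmd /usr/local/sbin/fastnetmon-ban
ASNUMBER="${ASNUMBER:-65000}"      # assumption: your ASN for the :666 community
BGPD_RDOMAIN="${BGPD_RDOMAIN:-0}"  # assumption: rdomain bgpd runs in (-T)

# Accept only a plain dotted-quad IPv4 address with every octet <= 255, so a
# malformed or hostile argument from the caller never reaches route/bgpctl.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the exact command line for a validated address. It is returned as a
# string (not executed) so it can be logged and unit-tested without bgpd.
ban_cmd() {
    valid_ipv4 "$1" || return 1
    printf '/sbin/route -T%s exec /usr/sbin/bgpctl network add %s/32 community %s:666\n' \
        "$BGPD_RDOMAIN" "$1" "$ASNUMBER"
}

main() {
    cmd=$(ban_cmd "$1") || {
        logger -t fastnetmon-ban "refusing to ban '$1': not a valid IPv4 address"
        exit 1
    }
    logger -t fastnetmon-ban "$cmd"
    # Every word in $cmd is either a fixed path/keyword or a validated value,
    # so word-splitting the string here is safe.
    exec $cmd
}

# Only act when given an address, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```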

