Blacklist IP file for IPFW?
Andreas X
hamdi20193d at gmail.com
Mon Feb 17 16:47:45 UTC 2020
Hi again,
The rule "65500 0 0 deny ip from table(10) to any" was almost the
last rule and I suspected it, therefore I wanted to move the rule up and
changed the command to:
${FWCMD} 00350 add deny all from table\(10\) to any
(adding rule number 00350); now ipfw successfully blocks the IPs in the
table.
My question is, why didn't it block the IPs when it had rule number 65500?
(It might be the last rule, but still, it has a "deny" command... shouldn't it
do the job?)
Thank you.
Andreas X <hamdi20193d at gmail.com>, on Mon 17 Feb 2020 at 18:54,
wrote:
> Dear Tim,
>
> I applied your suggestion, however it seems IPFW doesn't ban the IP
> addresses in the list. (I've added a useless VPS IP of mine to the list to
> test it, but I could still ping the server from that IP.)
>
> Here's my script as per your suggestion:
>
> #!/bin/sh
> FWCMD="ipfw -q"
>
> # One IP address or CIDR block per line
> LISTX=/usr/local/etc/fw/banlist.txt
>
> # (Re)create the table and empty it before reloading
> ipfw table 10 create
> ipfw table 10 flush
>
> for addr in `cat ${LISTX}`
> do
> ${FWCMD} table 10 add ${addr}
> done
>
> # No rule number given, so ipfw appends the rule after the existing ones
> ${FWCMD} add deny all from table\(10\) to any
>
>
> And the `ipfw show | grep "table"` command outputs:
> "65500 0 0 deny ip from table(10) to any", so it seems the IPs are
> added. But none of them are blocked.
>
> I restarted IPFW too, and re-ran the script again, no solution.
>
> Any idea?
>
> Thank you.
>
>
> Tim Daneliuk <tundra at tundraware.com>, on Mon 17 Feb 2020 at 17:51,
> wrote:
>
>> On 2/17/20 8:36 AM, Andreas X wrote:
>> <SNIP>
>>
>> > The list dramatically grows each week. How may I create a text file so
>> > that IPFW would fetch these IPs from there directly? What's the simplest
>> > way to do this please?
>>
>>
>> Looping through a file and running an ipfw command each time gets super
>> slow as the list gets long. ipfw tables are the better way to do this:
>>
>> FWCMD="ipfw -q" # Firewall command
>> OIF=em0 # NIC to outside world
>>
>> # Address spaces we want blocked entirely are listed in this file
>> NAUGHTYFILE=/usr/local/etc/firewall/naughtyIPs
>>
>> # Use ipfw tables for efficiency
>>
>> ipfw table 10 flush
>> for addr in `cat ${NAUGHTYFILE}`
>> do
>> ${FWCMD} table 10 add ${addr}
>> done
>>
>> ${FWCMD} add deny all from table\(10\) to any via ${OIF}
>>
>> The "naughty" file can have specific IPs or CIDR blocks in it, one
>> per line:
>>
>> 95.87.0.0/18
>> 95.87.192.0/18
>> 96.246.220.34
>> 96.30.64.0/18
>> 98.143.148.107
>>
>> HTH,
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk tundra at tundraware.com
>> PGP Key: http://www.tundraware.com/PGP/
>>
>
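An added example (not the thread's own script): a POSIX sh helper that loads the banlist into an ipfw table, installs the deny rule with an explicit low rule number, and checks from `ipfw show` output that the table deny rule sits before the first general allow rule, since ipfw stops at the first matching rule. The file path, table number, rule number 350 and the sample `ipfw show` lines are assumptions and constructed input.

```shell
#!/bin/sh
# Added example, not the script from the thread. ipfw is first-match, so a deny
# appended near the end of the ruleset (e.g. 65500) is never reached once an
# earlier rule has already allowed the packet. Path, table and rule numbers
# below are assumptions.
FWCMD="ipfw -q"
TABLE=10
RULENUM=350
LISTX=${LISTX:-/usr/local/etc/fw/banlist.txt}

# Keep only lines that look like an IPv4 address or CIDR block; drop comments
# and blank lines so a stray line never turns into a malformed ipfw command.
valid_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the ipfw commands for the banlist in "$1" (dry run). Pipe into sh to
# apply. The deny rule carries an explicit low number instead of being appended.
gen_commands() {
    echo "$FWCMD table $TABLE create"
    echo "$FWCMD table $TABLE flush"
    valid_entries "$1" | while read -r addr; do
        echo "$FWCMD table $TABLE add $addr"
    done
    echo "$FWCMD add $RULENUM deny ip from table($TABLE) to any"
}

# Read `ipfw show` output on stdin; succeed only when the table deny rule has a
# lower number than the first allow rule that is not confined to lo0.
# This is a heuristic ordering check, not a full ruleset analysis.
deny_precedes_allow() {
    awk -v t="table($TABLE)" '
        /deny/ && index($0, t) && !d  { d = $1 }
        /allow/ && !/lo0/ && !a       { a = $1 }
        END { exit !(d != "" && (a == "" || d + 0 < a + 0)) }'
}

# Usage:  gen_commands "$LISTX" | sh      and      ipfw show | deny_precedes_allow
```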