[Fwd: Re: Importing into rc.firewal rules]
Ciprian BADESCU
cbadescu at aspc.cs.utt.ro
Sun Nov 21 03:16:54 PST 2004
Hi,
> On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
Infected machines, hackers, etc..
>>
>> Is there a way to have this list outside of rc.firewall and just read
it in?
>
from man ipfw
LOOKUP TABLES
Lookup tables are useful to handle large sparse address sets, typically
from a hundred to several thousands of entries. There could be 128
dif- ferent lookup tables, numbered 0 to 127.
Each entry is represented by an addr[/masklen] and will match all
addresses with base addr (specified as a dotted quad or a hostname) and
mask width of masklen bits. If masklen is not specified, it defaults
to 32. When looking up an IP address in a table, the most specific
entry will match. Associated with each entry is a 32-bit unsigned
value, which can optionally be checked by a rule matching code. When
adding an entry, if value is not specified, it defaults to 0.
An entry can be added to a table (add), removed from a table (delete),
a table can be examined (list) or flushed (flush).
Internally, each table is stored in a Radix tree, the same way as the
routing table (see route(4)).
,
and here is an example:
${fwcmd} table 0 add 82.77.156.42
${fwcmd} add deny all from table\(0\) to any via ${oif}
${fwcmd} add deny all from any to table\(0\) via ${oif}
# I know, second rule, .... it's paranoic
To set the table you could use a file /etc/badboys
and a short shell script executed before the table denying rules:
for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;
----
Ciprian Badescu
More information about the freebsd-security
mailing list