Importing into rc.firewall rules
Roger Marquis
marquis at roble.com
Mon Nov 22 12:03:13 PST 2004
Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc.
> Is there a way to have this list outside of rc.firewall and just
> read it in?
Lots of good recommendations in this thread. Our own is a customized
rc.firewall script <http://www.roble.com/docs/rc.firewall> to parse
multiple blacklist files, by IP and by port, with a little error
checking:
## Assumed defaults, not part of the original snippet: /sbin/ipfw is the
## stock FreeBSD binary; BLACKLIST must point at the base blacklist file,
## and WHITELIST is an optional egrep pattern.
: ${IPFW:=/sbin/ipfw}
: ${BLACKLIST:?set BLACKLIST to the base blacklist file}
: ${WHITELIST:=}

filterfile () {
    ## Strip comments, leading whitespace and anything after the address
    ## (the original had separate space and tab expressions here).
    for ip in `grep -hv '^#' $file | \
        sed -e 's/^[[:space:]]*//' -e 's/#.*$//' -e 's/[[:space:]].*$//' | \
        sort -u | grep -v '^$'` ; do
        if [ "`echo $ip | grep '^[1-9]'`" = "" ] || \
           [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
            echo "ERROR: $ip is not a valid IP address"
            continue
        elif [ -n "$WHITELIST" ] && [ "`echo $ip | egrep "$WHITELIST"`" != "" ]; then
            ## TO DO: better whitelist parsing.
            echo "ERROR: $ip is whitelisted"
            continue
        elif [ "$port" = "" ]; then
            ## Block IP if no port is specified.
            $IPFW add 210 deny ip from $ip to any
        elif [ "$port" = 53 ]; then
            ## Block both tcp and udp if port = DNS.
            $IPFW add 211 deny tcp from $ip to any $port
            $IPFW add 211 deny udp from $ip to any $port
        else
            ## Else: block tcp (and not udp).
            $IPFW add 212 deny tcp from $ip to any $port
        fi
    done
}

for file in `ls $BLACKLIST $BLACKLIST.[1-9]*` ; do
    if [ ! -s $file ]; then
        echo "WARNING: empty $file"
        continue
    elif [ "$file" = "$BLACKLIST" ]; then
        port=""
    else
        port="`echo $file | awk -F. '{print $NF}'`"
        ## Reject non-numeric suffixes before the arithmetic tests below.
        case "$port" in
            ''|*[!0-9]*) echo "ERROR: invalid port: $port"; continue ;;
        esac
        if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
            echo "ERROR: invalid port: $port"
            continue
        fi
    fi
    echo "PROCESSING: ${file} port: ${port}"
    filterfile $file
done
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
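Added here as an example, not Roger's rc.firewall script: the same blacklist layout (base file blocks the host outright, a .<port> suffix blocks that port, 53 gets tcp and udp) processed with strict dotted-quad validation and an exact whole-line whitelist match instead of a regex, which is the "better whitelist parsing" the TO DO above asks for. It prints the ipfw commands so they can be reviewed before being piped to sh; WHITELIST is assumed to be a file with one address per line, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not the rc.firewall from the post: emit ipfw deny rules from
# blacklist files with strict IPv4 checks and an exact-match whitelist.
# Assumes the post's layout ($BLACKLIST = block all, $BLACKLIST.<port> = block
# that port) and that $WHITELIST is a file with one address per line.
IPFW="${IPFW:-ipfw}"
# valid_ipv4 ADDR: dotted quad, digits only, exactly four octets, each 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}
# port_of FILE BASE: prints "" for BASE itself, else its numeric suffix (1-65535).
port_of() {
    [ "$1" = "$2" ] && return 0
    p=${1##*.}
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] && echo "$p"
}
# rules_for FILE PORT: one ipfw command per usable address in FILE; empty
# PORT blocks all IP, 53 blocks tcp and udp, any other port tcp only.
rules_for() {
    port=$2
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' "$1" |
    grep -v '^$' | sort -u | while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "ERROR: $ip is not a valid IP address" >&2
        elif [ -r "$WHITELIST" ] && printf '%s\n' "$ip" | grep -qxF -f "$WHITELIST"; then
            echo "ERROR: $ip is whitelisted" >&2
        elif [ -z "$port" ]; then
            echo "$IPFW add 210 deny ip from $ip to any"
        elif [ "$port" = 53 ]; then
            echo "$IPFW add 211 deny tcp from $ip to any $port"
            echo "$IPFW add 211 deny udp from $ip to any $port"
        else
            echo "$IPFW add 212 deny tcp from $ip to any $port"
        fi
    done
}
# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '# bad hosts\n203.0.113.7  # scanner\n 198.51.100.9\n999.1.1.1\n192.0.2.5\n' > "$tmp/blacklist"
printf '203.0.113.7\n' > "$tmp/blacklist.53"
printf '192.0.2.5\n' > "$tmp/whitelist"
WHITELIST=$tmp/whitelist
for f in "$tmp/blacklist" "$tmp"/blacklist.[1-9]*; do
    port=$(port_of "$f" "$tmp/blacklist") || { echo "ERROR: bad port suffix: $f" >&2; continue; }
    rules_for "$f" "$port"
done
```

An invalid port suffix skips the file instead of silently turning it into a block-everything list, which is the failure mode the original's unguarded numeric test allows.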