Importing into rc.firewall rules
Ciprian BADESCU
cbadescu at aspc.cs.utt.ro
Wed Nov 24 01:21:13 PST 2004
> Francisco Reyes wrote:
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
>> Infected machines, hackers, etc..
>> Is there a way to have this list outside of rc.firewall and just
>> read it in?
I've got another idea (the table structure is faster, so it should be
used) of what should be put in /etc/rc.firewall:
awk -v ipfw="${ipfw}" '{print ipfw " table n add " $0}' /etc/badusers.txt | sh
Just be sure that awk is in your PATH, or use an absolute path.
>
> Lots of good recommendation in this thread. Our own is a customized
> rc.firewall script <http://www.roble.com/docs/rc.firewall> to parse
> multiple blacklist files, by IP and by port, with a little error
> checking:
>
> filterfile () {
>     for ip in `grep -hv '^#' $file | \
>         sed -e 's/^[[:space:]]*//' -e 's/#.*$//' -e 's/[[:space:]].*$//' | \
>         sort -u | grep -v '^$'` ; do
>         if [ "`echo $ip | grep '^[1-9]'`" = "" ] || \
>            [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
>             echo "ERROR: $ip is not a valid IP address"
>             continue
>         elif [ "`echo $ip | egrep $WHITELIST`" != "" ]; then
>             ## TO DO: better whitelist parsing.
>             echo "ERROR: $ip is whitelisted"
>             continue
>         elif [ "$port" = "" ]; then
>             ## Block IP if no port is specified.
>             $IPFW add 210 deny ip from $ip to any
>         elif [ "$port" = 53 ]; then
>             ## Block both tcp and udp if port = DNS.
>             $IPFW add 211 deny tcp from $ip to any $port
>             $IPFW add 211 deny udp from $ip to any $port
>         else
>             ## Else: block tcp (and not udp).
>             $IPFW add 212 deny tcp from $ip to any $port
>         fi
>     done
> }
> for file in `ls $BLACKLIST $BLACKLIST.[1-9]*` ; do
>     if [ ! -s $file ]; then
>         echo "WARNING: empty $file"
>         continue
>     elif [ "$file" = "$BLACKLIST" ]; then
>         port=""
>     else
>         port="`echo $file | awk -F. '{print $NF}'`"
>         if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
>             echo "ERROR: invalid port: $port"
>             continue
>         fi
>     fi
>     echo "PROCESSING: ${file} port: ${port}"
>     filterfile $file
> done
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
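Added example, not code from either poster: it combines the two suggestions above, loading a blacklist file into an ipfw table (one rule referencing the table instead of one rule per address) while keeping the per-line validation and whitelist check that the quoted script does by hand. The ipfw path, the table number, the file layout (one address per line, "#" comments, anything after whitespace ignored) and the sample input are all assumptions constructed for this example; it prints the ipfw commands rather than running them, so the result can be reviewed before touching the firewall.

```shell
#!/bin/sh
# Example script (not from the original thread). Emits "ipfw table N add"
# commands for every valid, non-whitelisted address in a blacklist file.
# IPFW path and table number are assumptions; override with the environment.

IPFW=${IPFW:-/sbin/ipfw}

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
# Runs in a subshell so changing IFS does not leak into the caller.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, bad dots
    esac
    IFS=.
    set -- $1                                # split on dots
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# clean_list FILE: strip "#" comments, leading blanks and anything after the
# first whitespace; drop empty lines; collapse duplicates.
clean_list() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' "$1" |
        grep -v '^$' | sort -u
}

# whitelisted ADDR WHITELIST: succeed if ADDR is listed, as an exact line match
# (the quoted script's egrep on $WHITELIST would treat "10.0.0.1" as a regex).
whitelisted() {
    clean_list "$2" | grep -qxF "$1"
}

# table_cmds BLACKLIST WHITELIST TABLE: print one ipfw command per accepted
# address on stdout; rejected and whitelisted entries are reported on stderr.
table_cmds() {
    bl=$1; wl=$2; tbl=$3
    for ip in $(clean_list "$bl"); do
        if ! valid_ipv4 "$ip"; then
            echo "ERROR: $ip is not a valid IP address" >&2
        elif whitelisted "$ip" "$wl"; then
            echo "SKIP: $ip is whitelisted" >&2
        else
            echo "$IPFW table $tbl add $ip"
        fi
    done
}

# demo: constructed sample blacklist and whitelist (not real data) in a temp dir.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/badusers.txt" <<'EOF'
# hosts seen scanning (constructed sample)
192.0.2.10        # scanner
198.51.100.7
203.0.113.9 bruteforce
256.1.1.1         # invalid octet, rejected
evil.example.com  # hostnames are not accepted
192.0.2.10        # duplicate, collapsed by sort -u
EOF
    printf '198.51.100.7\n' > "$dir/whitelist.txt"
    table_cmds "$dir/badusers.txt" "$dir/whitelist.txt" 1
    rm -rf "$dir"
}

demo
```

Run as-is to see the generated commands; once the output looks right, pipe `table_cmds /etc/badusers.txt /etc/whitelist.txt 1 | sh` from rc.firewall and reference the table from a single rule such as `$IPFW add 210 deny ip from table\(1\) to any`. The validator only accepts plain dotted quads; if the file is allowed to carry CIDR prefixes (which ipfw tables do accept), the check needs a separate branch for the "/masklen" suffix.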