From: "Cordula's Web"
Reply-To: cpghost@cordula.ws
To: grant@thenetnow.com
cc: freebsd-questions@freebsd.org
Date: Wed, 26 Nov 2003 01:58:56 +0100 (CET)
Subject: Re: Block IP

> Can I block a certain IP address at the machine or interface level using
> freebsd? (Not at the Apache or Sendmail level).

Quick and dirty fix:

  # route add 1.2.3.4 127.0.0.1

All ACKs to 1.2.3.4 would not be able to reach their destination,
and no TCP connections could be established this way. Moreover,
no UDP or ICMP packets would reach the blocked IP address.

You can also block a whole subnet this way.

The real solution is to enable a firewall at the interface level,
or perhaps even add an ACL on your router (if you control your upstream
router).

-- 
Cordula's Web. http://www.cordula.ws/
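
The two approaches in the reply above, as an added example that is not part of the original message: a POSIX sh script that validates the target and prints, for review, the null route next to equivalent ipfw deny rules. The ipfw rules, the rule number 1000, the function names and the sample addresses are assumptions, not from the post.

```sh
#!/bin/sh
# Added example: print, for review, the commands that block one IPv4 host or
# subnet. Nothing is executed. RULE_NUM is an assumed ipfw rule number.
RULE_NUM=${RULE_NUM:-1000}

# valid_target ADDR[/LEN]: accept only a dotted-quad IPv4 address (octets
# 0-255) with an optional prefix length 0-32, so no other text reaches a
# root shell.
valid_target() {
    addr=${1%%/*}
    case $1 in
        */*) len=${1#*/} ;;
        *)   len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_cmds TARGET: print the null route from the message, then ipfw rules.
block_cmds() {
    valid_target "$1" || { echo "invalid IPv4 target: $1" >&2; return 1; }
    case $1 in
        */*) kind=-net ;;
        *)   kind=-host ;;
    esac
    # Null route: replies to TARGET go to loopback and never leave the host.
    echo "route add $kind $1 127.0.0.1"
    # Firewall: drop packets from TARGET on arrival, and packets to TARGET.
    echo "ipfw add $RULE_NUM deny ip from $1 to any"
    echo "ipfw add $RULE_NUM deny ip from any to $1"
}

# Constructed sample targets (documentation ranges, not from the post).
for target in 192.0.2.10 198.51.100.0/24; do
    block_cmds "$target"
done
```

On FreeBSD, ipfw's final rule 65535 denies all traffic unless the kernel was built to default to accept, so enable the firewall from the console or with an allow rule for your own session already in place.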