Date: Thu, 26 Aug 2021 14:57:47 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: ipfw Table Organization
Message-ID: <CAHu1Y73jPy_6MAsFT3CVSyQoK1cJwv=0s0DFVG-oAJOS2nrr2g@mail.gmail.com>
In-Reply-To: <25ed1e6f-fe69-5b3b-c459-00a115cfbb5e@tundraware.com>
References: <9e6cd8e2-a06e-468b-7245-d5ff13309763@tundraware.com>
 <CAHu1Y71uhG4WdfWOb-nR=DqNgr-pMOkKBTWZBdfp8NCeQSLHRw@mail.gmail.com>
 <25ed1e6f-fe69-5b3b-c459-00a115cfbb5e@tundraware.com>
On Thu, Aug 26, 2021 at 2:12 PM Tim Daneliuk via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> As I thought about this, it led to a followup question. Imagine
> I have populated a table and then run this command:
>
> ipfw add deny all from table\(10\) to any via em0
>
> If I then later update the contents of table 10, will those changes go live
> on the firewall, or is the binding of table content to firewall rules only
> relevant at the time the "add deny" is invoked?

The answer is an unequivocal yes. You can start with an empty table, and keep modifying it on the basis of events, on a cronjob, etc. The rule does the table lookup at the time of execution, and the table contents can be changing all the time.

If you have a blocklist, have a whitelist. Not kidding. For example, so many useful things don't work in AWS if you block 169.254.0.0/16 – 169.254.169.254 is the metadata service, .253 is DNS, .123 is NTP, etc.

Yes. I recommend you write that as two rules so it doesn't get matched 4 times. ;-)

ipfw add deny ip from table\(10\) to any in recv em0
# warn internal hosts
ipfw add unreach filter-prohib from any to table\(10\) out xmit em0

I fetch the full bogons list hourly. To change the table contents atomically, swap the tables – I do this:

Assumptions:

- For every table X, there is a table named X-alt. They have the same contents except when being changed.
- The database consists of .txt files in /var/db/ipfw/X/cidr (there is a /var/db/ipfw/X/src, more on that later).
- The .txt files contain entries like:

  223.247.130.195/32 4295
  223.247.153.244/32 4295
  223.247.194.119/32 4295
  2001:558:6045:52:f093:7192:8eb6:7cb7/128 4295
  2001:912:800:212::61/128 4295

  (the table arg says what file it's from, which may mean a particular blocklist)

Script:

#!/bin/sh
PATH=/etc/ipfw:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
export PATH

BASEDIR="/var/db/ipfw"

if [ $# -lt 1 ]; then
    echo "usage: ipfw-table-update <list-name>"
    exit 64
fi

LIST=$1 ; export LIST
IPFW="/sbin/ipfw -q" ; export IPFW

################################################################################
# GUSTY WINDS MAY EXIST
#
$IPFW table ${LIST} create >/dev/null 2>&1
$IPFW table ${LIST}-alt create >/dev/null 2>&1

# stop here rather than run "cat *.txt" in the wrong directory
cd "${BASEDIR}/${LIST}/cidr" || exit 1

################################################################################
# combine lists
#
# keep "addr value" from every line that is not a comment (# or -) or indented
cat *.txt | awk '/^[^ #-]/ { print $1, $2 }' > .X

################################################################################
# split into files of no more than 8192 entries
#
PFX=".${LIST}-tmp" ; export PFX
split -l 8192 .X "$PFX"

################################################################################
# swap table with table-alt, flush alt, load alt
#
$IPFW table ${LIST} swap ${LIST}-alt ; $IPFW table ${LIST}-alt flush
for f in ${PFX}* ; do
    $IPFW table ${LIST}-alt add $(cat "$f")
done

################################################################################
# repeat to load other table
#
# the second swap makes the freshly loaded -alt table live in one step;
# reloading the other copy leaves X and X-alt identical again afterwards
$IPFW table ${LIST} swap ${LIST}-alt ; $IPFW table ${LIST}-alt flush
for f in ${PFX}* ; do
    $IPFW table ${LIST}-alt add $(cat "$f")
done

rm -f ${PFX}* .X
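An added example, not part of Michael's script or of the thread: a POSIX sh guard around the same load-and-swap, so that an hourly fetch that comes back empty or truncated cannot replace a working blocklist with a near-empty table. It assumes the "addr/prefix value" .txt format and the X / X-alt table pair described above; the 90% shrink threshold and the IPFW variable (so the ipfw call can be stubbed) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: guard the table swap so that an
# empty or truncated fetch cannot replace a working blocklist.  Assumes the
# same "addr/prefix value" .txt format and the X / X-alt table pairing above.
IPFW=${IPFW:-"/sbin/ipfw -q"}

# normalize_list FILE...: print de-duplicated "addr/prefix value" pairs.
# Comments, blank lines and entries without an explicit /prefix are dropped.
normalize_list() {
    cat "$@" | awk '
        NF == 0 || /^[[:space:]]*#/ { next }   # blank or comment line
        NF >= 2 && ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ ||
                    $1 ~ /^[0-9a-fA-F:]*:[0-9a-fA-F:]*\/[0-9]+$/) {
            if (!seen[$1]++) print $1, $2
        }'
}

# shrink_ok OLD NEW PCT: fail if NEW is zero or below PCT percent of OLD.
# OLD of zero means a first load, which is always accepted.
shrink_ok() {
    [ "$2" -gt 0 ] || return 1
    [ "$1" -eq 0 ] && return 0
    [ $(( $2 * 100 )) -ge $(( $1 * $3 )) ]
}

# update_table LIST FILE...: build the new list, size-check it against the
# live table, load LIST-alt, then swap it in.  Returns 2 when the check fails.
update_table() {
    list=$1; shift
    new=$(mktemp -t ipfwlist.XXXXXX) || return 1
    normalize_list "$@" > "$new"
    newcnt=$(awk 'END { print NR }' "$new")
    oldcnt=$($IPFW table "$list" list 2>/dev/null | awk '/\// { n++ } END { print n+0 }')
    if ! shrink_ok "$oldcnt" "$newcnt" 90; then
        echo "$list: refusing to replace $oldcnt entries with $newcnt" >&2
        rm -f "$new"; return 2
    fi
    $IPFW table "$list" create >/dev/null 2>&1
    $IPFW table "$list-alt" create >/dev/null 2>&1
    $IPFW table "$list-alt" flush
    # load in batches of 2048 pairs (like the original split -l 8192); the
    # live table keeps serving until -alt is fully loaded and swapped in
    xargs -n 4096 $IPFW table "$list-alt" add < "$new"
    $IPFW table "$list" swap "$list-alt"
    # LIST-alt now holds the previous list, usable for a manual swap back
    rm -f "$new"
}
```

Run as `update_table bogons /var/db/ipfw/bogons/cidr/*.txt` from the hourly job; a refusal exits 2 and leaves the live table untouched.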