From owner-freebsd-bugs@FreeBSD.ORG Fri Feb 22 10:10:02 2013
Return-Path:
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 727AA82A for ; Fri, 22 Feb 2013 10:10:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 58E7A30B for ; Fri, 22 Feb 2013 10:10:02 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r1MAA2Vn082127 for ; Fri, 22 Feb 2013 10:10:02 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r1MAA2l7082126; Fri, 22 Feb 2013 10:10:02 GMT (envelope-from gnats)
Resent-Date: Fri, 22 Feb 2013 10:10:02 GMT
Resent-Message-Id: <201302221010.r1MAA2l7082126@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Noor Dawod
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B8292750 for ; Fri, 22 Feb 2013 09:59:58 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 92FFD2B1 for ; Fri, 22 Feb 2013 09:59:58 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r1M9xw5I084740 for ; Fri, 22 Feb 2013 09:59:58 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.5/8.14.5/Submit) id r1M9xwXg084739; Fri, 22 Feb 2013 09:59:58 GMT (envelope-from nobody)
Message-Id: <201302220959.r1M9xwXg084739@red.freebsd.org>
Date: Fri, 22 Feb 2013 09:59:58 GMT
From: Noor Dawod
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/176344: Add support for firewall deny lists (workstation type)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Feb 2013 10:10:02 -0000

>Number:         176344
>Category:       misc
>Synopsis:       Add support for firewall deny lists (workstation type)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 10:10:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Noor Dawod
>Release:        9.1-PRERELEASE Wed Nov 21 UTC 2012
>Organization:
>Environment:
FreeBSD hidden 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Wed Nov 21 08:36:35 UTC 2012 root@hidden:/usr/obj/usr/src/sys/CUSTOM amd64
>Description:
ipfw has a handy configuration section in rc.conf to ease firewalling. In the 'workstation' type, however, there is a way to allow full access for selected clients, but no way to deny it for others. The attached patches would add that support. Since lists of IPs could grow big, I've opted to use files to host the list of addresses, as opposed to writing the list in rc.conf.
>How-To-Repeat:
>Fix:
Patch attached with submission follows: --- /etc/defaults/rc.conf 2013-02-22 09:37:36.000000000 +0000 +++ /etc/defaults/rc.conf-new 2013-02-22 09:37:44.000000000 +0000
@@ -153,6 +153,11 @@ # firewall. firewall_trusted="" # List of IPs which have full access to this # host for "workstation" firewall. +firewall_denied="" # List of files containing IPv4 and/or IPv6 + # addresses that have no access to this host. +firewall_denied_rule="550" # ipfw rule number used to host all rules + # denying access to hosts listed in the files + # in $firewall_denied. firewall_logdeny="NO" # Set to YES to log default denied incoming # packets for "workstation" firewall. firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports --- /etc/rc.firewall 2012-11-21 09:08:57.000000000 +0000 +++ /etc/rc.firewall-new 2013-02-22 09:40:30.000000000 +0000 @@ -433,6 +433,12 @@ # This option can seriously degrade # the level of protection provided by # the firewall. + # firewall_denied: List of files containing IPv4 and/or + # IPv6 addresses that have no access + # to this host. + # firewall_denied_rule: ipfw rule number used to host all + # rules denying access to hosts listed + # in the files in $firewall_denied. # firewall_logdeny: Boolean (YES/NO) specifying if the # default denied packets should be # logged (in /var/log/security). 
@@ -498,6 +504,31 @@ ${fwcmd} add pass ip from $i to me done + # If specified, deny hosts from reaching this machine. + for i in ${firewall_denied} ; do + # check that file exists first. + if [ -f $i ]; then + oldIFS=$IFS + IFS=" +" + # Go over all IPs listed in the file. + for ip in `cat $i` ; do + # Block IP if first character isn't a dash. + i=${ip%${ip#?}} + if [ $i != "#" ]; then + # Cut string when first space is found. + # Practical for Postfix files and geographic + # CIDR's obtained from online sources. + ip=`echo $ip | cut -d " " -f 1` + + # Add block rule for target IP. + ${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me + fi + done + IFS=$oldIFS + fi + done + ${fwcmd} add 65000 count ip from any to any # Drop packets to ports where we don't want logging >Release-Note: >Audit-Trail: >Unformatted:
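Review bot: the `/etc/defaults/rc.conf` hunk (`@@ -153,6 +153,11 @@`) adds two new knobs but the patch does not update the rc.conf(5) manual page, and the `firewall_denied` comment says only "List of files" without the format the rc.firewall loader actually expects (one entry per line, lines starting with `#` ignored, only the first whitespace-separated field used, IPv4/IPv6 addresses or CIDR prefixes). Either state that here and in the rc.conf(5) entry, or point at the rc.firewall comment. The `firewall_denied_rule` comment should also say why 550 is the default: the neighbouring trusted-host rules are added without a number (`${fwcmd} add pass ip from $i to me`), so a fixed 550 sorts relative to them by rule number rather than by position in the script, and that ordering decides whether a host that appears both in `firewall_trusted` and in a deny file ends up blocked or allowed.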
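Review bot: the comment block added in `/etc/rc.firewall` (`@@ -433,6 +433,12 @@`) describes `firewall_denied` as files of "IPv4 and/or IPv6 addresses", but the loader it documents performs no validation: the first whitespace-separated field of every non-comment line goes straight into `${fwcmd} add ... deny ip from $ip to me`. CIDR prefixes therefore work (worth saying so), but a hostname or a stray token from a Postfix-style file is handed to ipfw as an address too, and ipfw resolves hostnames when the rule is added, which makes firewall load depend on DNS. State the accepted forms and the "first field only" rule here, and mention that a listed file that does not exist is skipped without any message.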
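Review bot: in the `@@ -498,6 +504,31 @@` hunk the comment-line test is fragile and its comment is wrong: `# Block IP if first character isn't a dash.` describes a `#` check, and `i=${ip%${ip#?}}` reuses `i`, the outer loop's file name, for the first character, so `$i` no longer names the file once the inner loop has run. `[ $i != "#" ]` is also unquoted. A line consisting only of blanks, or an indented `# comment`, passes that test and `cut` then yields an empty `$ip`, producing `${fwcmd} add 550 deny ip from  to me`, which ipfw rejects with a syntax error. Taking the first field before the test and matching on the whole value handles all of these in one place, e.g.
    ip=`echo $ip | cut -d " " -f 1`
    case "$ip" in ''|\#*) continue ;; esac
replacing the `i=` / `if` lines and leaving `$i` as the file name. Separately, `if [ -f $i ]` silently skips a listed file that is missing or misspelled, which drops the whole deny list without a trace; print a warning there so the operator notices, and quote `"$i"` and `"$ip"` throughout. Finally, `${firewall_denied_rule}` is read from rc.conf unchecked: a non-numeric value makes every `add` fail, so a numeric sanity check before the loop would give a clearer failure.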
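The loader the PR adds is the kind of parsing that is easy to get subtly wrong, so here is an added example (written for this page, not part of the PR or of FreeBSD's rc.firewall) of a stricter reader for the same deny-list file format. It assumes POSIX sh and the format the PR describes: one entry per line, `#` starts a comment, and only the first whitespace-separated field of a line is the address, so Postfix access-file lines such as `addr REJECT` work unchanged. The function names `deny_rules`, `is_ip_or_cidr` and `sample_rules` are made up for the example, the sample entries are constructed from documentation address ranges, and the rule number 550 is the PR's default. Instead of executing ipfw, `deny_rules` prints the commands it would run, so the generated rules can be inspected before they touch the ruleset.

```shell
#!/bin/sh
# Added example, not part of the PR: a stricter reader for firewall_denied
# files.  Prints the ipfw commands instead of running them.  Variable names
# in the two functions are kept distinct because sh variables are global.

# Sanity-check one entry: dotted-quad IPv4 with an optional /0-32 prefix,
# or an IPv6 literal (hex digits and colons) with an optional /0-128 prefix.
# Hostnames and Postfix keywords are refused so that nothing that would make
# ipfw do a name lookup, and no garbage, reaches the rule.  This is a syntax
# gate, not a full address parser (scoped addresses like fe80::1%em0 are
# rejected too).
is_ip_or_cidr() {
    case $1 in */) return 1 ;; esac          # "1.2.3.4/" is not a prefix
    ip=${1%/*}                               # address part
    plen=${1#"$ip"}                          # "" or "/N"
    plen=${plen#/}
    case $ip in
    *:*)                                     # IPv6 literal
        case $ip in *[!0-9a-fA-F:]*|*:::*) return 1 ;; esac
        plenmax=128 ;;
    *)                                       # IPv4 dotted quad
        case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
        tail=$ip. ; n=0
        while [ -n "$tail" ]; do             # peel one octet at a time
            octet=${tail%%.*}; tail=${tail#*.}
            [ "$octet" -le 255 ] || return 1
            n=$((n + 1))
        done
        [ "$n" -eq 4 ] || return 1
        plenmax=32 ;;
    esac
    [ -z "$plen" ] && return 0               # no prefix length given
    case $plen in *[!0-9]*) return 1 ;; esac
    [ "$plen" -le "$plenmax" ]
}

# Print one "ipfw add RULE deny ip from ADDR to me" line per valid entry.
# Missing files and rejected entries are reported on stderr rather than
# silently ignored, since a silently skipped deny list weakens the policy.
# Usage: deny_rules RULE_NUMBER FILE...
deny_rules() {
    rule=$1; shift
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "deny_rules: deny list $f not found, skipping" >&2
            continue
        fi
        # read splits on the default IFS: leading blanks are dropped and addr
        # gets the first field, so IFS never has to be changed globally.
        while read -r addr rest || [ -n "$addr" ]; do
            case $addr in ''|\#*) continue ;; esac    # blank or comment line
            if is_ip_or_cidr "$addr"; then
                printf 'ipfw add %s deny ip from %s to me\n' "$rule" "$addr"
            else
                echo "deny_rules: $f: ignoring '$addr' (not an IP address)" >&2
            fi
        done < "$f"
    done
}

# Build a constructed sample list covering the edge cases (comment, blank
# line, Postfix-style line with inline comment, indented entry, hostname,
# out-of-range prefix), run deny_rules over it plus a missing file, and
# return the generated rules.
sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# scanners seen in auth logs (constructed sample)
192.0.2.10

198.51.100.0/24   REJECT   # Postfix access-file style line
   2001:db8::/32
mail.example.net  REJECT
203.0.113.5/40
EOF
    deny_rules 550 "$f" /nonexistent/denylist.txt
    rm -f "$f"
}

sample_rules
```

Run as a script it prints three rules for the sample list and reports the hostname, the out-of-range prefix and the missing file on stderr; piping the output to `sh`, or replacing the `printf` with the `${fwcmd} add` call, would apply the rules. Validating entries before they reach ipfw matters because ipfw accepts hostnames in address positions and resolves them at rule-add time, so a stray name in a reused Postfix file would otherwise turn firewall load into a DNS-dependent step.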