Date: Wed, 9 Jun 2021 11:29:28 -0500
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: using tables with ipfw
Message-ID: <bcd67208-4bc8-d9b2-917c-c15f93b4bb5c@kicp.uchicago.edu>
In-Reply-To: <24768.58462.347626.735601@jerusalem.litteratus.org>
References: <24768.58462.347626.735601@jerusalem.litteratus.org>
On 6/9/21 10:55 AM, Robert Huff wrote:
>
> I've read the man page ... and am insufficiently enlightened.
> Is there a place with clear examples on how to use tables with
> ipfw? Specifically, adding entries to a table and having the new
> values take effect?
>

I am not enlightened either; what I do is pretty simple... This is what I do when I use ipfw tables (e.g. blocking port 25 access from unwanted networks; my users will send from these networks via port 465 as authenticated users...):

1. I put unwanted networks into file /usr/local/etc/xxxx.spam like:

1.0.0.0/8
26.0.0.0/8
36.16.0.0/12
49.64.0.0/11
58.208.0.0/12
59.0.0.0/8
60.0.0.0/8
106.0.0.0/8
114.224.0.0/12
# ....

2. Then I create the table, and fill it with the above:

ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add

3. I have the following in my /etc/ipfw.rules:

$cmd 618 deny all from 'table(1)' to [my IP here]/32 25 in via $pif

(where $pif is the public interface defined at the beginning of ipfw.rules)

4. To re-create the table on the fly after adding a new block of addresses:

ipfw table 1 list
ipfw table 1 flush
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add
ipfw table 1 list

5. And for things to happen at the start, the /etc/ipfw.rules has the following lines close to the beginning of the file:

# Create table
ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add

This pretty much covers all I do with tables. Oh, I forgot one thing, you can also add to tables what sshguard produces quite similarly, just by piping sshguard's file of IPs into a separate table...

I hope this helps.
Valeri

>
> Respectfully,
>
>
> Robert Huff
>
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
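The create/flush/add workflow from steps 2, 4 and 5 above, wrapped as a small reload script. This is an added example, not code from Valeri's message: it keeps the same `ipfw table N create|flush|add` commands but first strips `#` comments and blank lines from the block file (the `# ....` line in the listing above would otherwise be handed to ipfw as an entry), drops anything that is not an IPv4 prefix, and refuses to flush a live table when the file yields no entries, so a truncated or empty file cannot silently open port 25 to everyone. The `IPFW` variable, the function names and the sample file contents are this example's own assumptions; set `IPFW=echo` to dry-run and see the commands that would be issued.

```shell
#!/bin/sh
# Reload an ipfw address table from a file of CIDR blocks (added example, not from the post).
# Assumes the "ipfw table N create / flush / add" syntax used in the message above.
# IPFW=echo turns every firewall call into a printed line for a dry run.

IPFW="${IPFW:-ipfw}"

# Print only usable entries from a block file: strip "#" comments and trailing whitespace,
# drop blank lines, then keep only lines that look like an IPv4 address or prefix.
table_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Number of usable entries, for a before/after sanity check.
table_entry_count() {
    table_entries "$1" | wc -l | tr -d ' '
}

# Rebuild table $1 from file $2: create (ignored if it already exists), flush, then add
# each clean entry, exactly as steps 2 and 4 above do. Returns 1 without touching the
# table when the file has no usable entries.
reload_table() {
    table="$1"; file="$2"
    n=$(table_entry_count "$file")
    if [ "$n" -eq 0 ]; then
        echo "no usable entries in $file, refusing to flush table $table" >&2
        return 1
    fi
    $IPFW table "$table" create 2>/dev/null || true
    $IPFW table "$table" flush
    table_entries "$file" | xargs -n1 $IPFW table "$table" add
}

# Write a constructed sample block file (same shape as /usr/local/etc/xxxx.spam above,
# plus a comment, a blank line and a junk line that must not reach ipfw).
write_sample_file() {
    printf '1.0.0.0/8\n# placeholder comment\n\n26.0.0.0/8   \nnot-an-address\n36.16.0.0/12 # trailing comment\n' > "$1"
}

# DEMO=1 ./reload-table.sh  prints the commands a dry run would issue against table 1.
if [ "${DEMO:-0}" = "1" ]; then
    sample=$(mktemp)
    write_sample_file "$sample"
    IPFW=echo reload_table 1 "$sample"
    rm -f "$sample"
fi
```

For a real reload, run `reload_table 1 /usr/local/etc/xxxx.spam` as root and compare `ipfw table 1 list` before and after, as step 4 above does; the entry count check is what tells you the file was read correctly before the old table is gone.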