From: Valeri Galtsev
To: freebsd-questions@freebsd.org
Subject: Re: using tables with ipfw
Date: Wed, 9 Jun 2021 11:29:28 -0500
In-Reply-To: <24768.58462.347626.735601@jerusalem.litteratus.org>

On 6/9/21 10:55 AM, Robert Huff wrote:
>
> 	I've read the man page ... and am insufficiently enlightened.
> 	Is there a place with clear examples on how to use tables with
> ipfw?  Specifically, adding entries to a table and having the new
> values take effect?
>

I am not enlightened either, what I do is pretty simple...

This is what I do when I use ipfw tables (e.g. blocking port 25 access
from unwanted networks; my users will send from these networks via port
465 as authenticated users...):

1. I put unwanted networks into the file /usr/local/etc/xxxx.spam like:

1.0.0.0/8
26.0.0.0/8
36.16.0.0/12
49.64.0.0/11
58.208.0.0/12
59.0.0.0/8
60.0.0.0/8
106.0.0.0/8
114.224.0.0/12
# ....

2. Then I create the table and fill it with the above:

ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add

3. I have the following in my /etc/ipfw.rules:

$cmd 618 deny all from 'table(1)' to [my IP here]/32 25 in via $pif

(where $pif is the public interface defined at the beginning of ipfw.rules)

4. To re-create the table on the fly after adding a new block of addresses:

ipfw table 1 list
ipfw table 1 flush
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add
ipfw table 1 list

5. And for things to happen at the start, the /etc/ipfw.rules has the
following lines close to the beginning of the file:

# Create table
ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add

This pretty much covers all I do with tables.

Oh, I forgot one thing, you can also add to tables what sshguard
produces quite similarly, just by piping sshguard's file of IPs into a
separate table...

I hope this helps.

Valeri

> 	Respectfully,
>
> 			Robert Huff
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
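An added example, not from Valeri's post: the reload in step 4 leaves a short window between "flush" and the re-add during which the table is empty and the deny rule matches nothing. This sh script loads the list file into a scratch table and then exchanges it with the live table using `ipfw table NAME swap`, so the rule always sees either the old set or the new one. It assumes FreeBSD 11 or newer (named tables and the swap subcommand); the table name `spamnets` and the file path are constructed placeholders.

```shell
#!/bin/sh
# Reload an ipfw address table from a list file with no empty-table window.
# Assumes FreeBSD 11+ ipfw (named tables, "table NAME swap"). The table
# name and file path in the usage line are constructed placeholders, not
# values from the mailing-list post.

IPFW=${IPFW:-ipfw}   # set IPFW=echo to dry-run and just print the command sequence

# Print the usable entries of a list file: strip '#' comments and blank
# lines, keep only tokens shaped like an IPv4 address or CIDR prefix, so a
# stray comment or typo never reaches "ipfw table ... add" as an argument.
list_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Fill a scratch table, then swap it with the live table. The live table
# must already exist with the same type (addr); the rule that references it
# (e.g. "deny ... from 'table(spamnets)'") keeps matching the old set until
# the swap and the new set right after it.
reload_table() {
    table=$1; file=$2; scratch="${table}new"
    "$IPFW" table "$scratch" create type addr 2>/dev/null ||
        "$IPFW" table "$scratch" flush
    list_entries "$file" | xargs -n1 "$IPFW" table "$scratch" add
    "$IPFW" table "$table" swap "$scratch"
    "$IPFW" table "$scratch" destroy
}

# Usage: reload-table.sh TABLE FILE   (e.g. spamnets /usr/local/etc/xxxx.spam)
if [ "$#" -eq 2 ]; then
    reload_table "$1" "$2"
fi
```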