From: Andrew Konstantinov
To: freebsd-security@freebsd.org
Date: Sat, 20 Nov 2004 20:22:49 -0800
Subject: Re: Importing into rc.firewal rules
Message-ID: <20041121042249.GA37865@root.kableu.com>
In-Reply-To: <20041120133048.N7533@zoraida.natserv.net>
References: <20041120133048.N7533@zoraida.natserv.net>
List-Id: Security issues [members-only posting]
User-Agent: Mutt/1.4.2.1i

On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc.
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

I don't know how strong your bond with ipfw is, but it seems like pf has
exactly what you need. For example:

#--- excerpts from pf documentation ---

Tables can also be populated from text files containing a list of IP
addresses and networks:

    table <spammers> persist file "/etc/spammers"
    block in on fxp0 from <spammers> to any

Tables can be manipulated on the fly by using pfctl(8). For instance, to
add entries to the table created above:

    # pfctl -t spammers -T add 218.70.0.0/16

#--- excerpts from pf documentation ---

If ipfw isn't a tradition in your family, you might want to consider
switching to pf for those specific needs. :)

Andrew
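The pf excerpt above shows the table being loaded from a file and extended with "pfctl -T add". What a practitioner maintaining such a list usually also wants is a check that a typo in /etc/spammers cannot break the load, and a way to resync the table with the file so entries removed from the file also leave the kernel table. The following POSIX sh script is an added example; it is not part of Andrew's message, the thread, or the pf documentation. It assumes a table named spammers, a file /etc/spammers, and a local policy that the list holds IPv4 addresses and IPv4 CIDR blocks only (pf itself would also accept hostnames and IPv6 entries; this validator rejects them deliberately). The pfctl invocation uses the documented "-T replace" action; everything else is the example's own code.

```shell
#!/bin/sh
# Added example, not from the original message or the pf docs: validate a
# pf table file (such as /etc/spammers in the excerpt above) before loading
# it, then swap the table's contents atomically with
# "pfctl -t TABLE -T replace -f FILE".
#
# Assumptions (not stated on the page): the list is IPv4-only by local
# policy, so hostnames and IPv6 entries are rejected even though pf would
# accept them. POSIX sh has no "local", so helper variables are global.

# is_ipv4_cidr ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/N with N in 0..32
is_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1; plen=32 ;;
    esac
    # prefix length: digits only, at most 32
    case $plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    # address: exactly four dotted decimal octets, each 0..255
    oldifs=$IFS
    set -f                 # no pathname expansion while splitting on '.'
    IFS=.
    set -- $addr
    IFS=$oldifs
    set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_blocklist FILE -> 0 if every entry parses; otherwise prints the
# offending lines to stderr and returns 1. Blank lines and '#' comments are
# skipped, matching what pfctl accepts in a table file.
validate_blocklist() {
    file=$1
    bad=0
    # read with the default IFS trims surrounding whitespace and splits off
    # anything after the first token; the "||" keeps a final unterminated line
    while read -r entry rest || [ -n "$entry" ]; do
        entry=${entry%%#*}              # drop an inline comment glued to the entry
        [ -n "$entry" ] || continue     # blank or comment-only line
        case $rest in
            ''|'#'*) ;;                 # nothing else on the line, or a comment
            *) printf 'bad line (extra tokens): %s %s\n' "$entry" "$rest" >&2
               bad=1; continue ;;
        esac
        if ! is_ipv4_cidr "$entry"; then
            printf 'bad entry: %s\n' "$entry" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# load_table TABLE FILE: refuse to touch pf if the file does not validate;
# otherwise "-T replace" makes the table match the file exactly (new entries
# are added, entries no longer listed are removed) in one step, so the table
# is never half-loaded and stale entries do not linger after an edit.
load_table() {
    validate_blocklist "$2" || return 1
    pfctl -t "$1" -T replace -f "$2"
}

# Usage, as root on a pf host (hypothetical invocation):
#   sh load-blocklist.sh spammers /etc/spammers
# Afterwards "pfctl -t spammers -T test 218.70.1.1" reports whether an
# address falls inside the table.
```

Run "load_table spammers /etc/spammers" from cron or from the script that appends to the file; because the validation happens first, a bad edit leaves the previously loaded table in force rather than dropping the whole blocklist.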