From: "Chris H" <bsd-lists@bsdforge.com>
To: Cristiano Deana, Gary Palmer
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 12:01:57 -0700
In-Reply-To: <20141027163743.GC6851@in-addr.com>
References: <20141027162433.GB6851@in-addr.com>, <20141027163743.GC6851@in-addr.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, 27 Oct 2014 16:37:43 +0000 Gary Palmer wrote
> On Mon, Oct 27, 2014 at 05:30:57PM +0100, Cristiano Deana wrote:
> > On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer wrote:
> >
> > Hi
> >
> > >> For example, I need to block only 100 IPs in the range:
> > >> 10.0.0.1-10.0.0.100
> > >
> > > tables?
> > >
> > > you can do things like
> > >
> > > table persist file "/etc/pf/blocked_hosts.table"
> > > block in quick log on $ext_if_ipv4 from to any
> >
> > I'm adding the fast way to build the file:
> >
> > sh -c 'for ip in $(jot 100 1 100); do echo 10.0.0.$ip >> /etc/pf/blocked_hosts.table; done'
>
> You can also make it a bit more efficient and use a few CIDR networks. To
> cover 10.0.0.1-10.0.0.100 you would need:
>
> 10.0.0.1/32
> 10.0.0.2/31
> 10.0.0.4/30
> 10.0.0.8/29
> 10.0.0.16/28
> 10.0.0.32/27
> 10.0.0.64/27
> 10.0.0.96/30
> 10.0.0.100/32
>
> I used an ancient Perl tool called 'aggis' to get the above. There are
> probably more modern tools around.

A search against ports, or at FreshPorts, for cidr will give you quite a few useful utils for calculating /xx (CIDR) ranges. ports/net-mgmt/cidr is just one example.

HTH

--Chris

> Regards,
>
> Gary
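The thread shows two ways to feed a pf table for 10.0.0.1-10.0.0.100: one /32 per line from a jot loop, or the nine CIDR blocks that Gary got out of 'aggis'. The script below is an added example, not code from the thread, from aggis, or from the cidr port; it implements the greedy aggregation itself (largest block that is aligned on the current address and still fits inside the range), cross-checks it against the standard library, and renders the table file plus the pf.conf fragment from the thread. It goes beyond the thread in that it also handles IPv6 ranges. The table name `blocked_hosts` is an assumption (the name was lost from the quoted rules); the file path `/etc/pf/blocked_hosts.table` and the `$ext_if_ipv4` macro are the thread's own.

```python
#!/usr/bin/env python3
"""Aggregate an inclusive IP range into CIDR blocks and emit a pf table file.

Added example for the freebsd-pf thread above; not code from the thread,
from 'aggis', or from ports/net-mgmt/cidr.  Standard library only.
"""
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Greedy aggregation of the inclusive range first..last.

    At each step take the largest block that is aligned on the current
    address and does not run past `last`.  Works for IPv4 and IPv6; the
    prefix length is derived from the address family.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("mixed address families")
    if int(lo) > int(hi):
        raise ValueError("range start is after range end")
    bits = lo.max_prefixlen  # 32 for IPv4, 128 for IPv6
    a, b = int(lo), int(hi)
    blocks = []
    while a <= b:
        size = 1
        # Double the block while `a` stays aligned and the block still fits.
        while a % (size * 2) == 0 and a + size * 2 - 1 <= b:
            size *= 2
        prefix = bits - (size.bit_length() - 1)
        blocks.append(f"{type(lo)(a)}/{prefix}")
        a += size
    return blocks


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range()."""
    ref = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
    return ref == range_to_cidrs(first, last)


def pf_table_file(blocks: List[str]) -> str:
    """Render one address or network per line, the format read by
    `table <name> file "..."` and by `pfctl -t <name> -T replace -f`."""
    lines = ["# blocked hosts, one address or network per line"]
    lines += blocks
    return "\n".join(lines) + "\n"


def pf_rules(table: str, ext_if: str, path: str) -> str:
    """pf.conf fragment in the shape quoted in the thread: a persistent
    table loaded from a file, and a quick block rule on the external
    interface.  The table name is the caller's choice (assumed here)."""
    return (
        f'table <{table}> persist file "{path}"\n'
        f"block in quick log on {ext_if} from <{table}> to any\n"
    )


if __name__ == "__main__":
    # The thread's range; yields the same nine blocks Gary listed.
    blocks = range_to_cidrs("10.0.0.1", "10.0.0.100")
    print(pf_table_file(blocks))
    print(pf_rules("blocked_hosts", "$ext_if_ipv4",
                   "/etc/pf/blocked_hosts.table"))
```

Write the rendered table to /etc/pf/blocked_hosts.table, then either `pfctl -f /etc/pf.conf` or, to swap the table contents without reloading the whole ruleset, `pfctl -t blocked_hosts -T replace -f /etc/pf/blocked_hosts.table`; `pfctl -t blocked_hosts -T show` confirms what is loaded. Two practitioner notes: pf table lookups are radix-tree based, so 100 host entries versus 9 prefixes is a readability and maintenance win rather than a performance one, and the quoted rule is `block in` on one interface only, so traffic from your side to those addresses is not affected unless you add a matching `block out`.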