From owner-freebsd-pf@FreeBSD.ORG  Mon Oct 27 19:00:42 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2F46292B;
 Mon, 27 Oct 2014 19:00:42 +0000 (UTC)
Received: from udns.ultimatedns.net (unknown
 [IPv6:2602:d1:b4d6:e600:4261:86ff:fef6:aa2a])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id EAF6A226;
 Mon, 27 Oct 2014 19:00:41 +0000 (UTC)
Received: from ultimatedns.net (localhost [127.0.0.1])
 by udns.ultimatedns.net (8.14.9/8.14.9) with ESMTP id s9RJ1vfI066674;
 Mon, 27 Oct 2014 12:01:57 -0700 (PDT)
 (envelope-from bsd-lists@bsdforge.com)
To: Cristiano Deana <cristiano.deana@gmail.com>,
 Gary Palmer <gpalmer@freebsd.org>
In-Reply-To: <20141027163743.GC6851@in-addr.com>
References: <CBA35483CE5B4D4B804BF128A77A61650E9A16A7@HIKAWSEXMB02.ad.harman.com>
 <20141027162433.GB6851@in-addr.com>
 <CAO82ECEWOYTFSqHn9q1BzKBazvJgm_9atbh-EXfVSQamN4Pi1g@mail.gmail.com>,
 <20141027163743.GC6851@in-addr.com>
From: "Chris H" <bsd-lists@bsdforge.com>
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 12:01:57 -0700
Content-Type: text/plain; charset=UTF-8; format=fixed
MIME-Version: 1.0
Message-id: <b99cf0df1008e81bc19808548f1f3b88@ultimatedns.net>
Content-Transfer-Encoding: 8bit
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 19:00:42 -0000

On Mon, 27 Oct 2014 16:37:43 +0000 Gary Palmer <gpalmer@freebsd.org> wrote

> On Mon, Oct 27, 2014 at 05:30:57PM +0100, Cristiano Deana wrote:
> > On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
> > 
> > Hi
> > 
> > >> For example, I need to block only 100 IPs in the range:
> > >> 10.0.0.1-10.0.0.100 > 
> > > tables?
> > >
> > > you can do things like
> > >
> > > table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
> > > block in quick log on $ext_if_ipv4 from <blocked_hosts> to any
> > 
> > I'm adding the fast way to build the file:
> > 
> > sh -c 'for ip in 'jot 100 1 100'; do echo 10.0.0.$ip >>
> > /etc/pf/blocked_hosts.table; done'
> 
> You can also make it a bit more efficient and use a few CIDR networks.  To
> cover 10.0.0.1-10.0.0.100 you would need.
> 
>           10.0.0.1/32
>           10.0.0.2/31
>           10.0.0.4/30
>           10.0.0.8/29
>          10.0.0.16/28
>          10.0.0.32/27
>          10.0.0.64/27
>          10.0.0.96/30
>         10.0.0.100/32
> 
> I used an ancient perl tool called 'aggis' to get the above.  There are
> probably more modern tools around.
A search against ports, or at FreshPorts for cidr will give you quite
a few useful utils for calculating /xx (CIDR) ranges. ports/net-mgmt/cidr
is just one example.

HTH

--Chris

> 
> Regards,
> 
> Gary
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"