From owner-freebsd-security@FreeBSD.ORG Mon Nov 22 11:28:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03C1916A4CE for ; Mon, 22 Nov 2004 11:28:07 +0000 (GMT) Received: from aiolos.otenet.gr (aiolos.otenet.gr [195.170.0.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C98F43D1D for ; Mon, 22 Nov 2004 11:28:05 +0000 (GMT) (envelope-from keramida@linux.gr) Received: from orion.daedalusnetworks.priv (aris.bedc.ondsl.gr [62.103.39.226])iAMBS1tK010945; Mon, 22 Nov 2004 13:28:01 +0200 Received: from orion.daedalusnetworks.priv (orion [127.0.0.1]) iAMBRt5k001705; Mon, 22 Nov 2004 13:27:55 +0200 (EET) (envelope-from keramida@linux.gr) Received: (from keramida@localhost)iAMBRo8o001704; Mon, 22 Nov 2004 13:27:50 +0200 (EET) (envelope-from keramida@linux.gr) Date: Mon, 22 Nov 2004 13:27:50 +0200 From: Giorgos Keramidas To: Ciprian BADESCU Message-ID: <20041122112750.GA994@orion.daedalusnetworks.priv> References: <2274.82.77.156.141.1101035802.squirrel@82.77.156.141> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2274.82.77.156.141.1101035802.squirrel@82.77.156.141> cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: Importing into rc.firewal rules] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Nov 2004 11:28:07 -0000 On 2004-11-21 13:16, Ciprian BADESCU wrote: > > On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote: > >> I have a grown list of IPs that I am "deny ip from ###.### to any". > >> Infected machines, hackers, etc.. > >> > >> Is there a way to have this list outside of rc.firewall and just > >> read it in? > > from man ipfw > > LOOKUP TABLES > Lookup tables are useful to handle large sparse address sets, typically > from a hundred to several thousands of entries. There could be 128 > different lookup tables, numbered 0 to 127. > [...] here is an example: [...] > To set the table you could use a file /etc/badboys > and a short shell script executed before the table denying rules: > for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done; If the table is going to grow at least a few thousand entries you might hit the command line length limit. Try something like this instead: while read ipaddr ;do ${fwcmd} table 0 add "${ipaddr}" done < /etc/badhosts Getting the lines one by one can be bit slow but it's more flexible. Another good idea may be to use a custom awk script to parse the badhosts file and ``generate'' sh(1) code that is run to populate the table: badtable=0 fwcmcd="ipfw -q" awk -v fwcmd="${fwcmd}" -v tab="${badtable}" \ '! /^[ ]*#/ { printf "%s table %d add %s", fwcmd, tab, $1 }' | sh This is probably going to be a bit faster than while read ... - Giorgos