From owner-freebsd-security@FreeBSD.ORG  Mon Nov 22 20:03:13 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 67B5716A4CE
	for <freebsd-security@freebsd.org>;
	Mon, 22 Nov 2004 20:03:13 +0000 (GMT)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1BBBA43D1F
	for <freebsd-security@freebsd.org>;
	Mon, 22 Nov 2004 20:03:13 +0000 (GMT)
	(envelope-from marquis@roble.com)
Received: from localhost (localhost [127.0.0.1])
	by mx5.roble.com (Postfix) with ESMTP id 708B52BC0F
	for <freebsd-security@freebsd.org>;
	Mon, 22 Nov 2004 12:03:12 -0800 (PST)
Date: Mon, 22 Nov 2004 12:03:12 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
In-Reply-To: <20041122120146.5292416A4CF@hub.freebsd.org>
References: <20041122120146.5292416A4CF@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <20041122200312.708B52BC0F@mx5.roble.com>
Subject: Re: Importing into rc.firewal rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Nov 2004 20:03:13 -0000

Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
> Is there a way to have this list outside of rc.firewall and just
> read it in?

Lots of good recommendation in this thread.  Our own is a customized
rc.firewall script <http://www.roble.com/docs/rc.firewall> to parse
multiple blacklist files, by IP and by port, with a little error
checking:

  filterfile () {
      for ip in `grep -hv '^#' $file | \
      sed -e 's/^ *//' -e 's/^    *//' -e 's/#.*$//' -e 's/ .*$//' -e 's/    .*$//' | \
      sort -u | grep -v '^$'` ; do
          if [ "`echo $ip | grep ^[1-9]`" = "" ] || \
             [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
              echo "ERROR: $ip is not a valid IP address"
              continue
          elif [ "`echo $ip|egrep $WHITELIST`" != "" ]; then
              ## TO DO: better whitelist parsing.
              echo "ERROR: $ip is whitelisted"
              continue
          elif [ "$port" = "" ]; then
              ## Block IP if no port is specified.
              $IPFW add 210 deny ip from $ip to any
          elif [ $port = 53 ]; then
              ## Block both tcp and udp if port = DNS.
              $IPFW add 211 deny tcp from $ip to any $port
              $IPFW add 211 deny udp from $ip to any $port
          else
              ## Else: block tcp (and not udp).
              $IPFW add 212 deny tcp from $ip to any $port
          fi
      done
  }
  for file in `ls $BLACKLIST $BLACKLIST.[1-9]*` ; do
      if [ ! -s $file ]; then
          echo "WARNING: empty $file"
          continue
      elif [ "$file" = "$BLACKLIST" ]; then
          port=""
      else
          port="`echo $file | awk -F. '{print $NF}'`"
          if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
              echo "ERROR: invalid port: $port"
              continue
          fi
      fi
      echo "PROCESSING: ${file} port: ${port}"
      filterfile $file
  done

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/