From: Michael Sierchio
Date: Thu, 26 Aug 2021 14:57:47 -0700
Subject: Re: ipfw Table Organization
To: FreeBSD Mailing List
In-Reply-To: <25ed1e6f-fe69-5b3b-c459-00a115cfbb5e@tundraware.com>
On Thu, Aug 26, 2021 at 2:12 PM Tim Daneliuk via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> As I thought about this, it led to a followup question. Imagine
> I have populated a table and then run this command:
>
> ipfw add deny all from table\(10\) to any via em0
>
> If I then later update the contents of table 10, will those changes go live
> on the firewall, or is the binding of table content to firewall rules only
> relevant at the time the "add deny" is invoked?

The answer is an unequivocal yes. You can start with an empty table, and
keep modifying it on the basis of events, on a cronjob, etc. The rule does
the table lookup at the time of execution, and the table contents can be
changing all the time.

If you have a blocklist, have a whitelist. Not kidding. For example, so many
useful things don't work in AWS if you block 169.254.0.0/16 – 169.254.169.254 is
the metadata service, .253 is DNS, .123 is NTP, etc.

Yes. I recommend you write that as two rules so it doesn't get matched 4
times. ;-)

ipfw add deny ip from table\(10\) to any in recv em0
# warn internal hosts
ipfw add unreach filter-prohib from any to table\(10\) out xmit em0

I fetch the full bogons list hourly.
To change the table contents atomically, swap the tables – I do this:

Assumptions:

- For every table X, there is a table named X-alt. They have the same
  contents except when being changed.
- The database consists of .txt files in /var/db/ipfw/X/cidr (there is a
  /var/db/ipfw/X/src, more on that later).
- The .txt files contain entries like

  223.247.130.195/32 4295
  223.247.153.244/32 4295
  223.247.194.119/32 4295
  2001:558:6045:52:f093:7192:8eb6:7cb7/128 4295
  2001:912:800:212::61/128 4295

  (the table arg says what file it's from, which may mean a particular
  blocklist)

Script:

#!/bin/sh
PATH=/etc/ipfw:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
export PATH

BASEDIR="/var/db/ipfw"

if [ $# -lt 1 ]; then
    echo "usage: ipfw-table-update LIST"
    exit 64
fi

LIST=$1 ; export LIST
IPFW="/sbin/ipfw -q" ; export IPFW

################################################################################
# GUSTY WINDS MAY EXIST
#
# create both tables if they do not exist yet (errors are ignored)
$IPFW table ${LIST} create >/dev/null 2>&1
$IPFW table ${LIST}-alt create >/dev/null 2>&1

# stop here if the list directory is missing, instead of working in the
# wrong directory
cd ${BASEDIR}/${LIST}/cidr || exit 1

################################################################################
# combine lists: keep "prefix value" pairs, skip comment, blank and
# indented lines
#
cat *.txt | awk '/^[^ #-]/ { print $1, $2 }' > .X

################################################################################
# split into files of no more than 8192 entries (keeps each ipfw invocation
# under the argument-list limit)
#
PFX=".${LIST}-tmp" ; export PFX
split -l 8192 .X $PFX

################################################################################
# swap table with table-alt, flush alt, load alt
#
$IPFW table ${LIST} swap ${LIST}-alt ; $IPFW table ${LIST}-alt flush
for f in ${PFX}* ; do
    $IPFW table ${LIST}-alt add `cat $f`
done

################################################################################
# repeat to load other table
#
$IPFW table ${LIST} swap ${LIST}-alt ; $IPFW table ${LIST}-alt flush
for f in ${PFX}* ; do
    $IPFW table ${LIST}-alt add `cat $f`
done

rm -f ${PFX}* .X
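The same swap / flush / load cycle, written as an added example that is not the poster's script: every ipfw call goes through a hypothetical ipfw_cmd wrapper that, with DRY_RUN=1 (the default here), prints the command instead of running it, so the whole plan for a list directory can be inspected before it touches a live firewall. The entry filter is stricter than the awk one-liner in the post (it only passes lines that look like an IPv4 or IPv6 prefix with an optional numeric value), which keeps a malformed line from aborting an ipfw batch part way through. Assumed: POSIX sh with awk, split and mktemp; the table names and the 8192-entry chunk size come from the post; the sample lists are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script.  Models the ipfw table
# swap / flush / load cycle with a dry-run wrapper.

# Run one ipfw command, or print it when DRY_RUN=1 (hypothetical wrapper).
ipfw_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'ipfw -q %s\n' "$*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# Keep only lines of the form "addr[/len] [value]" for IPv4 or IPv6.
# Comments, blank lines, indented lines and stray text are dropped.
filter_entries() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?([ \t]+[0-9]+)?[ \t]*$/ ||
    (/:/ && /^[0-9A-Fa-f:]+(\/[0-9]+)?([ \t]+[0-9]+)?[ \t]*$/) {
        if ($2 != "") print $1, $2; else print $1
    }'
}

# Number of usable entries across all .txt files in directory $1
# (a cheap sanity check before a load: zero usually means a bad fetch).
count_entries() {
    cat "$1"/*.txt 2>/dev/null | filter_entries | wc -l | tr -d ' '
}

# Load the filtered entries of directory $2 into table $1-alt, at most
# $3 entries per ipfw invocation (the post uses 8192 to stay under the
# argument-list limit).
load_alt() {
    list=$1 ; src=$2 ; chunk=$3
    tmp=$(mktemp -d) || return 1
    cat "$src"/*.txt 2>/dev/null | filter_entries > "$tmp/all"
    split -l "$chunk" "$tmp/all" "$tmp/part."
    for f in "$tmp"/part.*; do
        [ -e "$f" ] || continue
        # word splitting of the file contents is intended here
        ipfw_cmd table "${list}-alt" add $(cat "$f")
    done
    rm -rf "$tmp"
}

# Full cycle from the post: create both tables (ignore "already exists"),
# then twice: swap live and alt, flush alt, reload alt.  After the second
# pass both tables hold identical fresh contents, and rules referencing
# $list never saw a partially loaded table.
update_table() {
    list=$1 ; src=$2 ; chunk=${3:-8192}
    ipfw_cmd table "$list" create 2>/dev/null || :
    ipfw_cmd table "${list}-alt" create 2>/dev/null || :
    pass=0
    while [ "$pass" -lt 2 ]; do
        ipfw_cmd table "$list" swap "${list}-alt"
        ipfw_cmd table "${list}-alt" flush
        load_alt "$list" "$src" "$chunk"
        pass=$((pass + 1))
    done
}

# Usage (dry run):  DRY_RUN=1 update_table blocklist /var/db/ipfw/blocklist/cidr
# Real run on a FreeBSD host: DRY_RUN=0 update_table blocklist /var/db/ipfw/blocklist/cidr
```

Running it with DRY_RUN=1 first and reading the printed plan (two swaps, two flushes, and one add per chunk per pass) is the check worth doing whenever the list source or the filter changes; only then point it at the real ipfw.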