Date: Tue, 18 Feb 2020 15:45:38 +0300
From: Andreas X <hamdi20193d@gmail.com>
To: Trond Endrestøl <trond.endrestol@ximalas.info>
Cc: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Blacklist IP file for IPFW?
Message-ID: <CAEW8WPuirfT-uq2XOBf%2B1w6StXQLEtSpCgAEELL5pLtthk9tog@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.22.395.2002180821310.6036@enterprise.ximalas.info>
References: <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com> <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com> <CAEW8WPunc9%2B-7qybkrnDep3R08ApgjBkA2n=fi%2ByU8psTJRkNg@mail.gmail.com> <CAEW8WPtqeFDahGMN8h4qijXe6oug7H6uEyG2hTuqs53G2K98eA@mail.gmail.com> <e3aa5e53-606b-7ad4-b529-5891cf509fbf@tundraware.com> <alpine.BSF.2.22.395.2002180821310.6036@enterprise.ximalas.info>
Thank you all for your replies.

"For sure, the first form is broken because you have to escape the parenthesis."

As I stated earlier, that was just the output of the ipfw show | grep "table" command:

root@test:~ # ipfw show | grep "table"
00350 17065 1026829 deny ip from table(10) to any

My script blocks the IPs I wanted to, ONLY if I set the rule number to *earlier* numbers, such as:

${FWCMD} 00350 add deny all from table\(10\) to any

Question is: if I don't add the rule number 00350 to that command, that rule gets located in the 65000s, and ipfw doesn't block the IPs in the table at all. I wanted to ask why it reacts this way; shouldn't IPFW still do the job (deny) even if the rule number belongs to the last ones?

Thank you!

On Tue, 18 Feb 2020 at 10:35, Trond Endrestøl <trond.endrestol@ximalas.info> wrote:

> On Mon, 17 Feb 2020 16:42-0600, Tim Daneliuk wrote:
>
> > On 2/17/20 10:47 AM, Andreas X wrote:
> > > Hi again,
> > >
> > > The rule: "65500 0 0 deny ip from table(10) to any" was almost the last rule and I suspected it, therefore I wanted to move the rule up, and changed the command:
> > >
> > > ${FWCMD} 00350 add deny all from table\(10\) to any
> > >
> > > (adding rule number 00350), now ipfw successfully blocks the IPs in the table.
> > > My question is, why didn't it block the IPs when it had rule number 65500? (It might be among the last rules, but still, it has the "deny" command.. shouldn't it do the job?)
> > >
> > > Thank you.
> >
> > I'm not sure, but you're using two different rules:
> >
> > deny ip from table(10) to any
> >
> > vs.
> >
> > add deny all from table\(10\) to any
> >
> > For sure, the first form is broken because you have to escape the parenthesis.
>
> True.
>
> > Also, your 1st rule only blocks IP traffic, not ICMP like ping (I think, not sure).
>
> "ip" or "all" matches both IPv4 and IPv6, regardless of the protocols higher up.
> Thus, these two rules are equivalent:
>
> deny all from table\(10\) to any
> deny ip from table\(10\) to any
>
> Escaping the parenthesis is still required.
>
> > Any ipfw experts care to weigh in on this?
>
> ipfw(8) sure is handy.
>
> --
> Trond.
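To illustrate the rule-ordering behaviour behind the question above, here is an added example (not code from the thread or from FreeBSD) that simulates ipfw's first-match evaluation: rules are walked in ascending number order and the first matching rule decides. The ruleset and table contents are constructed; it assumes a catch-all "pass all from any to any" at 65000 sits ahead of the deny, which is an assumption about the poster's firewall, not something the thread states.

```python
# Added example: minimal simulation of ipfw first-match rule evaluation,
# showing why "deny ... from table(10)" at 65500 never fires when an
# earlier rule (assumed: a catch-all allow at 65000) already matches.
import ipaddress

# Constructed contents of table 10 (the blacklist); not the poster's data.
TABLE_10 = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]


def in_table(addr, table):
    """True if addr falls inside any prefix of the table (ipfw table lookup)."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in table)


def first_match(rules, src):
    """Walk rules in ascending number order; return (number, action) of the
    first rule whose source spec matches. 65535 is the kernel's default rule,
    which denies unless the kernel was built to accept by default."""
    for number, action, src_spec in sorted(rules):
        if src_spec == "any" or (src_spec == "table(10)" and in_table(src, TABLE_10)):
            return number, action
    return 65535, "deny"


def verdict(rules, src):
    """Just the action for src under the given ruleset."""
    return first_match(rules, src)[1]


# Ruleset A: the deny lands at 65500, after an assumed catch-all allow at 65000.
LATE_DENY = [(65000, "allow", "any"), (65500, "deny", "table(10)")]
# Ruleset B: the same deny numbered 350, so it is evaluated before the allow.
EARLY_DENY = [(350, "deny", "table(10)"), (65000, "allow", "any")]

if __name__ == "__main__":
    for name, rules in (("late deny", LATE_DENY), ("early deny", EARLY_DENY)):
        print(name, "198.51.100.9 ->", first_match(rules, "198.51.100.9"))
```

Under "late deny" the blacklisted address is allowed by rule 65000 before rule 65500 is ever consulted; under "early deny" rule 350 matches first and denies it.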