From: Matthew Seaman
To: Francisco Reyes
Cc: FreeBSD Security List <freebsd-security@freebsd.org>
Date: Sat, 20 Nov 2004 20:15:26 +0000
Subject: Re: Importing into rc.firewall rules
Message-ID: <20041120201526.GB793@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041120133048.N7533@zoraida.natserv.net>
User-Agent: Mutt/1.4.2.1i
On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> I have a growing list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc.
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

Sure. If you set 'firewall_type' in /etc/rc.conf to the name of a file
(eg. /etc/rules.ipfw), then record your firewall ruleset as a series of
'add rule' commands inside that file, it will be read straight into
ipfw(8) -- eg:

    # /sbin/ipfw /etc/rules.ipfw

where the initial contents of the rules file could be generated from the
currently loaded ruleset by:

    # /sbin/ipfw list | sed -e 's,^,add ,'

Additionally you can use the '-p preproc' flag to pass the rules file
through a preprocessor, such as m4(1), which potentially allows you to
insert blocks of rules by including other files, but that requires
having quite a bit of m4-fu.

Alternatively, if you want to manage your list of ad-hoc deny rules
separately from your standard rule set, you can just run ipfw(8) against
a set of 'add' rules whenever you need to make changes. If you make use
of the ipfw set command, you will be easily able to manipulate your
ad-hoc rules without trashing your regular ruleset. The ipfw set
functionality is available by default in RELENG_5, but it is an
extension that has to be explicitly turned on in RELENG_4 -- see the
section "USING IPFW2 IN FreeBSD-STABLE" within the ipfw(8) man page.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH
UK

PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
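The following is an added example, not code from Matthew's reply or from FreeBSD itself. It does in a small POSIX sh script what the second half of the reply suggests: the ad-hoc deny list lives in its own file, each entry is validated before it is turned into a rule, and the rules are tagged with a dedicated ipfw set so the whole list can be replaced with 'ipfw delete set N' plus a reload without touching the regular ruleset loaded via firewall_type. It goes slightly beyond the question in that entries may be CIDR prefixes as well as single hosts. The file name /etc/ipfw.blocklist, set number 31 and rule base 1000 are assumptions; the snapshot helper for bootstrapping /etc/rules.ipfw additionally drops the fixed default rule 65535, which 'ipfw add' does not accept. Where ipfw(8) is not installed the script prints the generated rules instead of loading them, which doubles as a dry run.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): keep an
# ad-hoc deny list in its own file and load it into a dedicated ipfw set,
# so it can be replaced without touching the regular ruleset.
# Set number, rule base and the blocklist path are assumptions.

BLOCK_SET=31      # ipfw set reserved for the ad-hoc deny rules (assumption)
BLOCK_BASE=1000   # first rule number given to them (assumption)

# is_ipv4_prefix ADDR: true for a.b.c.d or a.b.c.d/N with valid octets and a
# prefix length of 0-32. Anything else is rejected before it becomes a rule.
is_ipv4_prefix() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    pat="^$octet(\\.$octet){3}(/([0-9]|[12][0-9]|3[0-2]))?\$"
    printf '%s\n' "$1" | grep -Eq "$pat"
}

# gen_block_rules FILE: print one 'add' command per valid entry in FILE
# (one address or CIDR per line, '#' comments allowed), every rule tagged
# with BLOCK_SET. Invalid entries are reported on stderr and skipped.
gen_block_rules() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 1; }
    n=$BLOCK_BASE
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if is_ipv4_prefix "$addr"; then
            printf 'add %d set %d deny ip from %s to any\n' \
                "$n" "$BLOCK_SET" "$addr"
            n=$((n + 1))
        else
            printf 'skipping invalid entry: %s\n' "$addr" >&2
        fi
    done
}

# apply_block_rules FILE: regenerate the deny set from FILE. Refuses to act
# when no valid rule came out, so an empty or mangled file cannot silently
# remove every block. Without ipfw(8) on the host it prints the rules
# instead of loading them (dry run).
apply_block_rules() {
    rules=$(gen_block_rules "$1") || return 1
    if [ -z "$rules" ]; then
        printf 'no valid entries in %s, leaving set %d untouched\n' \
            "$1" "$BLOCK_SET" >&2
        return 1
    fi
    if command -v ipfw >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        printf '%s\n' "$rules" > "$tmp"
        ipfw -q delete set "$BLOCK_SET" 2>/dev/null   # drop only our set
        ipfw -q "$tmp"                                # load the new rules
        rm -f "$tmp"
    else
        printf '%s\n' "$rules"
    fi
}

# snapshot_ruleset: turn 'ipfw list' output on stdin into 'add' commands
# for a firewall_type rules file, dropping the fixed default rule 65535,
# which cannot be re-added. Usage: ipfw list | snapshot_ruleset > /etc/rules.ipfw
snapshot_ruleset() {
    grep -v '^65535 ' | sed -e 's,^,add ,'
}

# Usage: sh ipfw-blocklist.sh /etc/ipfw.blocklist
if [ $# -eq 1 ]; then
    apply_block_rules "$1"
fi
```

Because the deny rules carry their own set number, 'ipfw delete set 31' removes exactly them and nothing else, and the rules file named by firewall_type stays the single source of truth for the permanent policy; on RELENG_4 the set syntax only works once IPFW2 is enabled as the reply notes.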