Date:      Sat, 20 Nov 2004 20:15:26 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Francisco Reyes <lists@natserv.com>
Cc:        FreeBSD Security List <freebsd-security@freebsd.org>
Subject:   Re: Importing into rc.firewall rules
Message-ID:  <20041120201526.GB793@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041120133048.N7533@zoraida.natserv.net>
References:  <20041120133048.N7533@zoraida.natserv.net>



On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

Sure.  If you set 'firewall_type' in /etc/rc.conf to the name of a
file (eg. /etc/rules.ipfw), then record your firewall ruleset as a
series of 'add rule' commands inside that file, it will be read
straight into ipfw(8) -- eg:

    # /sbin/ipfw /etc/rules.ipfw

where the initial contents of the rules file could be generated from
the currently loaded ruleset by:

    # /sbin/ipfw list | sed -e 's,^,add ,'

Additionally you can use the '-p preproc' flag to pass the rules file
through a preprocessor, such as m4(1), which potentially allows you to
insert blocks of rules by including other files, but that requires
having quite a bit of m4-fu.

Alternatively, if you want to manage your list of ad-hoc deny rules
separately to your standard rule set, you can just run ipfw(8) against
a set of 'add' rules whenever you need to make changes.  If you make
use of the ipfw set command, you will be easily able to manipulate
your ad-hoc rules without trashing your regular ruleset. The ipfw set
functionality is available by default in RELENG_5, but it is an
extension that has to be explicitly turned on in RELENG_4 -- see the
section "USING IPFW2 IN FreeBSD-STABLE" within the ipfw(8) man page.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
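The two ideas in the reply above, a rules file made of plain 'add' lines that ipfw(8) reads directly, and an ad-hoc deny list kept in its own ipfw set so it can be reloaded without trashing the regular ruleset, combined into one script. This is an added example, not code from the thread or from FreeBSD; it assumes a list file /etc/ipfw.denylist (one IPv4 host or CIDR per line, '#' comments), set 20 and rule numbers 1000 upwards for the ad-hoc rules, and an ipfw with set support (ipfw2, which the mail notes is default on RELENG_5 and optional on RELENG_4). All of those names and numbers are my choices.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Keeps an ad-hoc deny
# list in its own ipfw(8) set, so it can be rebuilt at any time without
# touching the main ruleset loaded through firewall_type.
#
# Assumptions (mine, not stated in the mail): the list lives in
# /etc/ipfw.denylist, one IPv4 host or CIDR per line, '#' starts a comment;
# the ad-hoc rules use set 20 and rule numbers from 1000 upwards, a range
# the main ruleset leaves free; ipfw sets are available (ipfw2).

DENYLIST=${DENYLIST:-/etc/ipfw.denylist}
DENY_SET=20
DENY_BASE=1000

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# Anything else is rejected, so a typo in the list cannot become a rule
# that denies far more (or far less) than intended.
valid_ipv4_net() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (positional parameters are
    IFS=$old_ifs            # local to this function call)
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the list as ipfw 'add' rules, numbered consecutively from
# DENY_BASE and tagged with DENY_SET.  Bad entries are reported on stderr
# and skipped; the return status is 1 if any were seen.
gen_deny_rules() {
    list=$1
    n=$DENY_BASE
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]') # and whitespace
        [ -n "$line" ] || continue
        if valid_ipv4_net "$line"; then
            printf 'add %d set %d deny ip from %s to any\n' \
                "$n" "$DENY_SET" "$line"
            n=$((n + 1))
        else
            printf 'skipping bad entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$list"
    return $bad
}

# Swap the live ad-hoc set for a freshly generated one: disable the set so
# no half-loaded state is ever active, flush it, load the new rules from a
# temporary file (ipfw reads 'add' lines from a file, as in the mail), then
# enable it again.  The other sets, i.e. the main ruleset, are untouched.
apply_deny_rules() {
    tmp=$(mktemp -t ipfwdeny) || return 1
    gen_deny_rules "$DENYLIST" > "$tmp" ||
        echo 'warning: some entries were skipped, see above' >&2
    /sbin/ipfw set disable "$DENY_SET" || { rm -f "$tmp"; return 1; }
    /sbin/ipfw delete set "$DENY_SET" 2>/dev/null   # already-empty set is fine
    /sbin/ipfw -q "$tmp" && /sbin/ipfw set enable "$DENY_SET"
    status=$?
    rm -f "$tmp"
    return $status
}

case ${1:-} in
    --print) gen_deny_rules "$DENYLIST" ;;   # review the rules before loading
    --apply) apply_deny_rules ;;
esac
```

Run it with --print first to inspect the generated 'add' lines, then with --apply as root. Because the rules carry an explicit set number, `ipfw set disable 20` gives you an instant off switch for the whole ad-hoc list, and a `firewall_type` rules file for the main ruleset (seeded with `ipfw list | sed -e 's,^,add ,'` as the mail suggests) never has to know these rules exist.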




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041120201526.GB793>