Date:      Tue, 24 Aug 2004 22:55:13 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Chris <racerx@makeworld.com>
Cc:        FreeBSD - ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: Denying multiple IP's
Message-ID:  <20040824205513.GJ760@zaphod.nitro.dk>
In-Reply-To: <412B6A23.1000708@makeworld.com>
References:  <412B6A23.1000708@makeworld.com>

On 2004.08.24 11:17:39 -0500, Chris wrote:
> I'm working with a friend of mine w/ipfw. Below are IP's that are trying
> to hack in via ssh. I suggested to use something in the form of:
>
> # Allow in SFTP, SSH, and SCP from public Internet
> ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4
>
> But he mentions that he needs access to his box from potential client
> sites where the IP is unknown.
>
> There has to be a better way to block the below - suggestions?

If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you
could use the new table feature.  Otherwise if you use ipfw2 you could
use "or-blocks" e.g.

ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

or something like that.

In any case there is probably no need to have separate tcp/udp rules;
you could just use "ip" and block all traffic from the IPs.

> #
> # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
> #
>
> ${fwcmd} add 300 deny tcp from 24.79.68.179 to any
> ${fwcmd} add 301 deny udp from 24.79.68.179 to any
> ${fwcmd} add 302 deny tcp from 64.246.20.123 to any
> ${fwcmd} add 303 deny udp from 64.246.20.123 to any
> ${fwcmd} add 304 deny tcp from 81.223.99.90 to any
> ${fwcmd} add 305 deny udp from 81.223.99.90 to any
> ${fwcmd} add 306 deny tcp from 140.112.124.123 to any
> ${fwcmd} add 307 deny udp from 140.112.124.123 to any
> ${fwcmd} add 308 deny tcp from 193.145.87.3 to any
> ${fwcmd} add 309 deny udp from 193.145.87.3 to any
> ${fwcmd} add 310 deny tcp from 203.186.157.37 to any
> ${fwcmd} add 311 deny udp from 203.186.157.37 to any
> ${fwcmd} add 312 deny tcp from 210.204.129.11 to any
> ${fwcmd} add 313 deny udp from 210.204.129.11 to any
> ${fwcmd} add 314 deny tcp from 211.60.219.250 to any
> ${fwcmd} add 315 deny udp from 211.60.219.250 to any
> ${fwcmd} add 316 deny tcp from 211.252.9.126 to any
> ${fwcmd} add 317 deny udp from 211.252.9.126 to any
> ${fwcmd} add 318 deny tcp from 218.21.129.105 to any
> ${fwcmd} add 319 deny udp from 218.21.129.105 to any
> ${fwcmd} add 320 deny tcp from 218.49.183.17 to any
> ${fwcmd} add 321 deny udp from 218.49.183.17 to any
> ${fwcmd} add 322 deny tcp from 218.102.19.78 to any
> ${fwcmd} add 323 deny udp from 218.102.19.78 to any
> ${fwcmd} add 324 deny tcp from 218.237.66.152 to any
> ${fwcmd} add 325 deny udp from 218.237.66.152 to any
> ${fwcmd} add 326 deny tcp from 221.3.131.80 to any
> ${fwcmd} add 327 deny udp from 221.3.131.80 to any
>
> # Everything else is denied by default

-- 
Simon L. Nielsen
FreeBSD Documentation Team
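As an added example (not code from this thread or from the FreeBSD project), a small POSIX shell script that turns a banned-address list like the one quoted above into either the single table-based rule or the ipfw2 or-block rule the reply suggests; it only prints the ipfw(8) commands so it can be reviewed before being piped into sh on the firewall host. The table number (1), rule number (300) and the sample address list are assumed/constructed.

```shell
#!/bin/sh
# Collapse per-address tcp/udp deny rules into one "deny ip" rule.
# Only prints commands; nothing here touches the running firewall.

# Constructed sample list: one address per line, blanks, '#' comments
# and duplicates tolerated (a real list would come from a file).
BANNED='
24.79.68.179
64.246.20.123   # repeated ssh login attempts
24.79.68.179
81.223.99.90
'

# Strip comments and whitespace, drop empty lines, dedupe keeping order.
clean_list() {
    printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]//g' \
        | awk 'NF && !seen[$0]++'
}

# Table variant (FreeBSD with ipfw table support): one "table add" per
# address plus a single rule. Matching protocol "ip" covers tcp, udp and
# everything else from those sources, as the reply points out.
# Args: list [table-number] [rule-number]
table_rules() {
    fwcmd=${FWCMD:-ipfw}; tbl=${2:-1}; rule=${3:-300}
    clean_list "$1" | while read -r addr; do
        printf '%s table %s add %s\n' "$fwcmd" "$tbl" "$addr"
    done
    printf '%s add %s deny ip from table(%s) to any\n' "$fwcmd" "$rule" "$tbl"
}

# Or-block variant for ipfw2 without tables:
#   ipfw add 300 deny ip from { a or b or c } to any
# Args: list [rule-number]
orblock_rule() {
    fwcmd=${FWCMD:-ipfw}; rule=${2:-300}
    list=$(clean_list "$1" \
        | awk 'NR > 1 { printf " or " } { printf "%s", $0 } END { print "" }')
    printf '%s add %s deny ip from { %s } to any\n' "$fwcmd" "$rule" "$list"
}

table_rules "$BANNED"
orblock_rule "$BANNED"
```

Adding the address to the table later (`ipfw table 1 add <addr>`) bans a new source without renumbering or reloading the rule set, which is the practical advantage over a growing block of numbered rules.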
