From: "Simon L. Nielsen"
To: Chris
Cc: FreeBSD - ipfw
Date: Tue, 24 Aug 2004 22:55:13 +0200
Subject: Re: Denying multiple IP's
Message-ID: <20040824205513.GJ760@zaphod.nitro.dk>
In-Reply-To: <412B6A23.1000708@makeworld.com>
List-Id: IPFW Technical Discussions

On 2004.08.24 11:17:39 -0500, Chris wrote:
> I'm working with a friend of mine w/ipfw. Below are IP's that are trying
> to hack in via ssh. I suggested to use something in the form of:
>
> # Allow in SFTP, SSH, and SCP from public Internet
> ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4
>
> But he mentions that he needs access to his box from potential client
> sites where the IP is unknown.
>
> There has to be a better way to block the below - suggestions?
If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you could use the new table feature. Otherwise if you use ipfw2 you could use "or-blocks" e.g.

ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

or something like that. In any case there is probably no need to have separate tcp/udp rules, you could just use "ip" and block all traffic from the IP's.

> #
> # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
> #
>
> ${fwcmd} add 300 deny tcp from 24.79.68.179 to any
> ${fwcmd} add 301 deny udp from 24.79.68.179 to any
> ${fwcmd} add 302 deny tcp from 64.246.20.123 to any
> ${fwcmd} add 303 deny udp from 64.246.20.123 to any
> ${fwcmd} add 304 deny tcp from 81.223.99.90 to any
> ${fwcmd} add 305 deny udp from 81.223.99.90 to any
> ${fwcmd} add 306 deny tcp from 140.112.124.123 to any
> ${fwcmd} add 307 deny udp from 140.112.124.123 to any
> ${fwcmd} add 308 deny tcp from 193.145.87.3 to any
> ${fwcmd} add 309 deny udp from 193.145.87.3 to any
> ${fwcmd} add 310 deny tcp from 203.186.157.37 to any
> ${fwcmd} add 311 deny udp from 203.186.157.37 to any
> ${fwcmd} add 312 deny tcp from 210.204.129.11 to any
> ${fwcmd} add 313 deny udp from 210.204.129.11 to any
> ${fwcmd} add 314 deny tcp from 211.60.219.250 to any
> ${fwcmd} add 315 deny udp from 211.60.219.250 to any
> ${fwcmd} add 316 deny tcp from 211.252.9.126 to any
> ${fwcmd} add 317 deny udp from 211.252.9.126 to any
> ${fwcmd} add 318 deny tcp from 218.21.129.105 to any
> ${fwcmd} add 319 deny udp from 218.21.129.105 to any
> ${fwcmd} add 320 deny tcp from 218.49.183.17 to any
> ${fwcmd} add 321 deny udp from 218.49.183.17 to any
> ${fwcmd} add 322 deny tcp from 218.102.19.78 to any
> ${fwcmd} add 323 deny udp from 218.102.19.78 to any
> ${fwcmd} add 324 deny tcp from 218.237.66.152 to any
> ${fwcmd} add 325 deny udp from 218.237.66.152 to any
> ${fwcmd} add 326 deny tcp from 221.3.131.80 to any
> ${fwcmd} add 327 deny udp from 221.3.131.80 to any
>
> # Everything else is denied by default

-- 
Simon L. Nielsen
FreeBSD Documentation Team
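The two approaches Simon suggests, as an added example that is not part of the original thread: a small sh script that generates the ipfw commands replacing the 28 per-address tcp/udp deny pairs with a single "ip" rule, either through a lookup table (the newer FreeBSD releases he mentions) or through an ipfw2 or-block. Rule numbers 300/301, table number 1 and the shortened address list are this example's own choices; fwcmd defaults to "echo ipfw" so the script only prints what it would run, and on a FreeBSD host you would set fwcmd=/sbin/ipfw to apply it.

```shell
#!/bin/sh
# Added example, not from the original mail: emit the ipfw commands that
# collapse a list of per-address deny rules into one rule.  Nothing is
# applied unless fwcmd is pointed at the real ipfw binary.
fwcmd="${fwcmd:-echo ipfw}"

# Constructed sample taken from the addresses in the mail; the real list is longer.
blocked_ips="24.79.68.179 64.246.20.123 81.223.99.90"

# Option 1 (FreeBSD newer than 4.10/5.2): a lookup table referenced by one rule.
# Prints the ipfw subcommands, one per line.  Addresses can later be added or
# removed with "ipfw table N add/delete" without renumbering the rule set.
table_commands() {
    table_no="$1"; rule_no="$2"; shift 2
    echo "table ${table_no} flush"
    for ip in "$@"; do
        echo "table ${table_no} add ${ip}/32"
    done
    # "ip" matches tcp, udp and every other protocol from the listed addresses.
    echo "add ${rule_no} deny ip from table(${table_no}) to any"
}

# Option 2 (ipfw2 without table support): a single rule with an or-block.
or_block_rule() {
    rule_no="$1"; shift
    list=""
    for ip in "$@"; do
        if [ -z "${list}" ]; then list="${ip}"; else list="${list} or ${ip}"; fi
    done
    echo "add ${rule_no} deny ip from { ${list} } to any"
}

# Print (or apply) both variants for comparison; either one alone is enough.
# The generated text is passed unquoted so that table(1), { and } reach ipfw
# as separate arguments instead of being parsed by the shell.
# shellcheck disable=SC2086
table_commands 1 300 ${blocked_ips} | while read -r line; do
    ${fwcmd} ${line}
done
${fwcmd} $(or_block_rule 301 ${blocked_ips})
```

ipfw evaluates rules in number order and the first match wins, so whichever variant is used, the deny rule has to be numbered below any later "pass ... 22" rule that is meant to admit the unknown client sites; the table form is the one to prefer when the address list changes often, since updating it never touches the rule numbers around it.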