From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 23 15:00:17 2014
Date: Sun, 23 Mar 2014 10:00:14 -0500
From: "Matthew D. Fuller"
To: Julian Elischer
Cc: ipfw@freebsd.org, Ian Smith
Subject: Re: ipfw dynamic rules
Message-ID: <20140323150014.GE96701@over-yonder.net>
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> <20140322151155.184d5229@gumby.homeunix.com> <532E723C.2090109@freebsd.org> <532E7398.5090607@freebsd.org> <20140324000439.F87212@sola.nimnet.asn.au> <532EF401.80506@freebsd.org>
In-Reply-To: <532EF401.80506@freebsd.org>
List-Id: IPFW Technical Discussions

On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
Julian Elischer, and lo! it spake thus:

> > comments welcome (bugs expected)
> >
> /sbin/ipfw table add 13 0.0.0.0/8
> /sbin/ipfw table add 13 10.0.0.0/8
> /sbin/ipfw table add 13 169.254.0.0/16
> /sbin/ipfw table add 13 172.16.0.0/12
> /sbin/ipfw table add 13 192.0.2.0/24
> /sbin/ipfw table add 13 192.168.0.0/16
> /sbin/ipfw table add 13 224.0.0.0/4
> /sbin/ipfw table add 13 240.0.0.0/4
>
> /sbin/ipfw add 2002 set 0 reject ip from any to table(13)

Missing a couple martians, and this is a bit automatable.  It's sh,
after all.  Out of the script on one of my servers:

----------------------
# A table for ipv4 martians
# Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# NOTE: Source file doesn't have terminating newline; be sure to add one!
mtable="100"
bogfile="${mydir}/bogon-bn-agg.txt"
if [ -r "$bogfile" ]; then
	${ipfw} table ${mtable} flush
	cat $bogfile | while read block ; do
		${ipfw} table ${mtable} add ${block}
	done
fi

# ... lots of stuff elided

# Ignore
${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
----------------------

Handy to just be able to randomly fetch(1) a new file and let the fw
keep up.  Though watch out for that lacking trailing newline; I've been
left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice from
forgetting.

-- 
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
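The trailing-newline pitfall Matthew describes is a property of sh's read(1): on a final line with no newline, read fills the variable but returns false, so a bare `while read` loop drops the last block (for the Team Cymru aggregated list that is 224.0.0.0/3, the whole multicast plus reserved space). The following is an added example, not Matthew's script and not part of the FreeBSD project; it loads a bogon list into an ipfw table with the read loop fixed, validates each line as an a.b.c.d/len prefix so a truncated or garbled download cannot become a bad `table add`, and prints the ipfw commands rather than running them so they can be reviewed or piped to sh. The sample file it writes is constructed for the example (in the bogon-bn-agg.txt layout, deliberately without a trailing newline); the IPFW variable for the ipfw path is an assumed knob.

```shell
#!/bin/sh
# Added example: build an ipfw bogon table from a Team Cymru style list.
# Not the original poster's script. The sample below is constructed and
# deliberately lacks a trailing newline, like the real bogon-bn-agg.txt.

# Write a constructed sample in the bogon-bn-agg.txt format (one CIDR per
# line, comment and blank lines allowed); the last line has no newline.
write_sample_bogons() {
    printf '%s\n' '# constructed sample, not the real Team Cymru file' \
        0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 \
        198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 '' > "$1"
    printf '%s' 224.0.0.0/3 >> "$1"
}

# Accept only a.b.c.d/len with octets 0-255 and len 0-32, so a truncated
# or garbled download cannot turn into a bad "ipfw table add".
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1               # no '/' at all
    case $len in ''|*[!0-9]*) return 1 ;; esac   # also catches a.b.c.d/8/8
    [ "$len" -le 32 ] || return 1
    IFS=.; set -- $ip; unset IFS                 # unset IFS = default splitting
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the ipfw commands that load $2 into table $1, so they can be
# reviewed (or piped to sh). IPFW is an assumed knob for the ipfw path.
ipfw_table_cmds() {
    table=$1; file=$2; n=0
    echo "${IPFW:-/sbin/ipfw} table $table flush"
    # '|| [ -n "$block" ]' is the fix for the trailing-newline problem:
    # read returns false on a final unterminated line even though it
    # filled $block, so a bare 'while read' silently drops the last CIDR.
    while IFS= read -r block || [ -n "$block" ]; do
        block=${block%%#*}              # drop comments
        set -- $block; block=${1:-}     # trim whitespace, first field only
        [ -n "$block" ] || continue
        if valid_cidr "$block"; then
            echo "${IPFW:-/sbin/ipfw} table $table add $block"
            n=$((n + 1))
        else
            echo "skipping unparsable line: $block" >&2
        fi
    done < "$file"
    echo "# $n blocks queued for table $table" >&2
}

# Number of blocks the loader would add; compare with wc -l on the
# downloaded file before the rules go live.
count_blocks() {
    ipfw_table_cmds 100 "$1" 2>/dev/null | grep -c ' add '
}

# The loop from the original script, for comparison: it loses the final
# line when the file lacks a trailing newline.
naive_count() {
    n=0
    while read block; do
        case $block in ''|'#'*) ;; *) n=$((n + 1)) ;; esac
    done < "$1"
    echo "$n"
}

# Usage: write_sample_bogons /tmp/bogons; ipfw_table_cmds 100 /tmp/bogons | sh
```

On the constructed sample the naive loop counts 12 blocks and the fixed loop 13, the difference being the unterminated 224.0.0.0/3 line. Printing the commands instead of executing them also means the `table flush` is not issued until you have looked at what replaces it, which matters when the table feeds a `drop ... from table(N) to any` rule.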