From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 23 15:29:20 2014
Message-ID: <532EFDC5.7060605@freebsd.org>
Date: Sun, 23 Mar 2014 08:29:09 -0700
From: Julian Elischer
To: "Matthew D. Fuller"
Cc: ipfw@freebsd.org, Ian Smith
Subject: Re: ipfw dynamic rules
In-Reply-To: <20140323150014.GE96701@over-yonder.net>

On 3/23/14, 8:00 AM, Matthew D. Fuller wrote:
> On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
> Julian Elischer, and lo! it spake thus:
>> comments welcome (bugs expected)
>>
>> /sbin/ipfw table add 13 0.0.0.0/8
>> /sbin/ipfw table add 13 10.0.0.0/8
>> /sbin/ipfw table add 13 169.254.0.0/16
>> /sbin/ipfw table add 13 172.16.0.0/12
>> /sbin/ipfw table add 13 192.0.2.0/24
>> /sbin/ipfw table add 13 192.168.0.0/16
>> /sbin/ipfw table add 13 224.0.0.0/4
>> /sbin/ipfw table add 13 240.0.0.0/4
>>
>> /sbin/ipfw add 2002 set 0 reject ip from any to table(13)
>
> Missing a couple martians, and this is a bit automatable. It's sh,
> after all. Out of the script on one of my servers:

yeah though remember this is the output stream of the script, not the
script itself.. it was loading it up from the small table I had in a
"here" file in the script.. could easily be done from a separate file...

What I'm hoping for is to make a script set where you specify a 'type'
for each interface, and the script builds itself.. e.g.

interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"

(lo0 need not be given a type)

this would firewall xn0 and tun1 and just do sanity testing on tun0 and xn1

Julian

> ----------------------
> # A table for ipv4 martians
> # Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
> # NOTE: Source file doesn't have terminating newline; be sure to add one!
> mtable="100"
> bogfile="${mydir}/bogon-bn-agg.txt"
> if [ -r "$bogfile" ]; then
>     ${ipfw} table ${mtable} flush
>     cat $bogfile | while read block ; do
>         ${ipfw} table ${mtable} add ${block} ;
>     done
> fi
>
> # ... lots of stuff elided
>
> # Ignore
> ${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
> ----------------------
>
> Handy to just be able to randomly fetch(1) a new file and let the fw
> keep up. Though watch out for that lacking trailing newline; I've
> been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
> from forgetting.
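The bogon-file loading that both the table above and the quoted script do, as an added example that is neither Julian's nor Matthew's code: a dry-run sh script that shows why the quoted `while read` loop silently loses the last block of a file with no terminating newline, the robust loop shape that keeps it, and the ipfw commands that would be generated (printed, not executed). The sample file is constructed inline; the table number 100 and rule number 1010 are taken from the quoted script, and the comment-stripping is an assumption about the list format.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the ipfw commands that would load
# a martian table from a bogon list; nothing is executed, so it is safe to run.

# The loop shape from the quoted script, kept for comparison: `read` returns
# non-zero on a final line with no newline even though it filled the variable,
# so a bare `while read` silently drops that last block.
naive_blocks() {
    while read -r block; do printf '%s\n' "$block"; done < "$1"
}

# Robust reader: `|| [ -n "$line" ]` keeps the unterminated last line, and
# comments and whitespace are stripped so a '#' line never reaches ipfw.
read_blocks() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s\n' "$line" | tr -d '[:space:]')
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Dry run: print the commands for bogon file $1, table $2, drop rule number $3
# (the defaults are assumptions that match the numbers in the quoted script).
martian_commands() {
    bogfile=$1; mtable=${2:-100}; rule=${3:-1010}
    printf 'ipfw table %s flush\n' "$mtable"
    read_blocks "$bogfile" | while IFS= read -r block; do
        printf 'ipfw table %s add %s\n' "$mtable" "$block"
    done
    printf 'ipfw add %s drop ip4 from table\\(%s\\) to any\n' "$rule" "$mtable"
}

# Constructed sample, deliberately written WITHOUT a trailing newline like the
# team-cymru file; 224.0.0.0/3 is the entry the naive loop loses.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '0.0.0.0/8\n10.0.0.0/8\n# comment\n192.168.0.0/16\n224.0.0.0/3' > "$sample"

echo "naive reader last block:  $(naive_blocks "$sample" | tail -n 1)"
echo "robust reader last block: $(read_blocks "$sample" | tail -n 1)"
martian_commands "$sample" 100 1010
```

Pipe the output into `sh` only after reviewing it; the generated drop rule keeps the escaped `table\(100\)` form the quoted script uses.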