From: Ciprian BADESCU <cbadescu@aspc.cs.utt.ro>
Date: Sun, 21 Nov 2004 13:16:42 +0200 (EET)
To: freebsd-security@freebsd.org
Subject: [Fwd: Re: Importing into rc.firewall rules]

Hi,

> On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
>> Infected machines, hackers, etc..
>>
>> Is there a way to have this list outside of rc.firewall and just read it in?

> from man ipfw

    LOOKUP TABLES
        Lookup tables are useful to handle large sparse address sets, typically
        from a hundred to several thousands of entries. There could be 128
        different lookup tables, numbered 0 to 127.

        Each entry is represented by an addr[/masklen] and will match all
        addresses with base addr (specified as a dotted quad or a hostname)
        and mask width of masklen bits. If masklen is not specified, it
        defaults to 32. When looking up an IP address in a table, the most
        specific entry will match. Associated with each entry is a 32-bit
        unsigned value, which can optionally be checked by a rule matching
        code. When adding an entry, if value is not specified, it defaults
        to 0.

        An entry can be added to a table (add), removed from a table (delete),
        a table can be examined (list) or flushed (flush).

        Internally, each table is stored in a Radix tree, the same way as the
        routing table (see route(4)).

, and here is an example:

    ${fwcmd} table 0 add 82.77.156.42
    ${fwcmd} add deny all from table\(0\) to any via ${oif}
    ${fwcmd} add deny all from any to table\(0\) via ${oif}  # I know, second rule, .... it's paranoid

To set the table you could use a file /etc/badboys and a short shell script
executed before the table denying rules:

    for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;

----
Ciprian Badescu
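An added example, not from Ciprian's post, of the loader script sketched above in a more defensive form: it skips blank and comment lines, refuses malformed entries instead of handing them to ipfw, and flushes the table before reloading so a re-run never leaves stale entries. It assumes ipfw lives at /sbin/ipfw (override with FWCMD; FWCMD=echo gives a dry run) and a hypothetical /etc/badboys list.

```sh
#!/bin/sh
# Added example (not from the original post): load an ipfw lookup table from a
# file such as /etc/badboys, one addr[/masklen] per line, '#' starting a
# comment. Malformed lines are skipped instead of being handed to ipfw, and
# the table is flushed first so the script can be re-run without leaving
# stale entries behind. FWCMD defaults to /sbin/ipfw; FWCMD=echo is a dry run.
set -f                           # no pathname expansion while splitting lines
: "${FWCMD:=/sbin/ipfw}"

# valid_entry ADDR[/MASKLEN]: IPv4 dotted quad, optional mask width 0-32.
valid_entry() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${1%%/*}
    if [ "$addr" = "$1" ]; then mask=32; else mask=${1#*/}; fi
    [ -n "$mask" ] && [ "$mask" -le 32 ] || return 1
    # split on dots in a subshell so the caller's IFS is left alone
    ( IFS=.; set -- $addr
      [ $# -eq 4 ] || exit 1
      for octet in "$@"; do
          [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
      done )
}

# load_table NUMBER FILE: flush the table, then add every valid entry.
# The count of entries added is left in LOADED for the caller.
load_table() {
    table=$1; file=$2; LOADED=0
    "$FWCMD" table "$table" flush || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}       # strip comment, trim whitespace
        [ $# -eq 0 ] && continue
        if [ $# -ne 1 ] || ! valid_entry "$1"; then
            echo "skipping bad entry: $line" >&2
            continue
        fi
        "$FWCMD" table "$table" add "$1" && LOADED=$((LOADED + 1))
    done < "$file"
}

# Usage: FWCMD=echo sh load_table.sh 0 /etc/badboys
# The deny rules then reference the table, as in the post:
#   ${fwcmd} add deny ip from table\(0\) to any via ${oif}
if [ $# -eq 2 ]; then
    load_table "$1" "$2"
fi
```

Run it from rc.firewall before the rules that reference the table, since a table lookup against an empty table matches nothing.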