Date:      Mon, 17 Feb 2020 19:47:30 +0300
From:      Andreas X <hamdi20193d@gmail.com>
To:        Tim Daneliuk <tundra@tundraware.com>,  FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Blacklist IP file for IPFW?
Message-ID:  <CAEW8WPtqeFDahGMN8h4qijXe6oug7H6uEyG2hTuqs53G2K98eA@mail.gmail.com>
In-Reply-To: <CAEW8WPunc9+-7qybkrnDep3R08ApgjBkA2n=fi+yU8psTJRkNg@mail.gmail.com>
References:  <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com> <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com> <CAEW8WPunc9+-7qybkrnDep3R08ApgjBkA2n=fi+yU8psTJRkNg@mail.gmail.com>

Hi again,

The rule "65500   0     0 deny ip from table(10) to any" was almost the
last rule and I suspected it, therefore I wanted to move the rule higher up and
changed the command:

${FWCMD} 00350 add deny all from table\(10\) to any

(adding rule number 00350), and now ipfw successfully blocks the IPs in the
table.
My question is, why didn't it block the IPs when it had rule number 65500?
(It might be the last rule, but still, it has a "deny" command... shouldn't it
do the job?)

Thank you.





On Mon, 17 Feb 2020 at 18:54, Andreas X <hamdi20193d@gmail.com> wrote:

> Dear Tim,
>
> I applied your suggestion, however it seems IPFW doesn't ban the IP
> addresses in the list. (I've added a useless VPS IP of mine to the list to
> test it, but I could still ping the server from that IP)
>
> Here's my script as per your suggestion:
>
> #!/bin/sh
> FWCMD="ipfw -q"
>
> LISTX=/usr/local/etc/fw/banlist.txt
>
> ipfw table 10 create
> ipfw table 10 flush
>
> for addr in `cat ${LISTX}`
>   do
>     ${FWCMD} table 10 add ${addr}
>   done
>
> ${FWCMD} add deny all from table\(10\) to any
>
>
> And the ipfw show | grep "table" command outputs:
> "65500   0     0 deny ip from table(10) to any", so it seems the IPs are
> added. But none of them are blocked.
>
> I restarted IPFW too, and re-ran the script again, no solution.
>
> Any idea?
>
> Thank you.
>
>
> On Mon, 17 Feb 2020 at 17:51, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> On 2/17/20 8:36 AM, Andreas X wrote:
>> <SNIP>
>>
>> > The list dramatically grows each week. How may I create a text file so that
>> > IPFW would fetch these IPs from there directly? What's the simplest way
>> > to do this please?
>>
>>
>> Looping through a file and running an ipfw command each time gets super
>> slow as the list gets long.  ipfw tables are the better way to do this:
>>
>>   FWCMD="ipfw -q"   # Firewall command
>>   OIF=em0           # NIC to outside world
>>
>>   # Address spaces we want blocked entirely are listed in this file
>>   NAUGHTYFILE=/usr/local/etc/firewall/naughtyIPs
>>
>>   # Use ipfw tables for efficiency
>>
>>   ipfw table 10 flush
>>   for addr in `cat ${NAUGHTYFILE}`
>>   do
>>     ${FWCMD} table 10 add ${addr}
>>   done
>>
>>   ${FWCMD} add deny all from table\(10\) to any via ${OIF}
>>
>> The "naughty" file can have specific IPs or CIDR blocks in it, one
>> per line:
>>
>>   95.87.0.0/18
>>   95.87.192.0/18
>>   96.246.220.34
>>   96.30.64.0/18
>>   98.143.148.107
>>
>>
>>
>>
>> HTH,
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk     tundra@tundraware.com
>> PGP Key:         http://www.tundraware.com/PGP/
>>
>
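Added example, not the thread's own script: it builds on Tim's table approach, rejects malformed banlist lines instead of handing them to ipfw, and gives the deny rule an explicit low number, because ipfw evaluates rules in ascending number order with the first match winning, so a deny added without a number lands at 65500, behind any earlier allow rules. FWCMD, table 10, rule 350 and the sample banlist are assumptions; run stand-alone it only prints what it would do.

```sh
#!/bin/sh
# Added example (not the thread's code): validate a banlist, load it into an ipfw
# table, and install the deny rule at a low number. FWCMD/TABLE/RULENUM are assumptions.
FWCMD="${FWCMD:-ipfw -q}"
TABLE="${TABLE:-10}"
RULENUM="${RULENUM:-350}"   # ipfw is first-match: an unnumbered deny lands at 65500, after the allows
# is_addr ADDR: true only for a dotted-quad IPv4 address with an optional /0-32 prefix
is_addr() {
    case "$1" in
        ""|*[!0-9./]*|.*|*.|/*|*/|*..*|*/*/*) return 1 ;;
    esac
    ip="${1%%/*}"; prefix="${1#*/}"; [ "$prefix" = "$1" ] && prefix=32
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# banlist_cmds FILE: print "table N add ADDR" per valid entry; skip blanks and
# "#" comments; report malformed entries on stderr instead of feeding them to ipfw
banlist_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="$(printf '%s' "${line%%#*}" | tr -d ' \t')"
        [ -z "$line" ] && continue
        if is_addr "$line"; then
            printf 'table %s add %s\n' "$TABLE" "$line"
        else
            printf 'rejected malformed banlist entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# apply_banlist FILE: (re)build the table and add the deny rule at $RULENUM
apply_banlist() {
    $FWCMD table "$TABLE" create 2>/dev/null   # harmless if it already exists
    $FWCMD table "$TABLE" flush
    banlist_cmds "$1" | while read -r args; do $FWCMD $args; done
    $FWCMD add "$RULENUM" deny ip from "table($TABLE)" to any
}
# Constructed sample banlist (not the thread's real list); a stand-alone run is a dry run
BANLIST="${TMPDIR:-/tmp}/banlist.example.$$"
cat > "$BANLIST" <<'EOF'
95.87.0.0/18
96.246.220.34    # trailing comment
256.1.1.1        # malformed: octet out of range
10.0.0.0/33      # malformed: prefix too long
98.143.148.107
EOF
banlist_cmds "$BANLIST" | while read -r args; do echo "would run: $FWCMD $args"; done
```

On the firewall host, call apply_banlist "$LISTX" (or set FWCMD=echo first to see the exact ipfw commands without changing anything).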


