Date: Mon, 17 Feb 2020 18:54:55 +0300
From: Andreas X <hamdi20193d@gmail.com>
To: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Blacklist IP file for IPFW?
Message-ID: <CAEW8WPunc9+-7qybkrnDep3R08ApgjBkA2n=fi+yU8psTJRkNg@mail.gmail.com>
In-Reply-To: <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com>
References: <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com> <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com>
Dear Tim,

I applied your suggestion, however it seems IPFW doesn't ban the IP addresses in the list. (I've added a useless VPS IP of mine to the list, to test it, but I could still ping the server from that IP.)

Here's my script as per your suggestion:

    #!/bin/sh
    FWCMD="ipfw -q"
    LISTX=/usr/local/etc/fw/banlist.txt   # one IP or CIDR block per line

    ipfw table 10 create
    ipfw table 10 flush
    for addr in $(cat ${LISTX})
    do
        ${FWCMD} table 10 add ${addr}
    done
    ${FWCMD} add deny all from table\(10\) to any

And the "ipfw show | grep table" command outputs:

    65500 0 0 deny ip from table(10) to any

so it seems the IPs are added. But none of them are blocked. I restarted IPFW too, and re-ran the script again, no solution.

Any idea?

Thank you.

Tim Daneliuk <tundra@tundraware.com> wrote the following on Mon, 17 Feb 2020 at 17:51:

> On 2/17/20 8:36 AM, Andreas X wrote:
> <SNIP>
> > The list dramatically grows each week. How may I create a text file so that
> > IPFW would fetch these IPs from there directly? What's the simplest way to
> > do this please?
>
> Looping through a file and running an ipfw command each time gets super slow as
> the list gets long.
> ipfw tables are the better way to do this:
>
> FWCMD="ipfw -q"            # Firewall command
> OIF=em0                    # NIC to outside world
>
> # Address spaces we want blocked entirely are listed in this file
> NAUGHTYFILE=/usr/local/etc/firewall/naughtyIPs
>
> # Use ipfw tables for efficiency
>
> ipfw table 10 flush
> for addr in `cat ${NAUGHTYFILE}`
> do
>     ${FWCMD} table 10 add ${addr}
> done
>
> ${FWCMD} add deny all from table\(10\) to any via ${OIF}
>
> The "naughty" file can have specific IPs or CIDR blocks in it, one
> per line:
>
> 95.87.0.0/18
> 95.87.192.0/18
> 96.246.220.34
> 96.30.64.0/18
> 98.143.148.107
>
> HTH,
>
> ----------------------------------------------------------------------------
> Tim Daneliuk                                        tundra@tundraware.com
> PGP Key:                                 http://www.tundraware.com/PGP/
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
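The following script is an added example and is not code from either message in the thread. It combines the table approach Tim describes with two things a practitioner would want when a banlist reload goes live: the whole list is loaded with one ipfw invocation from a generated command file instead of one ipfw process per address, and the deny rule is installed at an explicit low rule number. The second point is also the most likely explanation for the symptom Andreas reports, although the thread itself does not settle it: ipfw evaluates rules in numeric order and stops at the first match, and "ipfw add" with no number appends after the existing rules, so a deny that lands at 65500 behind an earlier "allow ip from any to any" never sees a packet (the zero counters in the pasted "ipfw show" line are consistent with that). The staging table, the swap, the table numbers 10 and 11, rule number 100 and the banlist path are all assumptions of this example; it assumes the FreeBSD 11 or newer ipfw, which has "table ... create" and "table ... swap". Entries are validated as IPv4 addresses or CIDR blocks before they reach ipfw so one typo in the file does not abort a reload halfway through.

```shell
#!/bin/sh
# Added example, not from the thread: load an IPFW banlist into a table and
# install the deny rule ahead of any allow rule.
# Assumes FreeBSD 11+ ipfw (tables with "create"/"swap"). Table numbers,
# rule number and banlist path are hypothetical choices.
set -f                        # no globbing while we word-split entries

TABLE_LIVE=${TABLE_LIVE:-10}  # table the deny rule refers to
TABLE_NEW=${TABLE_NEW:-11}    # staging table, swapped in once fully loaded
RULE_NO=${RULE_NO:-100}       # low number: ipfw is first-match, so the deny
                              # must sort before "allow ip from any to any"
FWCMD="ipfw -q"

# valid_cidr4 ADDR: succeed only if ADDR is a dotted-quad IPv4 address with
# an optional /0-32 prefix length. Everything else is rejected so a bad
# banlist line cannot become an ipfw parse error mid-reload.
valid_cidr4() {
    local ip plen oldifs o
    ip=${1%%/*}
    case $1 in */*) plen=${1#*/} ;; *) plen=32 ;; esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case $ip in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_batch: read a banlist on stdin (one entry per line, '#' comments and
# blank lines allowed) and write ipfw commands on stdout, one
# "table N add ADDR" per valid entry. Invalid entries go to stderr and are
# skipped. A command file means one ipfw run for the whole list.
build_batch() {
    local line entry
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        set -- $entry             # default IFS: trims surrounding whitespace
        entry=${1:-}
        [ -n "$entry" ] || continue
        if valid_cidr4 "$entry"; then
            printf 'table %s add %s\n' "$TABLE_NEW" "$entry"
        else
            printf 'banlist: skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    return 0
}

# apply_banlist FILE: stage the list in TABLE_NEW, swap it into TABLE_LIVE in
# one step (no window with a half-empty live table), then (re)install the
# deny rule at RULE_NO. Run as root on the firewall host.
apply_banlist() {
    local batch
    batch=$(mktemp -t banlist) || return 1
    $FWCMD table "$TABLE_LIVE" create type addr 2>/dev/null || true
    $FWCMD table "$TABLE_NEW"  create type addr 2>/dev/null || true
    $FWCMD table "$TABLE_NEW"  flush
    build_batch < "$1" > "$batch"
    $FWCMD "$batch"                        # ipfw reads commands from the file
    rm -f "$batch"
    $FWCMD table "$TABLE_LIVE" swap "$TABLE_NEW"
    $FWCMD table "$TABLE_NEW"  flush
    $FWCMD delete "$RULE_NO" 2>/dev/null || true
    $FWCMD add "$RULE_NO" deny ip from "table($TABLE_LIVE)" to any
}

# Usage: sh banlist.sh apply /usr/local/etc/fw/banlist.txt
case "${1:-}" in
    apply) apply_banlist "$2" ;;
esac
```

After a reload, "ipfw show" should list the deny at rule 100 (or whatever RULE_NO you chose) above every allow rule, and "ipfw table 10 list" shows what is in the live table; a ping from a listed address should then bump the packet counter on that rule. Tim's version restricts the rule with "via em0" to the outside interface; add the same "via" clause to the "add" line if traffic arriving on internal interfaces must not be affected.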