I have a grown list of IPs that I am "deny ip from ###.### to any". Infected machines, hackers, etc.. Is there a way to have this list outside of rc.firewall and just read it in?
In message <20041120133048.N7533@zoraida.natserv.net>, Francisco Reyes writes:

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..

If the list is long it may be almost as good, if not better, to use
blackhole routes for it.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

Sure. If you set 'firewall_type' in /etc/rc.conf to the name of a file
(eg. /etc/rules.ipfw), then record your firewall ruleset as a series of
'add rule' commands inside that file, it will be read straight into
ipfw(8) -- eg:

    # /sbin/ipfw /etc/rules.ipfw

where the initial contents of the rules file could be generated from the
currently loaded ruleset by:

    # /sbin/ipfw list | sed -e 's,^,add ,'

Additionally you can use the '-p preproc' flag to pass the rules file
through a preprocessor, such as m4(1), which potentially allows you to
insert blocks of rules by including other files, but that requires
having quite a bit of m4-fu.

Alternatively, if you want to manage your list of ad-hoc deny rules
separately to your standard rule set, you can just run ipfw(8) against a
set of 'add' rules whenever you need to make changes. If you make use of
the ipfw set command, you will be easily able to manipulate your ad-hoc
rules without trashing your regular ruleset. The ipfw set functionality
is available by default in RELENG_5, but it is an extension that has to
be explicitly turned on in RELENG_4 -- see the section "USING IPFW2 IN
FreeBSD-STABLE" within the ipfw(8) man page.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
> Date: Sat, 20 Nov 2004 13:32:15 -0500 (EST)
> From: Francisco Reyes <lists@natserv.com>

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..

OK....

> Is there a way to have this list outside of rc.firewall and just read it
> in?

Sure, if you modify rc.firewall or use a different mechanism to construct
the rules.

The supplied rc.firewall is a shell script; see ". file" in man sh for
one way to read the contents of another file into a shell script.

You could also generate the ipfw commands via some other (combination
of) (scripting) language(s), including Perl or m4 -- as long as each
such component you use is available at the time it is first invoked
(rather early in the boot process).

A lot is likely to depend on how dynamic the "grown list" is.

Peace,
david
--
David H. Wolfskill                              david@catwhisker.org
I resent spammers because spam is a DoS attack on my time.

See http://www.catwhisker.org/~david/publickey.gpg for public key.
On Sat, 20 Nov 2004, Poul-Henning Kamp wrote:

> If the list is long it may be almost as good, if not better, to use
> blackhole routes for it.

I was not familiar with the term. Looking in Google came up with a link.
However in that link they recommend against that method.
http://tinyurl.com/5r5cl

Also any link on how to implement it?
What would be the advantage of that route vs ipfw?
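An added example, not from anyone in this thread: a POSIX sh script that reads the deny list from a separate file (the approach several replies suggest), validates each entry so a typo cannot abort the load halfway, honours a whitelist, and emits either ipfw 'add' lines that all land in one dedicated rule set (so the list can later be replaced with ipfw's set commands without touching the rest of the ruleset, as Matthew describes) or the blackhole-route commands Poul-Henning mentions. The set numbers 20/21, rule number 210, the list file layout and the sample addresses are my own assumptions; the ipfw set and route(8) -blackhole invocations in load_ipfw are written from the man pages and need root on a FreeBSD box, so only the generator part is exercised here.

```sh
#!/bin/sh
# Added example: build ipfw rules or blackhole routes from an external deny
# list. Assumed file format: one IPv4 address or CIDR prefix per line,
# '#' comments and blank lines allowed. Set/rule numbers are arbitrary.

DENY_SET=20      # rule set holding the whole deny list (assumption)
DENY_RULE=210    # rule number used for every deny rule (assumption)

# valid_ipv4 ADDR[/LEN]: 0 if ADDR is a syntactically sane IPv4 address or
# prefix, 1 otherwise. Entries failing this are skipped, not loaded.
valid_ipv4() {
    addr=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32          # no '/': treat as a single host
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# read_list FILE: print usable entries, one per line, with comments,
# blank lines and surrounding whitespace removed.
read_list() {
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }' "$1"
}

# whitelisted ADDR FILE: 0 if ADDR appears verbatim (whole line) in FILE.
whitelisted() {
    [ -f "$2" ] && grep -qxF "$1" "$2"
}

# gen_rules MODE LISTFILE [WHITELIST]: one command per valid, non-whitelisted
# entry. MODE=ipfw emits 'add' lines for "ipfw rulesfile"; MODE=route emits
# route(8) commands that install blackhole routes via the loopback address.
gen_rules() {
    mode=$1; list=$2; white=${3:-/nonexistent}
    for ip in $(read_list "$list"); do
        if ! valid_ipv4 "$ip"; then
            echo "ERROR: $ip is not a valid IPv4 address or prefix, skipped" >&2
            continue
        fi
        if whitelisted "$ip" "$white"; then
            echo "ERROR: $ip is whitelisted, not blocking" >&2
            continue
        fi
        case $mode in
            ipfw)  echo "add $DENY_RULE set $DENY_SET deny ip from $ip to any" ;;
            route) case $ip in
                       */*) echo "route add -net $ip 127.0.0.1 -blackhole" ;;
                       *)   echo "route add -host $ip 127.0.0.1 -blackhole" ;;
                   esac ;;
        esac
    done
}

# load_ipfw RULESFILE: replace the live deny set with no window in which
# neither the old nor the new list is in force. New rules are loaded into a
# disabled staging set, the two set numbers are swapped, and the old rules
# (now carrying the staging number) are deleted. ipfw2 'set' support assumed.
load_ipfw() {
    stage=$((DENY_SET + 1))
    tmp=$(mktemp) || return 1
    sed "s/ set $DENY_SET / set $stage /" "$1" > "$tmp"
    ipfw set disable "$stage" &&
    ipfw -q "$tmp" &&
    ipfw set swap "$DENY_SET" "$stage" &&
    ipfw delete set "$stage"
    rc=$?; rm -f "$tmp"; return $rc
}

# --- constructed sample input (documentation prefixes, not real data) -----
demo=$(mktemp -d)
cat > "$demo/deny.txt" <<'EOF'
# example deny list
192.0.2.10          # single host
198.51.100.0/24     # whole prefix
203.0.113.5
999.1.1.1           # invalid, will be skipped
  10.0.0.7          # whitelisted, will be skipped
EOF
printf '10.0.0.7\n' > "$demo/whitelist.txt"

gen_rules ipfw "$demo/deny.txt" "$demo/whitelist.txt" > "$demo/rules.ipfw"
cat "$demo/rules.ipfw"
# On a FreeBSD host, as root:  load_ipfw "$demo/rules.ipfw"
```

The generator is the part worth reusing: feed its ipfw output to `ipfw /path/to/rules.ipfw` as in Matthew's reply, or its route output to sh, after reviewing it. Validation happens before anything touches the kernel, which matters because ipfw stops at the first line it cannot parse and would otherwise leave a partially loaded list.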
On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

I don't know how strong your bond with ipfw is, but it seems like pf has
exactly what you need. For example:

#--- excerpts from pf documentation ---

Tables can also be populated from text files containing a list of IP
addresses and networks:

    table <spammers> persist file "/etc/spammers"
    block in on fxp0 from <spammers> to any

Tables can be manipulated on the fly by using pfctl(8). For instance, to
add entries to the <spammers> table created above:

    # pfctl -t spammers -T add 218.70.0.0/16

#--- excerpts from pf documentation ---

If ipfw isn't a tradition in your family, you might want to consider
switching to pf for those specific needs. :)

Andrew
You (Francisco Reyes) wrote on Sat, Nov 20, 2004 at 07:32:15PM CET:

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
>
> Is there a way to have this list outside of rc.firewall and just read it
> in?

hi *,

simply add a:

    for i in `cat denied_badhackers` ; do ...

into your ipfw script. It's just shell :)

regards,
marc

--
Marc Sztochay - mailto:msztochay@pilgerer.org
Francisco Reyes wrote:

> I have a grown list of IPs that I am "deny ip from ###.### to any".
> Infected machines, hackers, etc..
> Is there a way to have this list outside of rc.firewall and just
> read it in?

Lots of good recommendation in this thread. Our own is a customized
rc.firewall script <http://www.roble.com/docs/rc.firewall> to parse
multiple blacklist files, by IP and by port, with a little error
checking:

    ## $IPFW, $BLACKLIST and $WHITELIST are set earlier in the full script.
    ## Blacklist files: $BLACKLIST (block all IP) and $BLACKLIST.<port>
    ## (block that port only).

    filterfile () {
      ## Strip comments, leading whitespace and trailing text, then
      ## process each unique address.
      for ip in `grep -hv '^#' "$1" | \
          sed -e 's/^[[:space:]]*//' -e 's/#.*$//' -e 's/[[:space:]].*$//' | \
          sort -u | grep -v '^$'` ; do
        if [ "`echo $ip | grep '^[1-9]'`" = "" ] || \
           [ "`echo $ip | egrep '([a-z]|[A-Z]|^0|^255)'`" != "" ]; then
          echo "ERROR: $ip is not a valid IP address"
          continue
        elif [ "`echo $ip | egrep $WHITELIST`" != "" ]; then
          ## TO DO: better whitelist parsing.
          echo "ERROR: $ip is whitelisted"
          continue
        elif [ "$port" = "" ]; then
          ## Block IP if no port is specified.
          $IPFW add 210 deny ip from $ip to any
        elif [ $port = 53 ]; then
          ## Block both tcp and udp if port = DNS.
          $IPFW add 211 deny tcp from $ip to any $port
          $IPFW add 211 deny udp from $ip to any $port
        else
          ## Else: block tcp (and not udp).
          $IPFW add 212 deny tcp from $ip to any $port
        fi
      done
    }

    for file in `ls $BLACKLIST $BLACKLIST.[1-9]*` ; do
      if [ ! -s "$file" ]; then
        echo "WARNING: empty $file"
        continue
      elif [ "$file" = "$BLACKLIST" ]; then
        port=""
      else
        ## The port is the last dot-separated component of the file name.
        port="`echo $file | awk -F. '{print $NF}'`"
        if [ $port -lt 1 ] || [ $port -gt 65000 ]; then
          echo "ERROR: invalid port: $port"
          continue
        fi
      fi
      echo "PROCESSING: ${file} port: ${port}"
      filterfile "$file"
    done

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/