The FreeBSD Diary
Providing practical examples since 1998If you buy from Amazon USA, please support us by using this link.
IP Filter - using rule groups for blocking IP blocks 27 December 1999
|This article discusses my strategy for using rule groups for blocking IP blocks on the fly. For more information on how rule groups work, please read the documents found at http://www.obfuscation.org/ipf/|
|Today I was trying to find a way to block specific IP addresses or block on the fly
for short term purposes. Perhaps someone is attacking your site or there is a rogue
mail server you want to block until it can be fixed. If I decide to block long term,
I'll move the rules into /etc/ipf.conf.
At first I tried doing something like this:
echo "block in quick from 22.214.171.124/32 to any group 100" | ipf -f -
This will add the above rule to the end of the list for group 100. However, that will be ineffective if you have any "pass in quick" rule, which I did. So I needed a way to add blocking rules in before any other rules.
The idea - add another rule group
|I came up with the idea of a adding another rule group to do nothing but block. All rules in this group will deal only with blocking. That will allow me to insert blocking rules further up in the rule tree which rules further down will never see because of the "block in quick".|
The rule group changes
|I run a dual homed host (i.e. a box with two network cards; one goes to my ISP, the
other goes to my LAN, see topology). So the start of my
rules looks like this:
block in log on ed0 all head 100 block out log on ed0 all head 150 block in log on ed1 all head 200 block out log on ed1 all head 250
I decided to change my groups to be like this:
block in log on ed0 all head 10 # # if under attack, block here in group 10 (and possibly 15) # block in log on ed0 all head 100 group 10 block out log on ed0 all head 150 block in log on ed1 all head 200 block out log on ed1 all head 250
As you can see, I added a new rule group (10) and put group 100 under that group. With my normal rule set (/etc/ipf.conf), I don't have any rules in group 10. I use that group only for my short-term blocking.
|Now I can use this little script to add an IP address or a rang
#!/bin/sh echo "block in quick from $1 to any group 10" | ipf $2 -f -
Remember to chmod the script to 770.
Now I can block a specific IP address with this simple command:
I can also block a class C address with this:
You can also remove a block with this:
./blockrange.sh 126.96.36.199/24 -r
|I have no idea. I was toying with the idea of keeping a list of rules added
using this script. This would serve two purposes.
Offhand, this sounds like the beginnings of a good little port.