The FreeBSD Diary

IP Filter - using rule groups for blocking IP blocks 27 December 1999
This article discusses my strategy for using rule groups for blocking IP blocks on the fly.  For more information on how rule groups work, please read the documents found at http://www.obfuscation.org/ipf/
The background
Today I was trying to find a way to block specific IP addresses or address ranges on the fly, for short-term purposes.  Perhaps someone is attacking your site, or there is a rogue mail server you want to block until it can be fixed.  If I decide to block long term, I'll move the rules into /etc/ipf.conf.

At first I tried doing something like this:

echo "block in quick from 1.2.3.6/32 to any group 100" | ipf -f -

This appends the rule to the end of group 100.  However, that is ineffective if you already have a "pass in quick" rule earlier in the group, because "quick" stops rule processing at the first match (and I did have one).  So I needed a way to insert blocking rules ahead of all the other rules.

The idea - add another rule group
I came up with the idea of adding another rule group to do nothing but block.  All rules in this group deal only with blocking.  That allows me to insert blocking rules further up in the rule tree, and because each is a "block in quick", the rules further down never see the blocked packets.
The rule group changes
I run a dual homed host (i.e. a box with two network cards; one goes to my ISP, the other goes to my LAN, see topology).  So the start of my rules looks like this:
block in  log on ed0 all head 100
block out log on ed0 all head 150

block in  log on ed1 all head 200
block out log on ed1 all head 250

I decided to change my groups to be like this:

block in  log on ed0 all head 10

#
# if under attack, block here in group 10 (and possibly 15)
#

block in  log on ed0 all head 100 group 10
block out log on ed0 all head 150

block in  log on ed1 all head 200
block out log on ed1 all head 250

As you can see, I added a new rule group (10) and put group 100 under that group: the "head 100" rule now belongs to group 10, so a packet reaches group 100 only after the rules in group 10 have been checked without a quick match.  With my normal rule set (/etc/ipf.conf), I don't have any rules in group 10.  I use that group only for my short-term blocking.

The script
Now I can use this little script, blockrange.sh, to add an IP address or a range:
#!/bin/sh
# $1 is the address or CIDR range to block; $2 is optional and is passed
# straight through to ipf (give -r to remove the rule instead of adding it).
echo "block in quick from $1 to any group 10" | ipf $2 -f -

Remember to chmod the script to 770.

Now I can block a specific IP address with this simple command:

./blockrange.sh 1.2.3.6

I can also block a whole class C network (a /24) with this:

./blockrange.sh 1.2.3.6/24

You can also remove a block with this (the -r becomes $2 and is passed through to ipf):

./blockrange.sh 1.2.3.6/24 -r
What's next?
I have no idea.  I was toying with the idea of keeping a list of rules added using this script.  This would serve two purposes.
  1. The list could be used to clear out the rules which have been added.
  2. If necessary, you could use the list to copy/paste into /etc/ipf.conf if you decide to make the blocks permanent.
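The following is an added example, written for this page and not code from the article or from the FreeBSD project: an extended blockrange.sh that does what the script above does and also keeps the list of added rules described under "What's next", so the rules can be flushed in one go or printed for pasting into /etc/ipf.conf.  The rule text, group 10, and the use of "ipf -f -" and "ipf -r -f -" are the article's own; everything else is assumed: the list file path /var/db/blockrange.list, the explicit /32 added to a bare host address, the dotted-quad check that rejects anything that is not an address before it is spliced into a rule, and the IPF_CMD override, which exists only so the script can be exercised on a machine without IP Filter.

```shell
#!/bin/sh
# Extended blockrange.sh (added example): adds or removes short-term blocks in
# ipf group 10 and records every rule it adds in a list file, so the rules can
# later be flushed together or copied into /etc/ipf.conf.
# Assumed, not from the article: the list file location, the /32 suffix for
# bare hosts, the address check, and the IPF_CMD override used for dry runs.

IPF_CMD="${IPF_CMD:-ipf}"                          # set to a stand-in for dry runs
BLOCKLIST="${BLOCKLIST:-/var/db/blockrange.list}"  # assumed location of the list
GROUP="${GROUP:-10}"                               # the blocking-only group

# Accept only a dotted-quad address with an optional /prefix length, so that
# nothing but an address ever becomes part of the rule text handed to ipf.
valid_target() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Build the rule text; a bare host address gets an explicit /32.
build_rule() {
    case "$1" in
        */*) printf 'block in quick from %s to any group %s\n' "$1" "$GROUP" ;;
        *)   printf 'block in quick from %s/32 to any group %s\n' "$1" "$GROUP" ;;
    esac
}

# Number of rules currently recorded in the list (0 if the file is absent).
count_blocks() {
    if [ -f "$BLOCKLIST" ]; then
        wc -l < "$BLOCKLIST" | tr -d ' '
    else
        echo 0
    fi
}

# Load the rule into the kernel and remember it, skipping exact duplicates.
add_block() {
    valid_target "$1" || { echo "blockrange: bad address '$1'" >&2; return 1; }
    rule=$(build_rule "$1")
    if [ -f "$BLOCKLIST" ] && grep -Fxq "$rule" "$BLOCKLIST"; then
        return 0
    fi
    printf '%s\n' "$rule" | "$IPF_CMD" -f - && printf '%s\n' "$rule" >> "$BLOCKLIST"
}

# Remove the rule from the kernel (ipf -r) and drop it from the list.
remove_block() {
    valid_target "$1" || { echo "blockrange: bad address '$1'" >&2; return 1; }
    rule=$(build_rule "$1")
    printf '%s\n' "$rule" | "$IPF_CMD" -r -f - || return 1
    if [ -f "$BLOCKLIST" ]; then
        grep -Fxv "$rule" "$BLOCKLIST" > "$BLOCKLIST.tmp" || true
        mv "$BLOCKLIST.tmp" "$BLOCKLIST"
    fi
}

# Remove every rule recorded in the list from the kernel, then empty the list.
flush_blocks() {
    [ -f "$BLOCKLIST" ] || return 0
    "$IPF_CMD" -r -f - < "$BLOCKLIST" || return 1
    : > "$BLOCKLIST"
}

usage() {
    echo "usage: $0 <addr[/len]> | -r <addr[/len]> | -l | -f" >&2
    return 1
}

main() {
    case "$1" in
        -r)    [ $# -eq 2 ] || { usage; return 1; }; remove_block "$2" ;;
        -l)    [ -f "$BLOCKLIST" ] && cat "$BLOCKLIST"; return 0 ;;  # paste-ready list
        -f)    flush_blocks ;;
        -*|"") usage ;;
        *)     add_block "$1" ;;
    esac
}

# Dispatch only when run with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

"./blockrange.sh 1.2.3.6" and "./blockrange.sh 1.2.3.0/24" add rules exactly as before, "./blockrange.sh -r 1.2.3.6" removes one, "-l" prints the recorded rules in a form that can go straight into /etc/ipf.conf, and "-f" removes every recorded rule at once.  After any change, "ipfstat -io" shows the rules actually loaded in the kernel, which is the check worth running, since the list file only records what the script was told to do.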

Offhand, this sounds like the beginnings of a good little port.
