From: "Jack L. Stone" <jackstone@sage-one.net>
To: James, "Simon L. Nielsen"
Cc: FreeBSD - ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: Denying multiple IP's
Date: Mon, 30 Aug 2004 08:51:50 -0500
In-Reply-To: <20040830043833.GA41637@scylla.towardex.com>
References: <20040824205513.GJ760@zaphod.nitro.dk> <412B6A23.1000708@makeworld.com>
Message-Id: <3.0.5.32.20040830085150.01f1d220@10.0.0.10>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

At 12:38 AM 8.30.2004 -0400, James wrote:
>On Tue, Aug 24, 2004 at 10:55:13PM +0200, Simon L. Nielsen wrote:
>> On 2004.08.24 11:17:39 -0500, Chris wrote:
>> > I'm working with a friend of mine w/ipfw. Below are IP's that are trying
>> > to hack in via ssh. I suggested to use something in the form of:
>> >
>> > # Allow in SFTP, SSH, and SCP from public Internet
>> > ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup
>> > limit src-addr 4
>> >
>> > But he mentions that he needs access to his box from potential client
>> > sites where the IP is unknown.
>> >
>> > There has to be a better way to block the below - suggestions?
>>
>> If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you
>> could use the new table feature. Otherwise if you use ipfw2 you could
>> use "or-blocks" e.g.
>>
>> ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any
>
>Good call, but unfortunately, this is not very good in performance either..
>
>If you use latest kernel, your ipfw2 should have the lookup tables patch which
>uses radix lookup. { blah or bleh or x or y or z } list is a linear lookup,
>causing the system to look up twice in linear fashion to come to a match. It is
>not exactly any better in terms of performance efficiency than adding hundreds
>of straight ipfw rules each with an IP address specification.
>
>Try this if you have tables feature:
>
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>ipfw table 1 add x.x.x.x/32
>
>ipfw add 300 deny ip from table(1) to any
>
>No matter how many elements you got in table 1, due to radix/patricia trie
>lookup as with kernel routing table, the time spent in looking thru firewall
>elements is O(32) constant.
>
>To demonstrate the efficiency:
>
>Test #1: Start with 1 ipfw rule (the last rule 65535 being allow all) that
>denies one ip address on the DUT. Flood the remote tester device that is not
>denied by the ipfw rule. Start the test, and increment the ipfw rules from 1
>to 10. Result:
>
>1 rule: 140kpps
>2 rules: 140kpps
>3 rules: 138kpps
>4 rules: 137kpps
>5 rules: 135kpps
>6 rules: 135kpps
>7 rules: 132kpps
>8 rules: 133kpps
>9 rules: 131kpps
>10 rules: 129kpps
>
>Test #2: Perform the exact same test above, however use a lookup table to store
>the elements from 1 to 10:
>
>1 element in table: 140kpps
>2 elements in table: 140kpps
>3 elements in table: 140kpps
>4 elements in table: 141kpps
>5 elements in table: 140kpps
>6 elements in table: 139kpps
>7 elements in table: 140kpps
>8 elements in table: 142kpps
>9 elements in table: 140kpps
>10 elements in table: 140kpps
>
>
>> or something like that.
>>
>> In any case there is probably no need to have separate tcp/udp rules,
>> you could just use "ip" and block all traffic from the IP's.
>>
>> > #
>> > # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
>> > #
>> >
>> > ${fwcmd} add 300 deny tcp from 24.79.68.179 to any
>> > ${fwcmd} add 301 deny udp from 24.79.68.179 to any
>> > ${fwcmd} add 302 deny tcp from 64.246.20.123 to any
>> > ${fwcmd} add 303 deny udp from 64.246.20.123 to any
>> > ${fwcmd} add 304 deny tcp from 81.223.99.90 to any
>> > ${fwcmd} add 305 deny udp from 81.223.99.90 to any
>> > ${fwcmd} add 306 deny tcp from 140.112.124.123 to any
>> > ${fwcmd} add 307 deny udp from 140.112.124.123 to any
>> > ${fwcmd} add 308 deny tcp from 193.145.87.3 to any
>> > ${fwcmd} add 309 deny udp from 193.145.87.3 to any
>> > ${fwcmd} add 310 deny tcp from 203.186.157.37 to any
>> > ${fwcmd} add 311 deny udp from 203.186.157.37 to any
>> > ${fwcmd} add 312 deny tcp from 210.204.129.11 to any
>> > ${fwcmd} add 313 deny udp from 210.204.129.11 to any
>> > ${fwcmd} add 314 deny tcp from 211.60.219.250 to any
>> > ${fwcmd} add 315 deny udp from 211.60.219.250 to any
>> > ${fwcmd} add 316 deny tcp from 211.252.9.126 to any
>> > ${fwcmd} add 317 deny udp from 211.252.9.126 to any
>> > ${fwcmd} add 318 deny tcp from 218.21.129.105 to any
>> > ${fwcmd} add 319 deny udp from 218.21.129.105 to any
>> > ${fwcmd} add 320 deny tcp from 218.49.183.17 to any
>> > ${fwcmd} add 321 deny udp from 218.49.183.17 to any
>> > ${fwcmd} add 322 deny tcp from 218.102.19.78 to any
>> > ${fwcmd} add 323 deny udp from 218.102.19.78 to any
>> > ${fwcmd} add 324 deny tcp from 218.237.66.152 to any
>> > ${fwcmd} add 325 deny udp from 218.237.66.152 to any
>> > ${fwcmd} add 326 deny tcp from 221.3.131.80 to any
>> > ${fwcmd} add 327 deny udp from 221.3.131.80 to any
>> >
>> > # Everything else is denied by default
>>
>> --
>> Simon L. Nielsen
>> FreeBSD Documentation Team
>

Running FBSD-4.10-p2/ipfw2

I don't know if I do it the best way, but this method certainly works well
for me. I place it early at the top before NAT so that effort is not needed
either. Plus, it denies *all* packets of any kind. Plus2, I let ipfw assign
the rule numbers:

#${fwcmd} add deny all from 168.226.97.0/24 to any via ${oif}
#${fwcmd} add deny all from 83.114.157.0/24 to any via ${oif}
#${fwcmd} add deny all from 69.88.27.0/24 to any via ${oif}
#${fwcmd} add deny all from 68.79.28.0/24 to any via ${oif}

I haven't tried the tables and haven't investigated that yet.

Best regards,
Jack L. Stone, Administrator
SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
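The thread's central claim is that an ipfw lookup table answers "is this source address in the table?" with a radix lookup bounded by the address width (32 steps for IPv4) no matter how many entries it holds, whereas an or-block or one rule per address is a linear scan. The following is an added example written for this page, not code from the thread or from FreeBSD: a small uncompressed binary prefix trie that makes the bound visible, a linear scan for comparison, and a renderer that emits the `ipfw table N add` / `deny ip from table(N)` commands James posted. The deny-list is built from the addresses and /24 blocks posted by Chris and Jack. The trie is an illustration of the data structure only; the kernel's radix tree is path-compressed and stores entries differently, but the same per-bit bound applies. `PrefixTable`, `linear_lookup`, `ipfw_commands` and `build_table` are names chosen here.

```python
"""Added example: why an ipfw lookup table beats an or-block for a long deny-list.

Not part of the mailing-list thread; the trie is a toy model of a radix lookup
and the addresses are the ones the thread participants posted.
"""
import ipaddress

# Deny-list constructed from the thread: Chris's single hosts and Jack's /24s.
DENY_LIST = [
    "24.79.68.179", "64.246.20.123", "81.223.99.90", "140.112.124.123",
    "193.145.87.3", "203.186.157.37", "210.204.129.11", "211.60.219.250",
    "211.252.9.126", "218.21.129.105", "218.49.183.17", "218.102.19.78",
    "218.237.66.152", "221.3.131.80",
    "168.226.97.0/24", "83.114.157.0/24", "69.88.27.0/24", "68.79.28.0/24",
]


class PrefixTable:
    """Binary trie keyed on IPv4 address bits; a node carries a prefix if one ends there."""

    def __init__(self):
        self._root = {}      # node = {"0": child, "1": child, "prefix": "a.b.c.d/n"}
        self.entries = []

    @staticmethod
    def _bits(addr, plen):
        # Most-significant bit first, truncated to the prefix length.
        return format(int(addr), "032b")[:plen]

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)   # bare "1.2.3.4" becomes /32
        if net.version != 4:
            raise ValueError("this example models IPv4 tables only")
        node = self._root
        for b in self._bits(net.network_address, net.prefixlen):
            node = node.setdefault(b, {})
        node["prefix"] = str(net)
        self.entries.append(str(net))

    def lookup(self, ip):
        """Return (longest matching prefix or None, trie steps taken).

        Steps never exceed 32 for IPv4, regardless of len(self.entries).
        """
        node = self._root
        best = node.get("prefix")
        steps = 0
        for b in self._bits(ipaddress.ip_address(ip), 32):
            node = node.get(b)
            if node is None:
                break                      # no entry shares this bit path: stop early
            steps += 1
            if node.get("prefix"):
                best = node["prefix"]      # keep the most specific match so far
        return best, steps


def linear_lookup(deny_list, ip):
    """What an or-block or one-rule-per-address list costs: compare every entry in turn."""
    target = ipaddress.ip_address(ip)
    comparisons = 0
    for cidr in deny_list:
        comparisons += 1
        if target in ipaddress.ip_network(cidr, strict=False):
            return cidr, comparisons
    return None, comparisons


def ipfw_commands(deny_list, table=1, rule=300):
    """Render the table-based ruleset from the thread: one table add per entry, one deny rule."""
    cmds = [f"ipfw table {table} add {ipaddress.ip_network(c, strict=False)}"
            for c in deny_list]
    cmds.append(f"ipfw add {rule} deny ip from table({table}) to any")
    return cmds


def build_table(deny_list=DENY_LIST):
    table = PrefixTable()
    for cidr in deny_list:
        table.add(cidr)
    return table


if __name__ == "__main__":
    t = build_table()
    for probe in ("24.79.68.179", "168.226.97.200", "218.102.19.78", "8.8.8.8"):
        print(probe, "trie:", t.lookup(probe), "linear:", linear_lookup(DENY_LIST, probe))
    print("\n".join(ipfw_commands(DENY_LIST)))
```

The trie's step count is bounded by the prefix length that matches (32 for a /32, 24 for a /24) or stops earlier when no entry shares the path, while the linear scan's cost grows with the position of the match and pays the full list length for every non-matching packet, which is exactly the flood case James measured. In production the table is also easier to maintain than editing rule numbers: entries can be added and removed with `ipfw table N add` / `delete` without touching the ruleset.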