Date: Mon, 17 Feb 2020 08:49:41 -0600
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Blacklist IP file for IPFW?
Message-ID: <9585fce4-b48d-a210-d62f-a2100c0cf929@tundraware.com>
In-Reply-To: <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com>
References: <CAEW8WPsMvq7bdAQ4cu=RYZQ=PfXMmbUUQ-yi_0qUAjt-nWTf=Q@mail.gmail.com>

On 2/17/20 8:36 AM, Andreas X wrote:
<SNIP>
> The list dramatically grows each week. How may I create a text file so that
> IPFW would fetch these IPs from there directly? What's the simplest way to
> do this please?

Looping through a file and running an ipfw command each time gets super slow
as the list gets long. ipfw tables are the better way to do this:

    FWCMD="ipfw -q"   # Firewall command
    OIF=em0           # NIC to outside world

    # Address spaces we want blocked entirely are listed in this file
    NAUGHTYFILE=/usr/local/etc/firewall/naughtyIPs

    # Use ipfw tables for efficiency
    ipfw table 10 flush
    for addr in `cat ${NAUGHTYFILE}`
    do
        ${FWCMD} table 10 add ${addr}
    done

    ${FWCMD} add deny all from table\(10\) to any via ${OIF}

The "naughty" file can have specific IPs or CIDR blocks in it, one per line:

    95.87.0.0/18
    95.87.192.0/18
    96.246.220.34
    96.30.64.0/18
    98.143.148.107

HTH,
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
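
Added example, not part of the original message: a blocklist file that "dramatically grows each week" will eventually pick up a typo or a stray word, so this sketch validates each line as an IPv4 address or CIDR block and emits the table commands as one batch that ipfw can read from a file in a single invocation. The function names (valid_entry, gen_table_cmds, sample_blocklist) and the bad sample lines are constructed for illustration; table 10 is the one used in the message above.

```sh
#!/bin/sh
# Added example (not from the original post): blocklist -> ipfw batch file.

# valid_entry ADDR: succeeds only for a dotted-quad IPv4 address or IPv4 CIDR.
valid_entry() {
    case $1 in
        */*) ip=${1%/*}; len=${1##*/} ;;
        *)   ip=$1; len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# gen_table_cmds FILE TABLE: prints "table TABLE flush", then one
# "table TABLE add ADDR" per valid line. Blank lines and '#' comments are
# skipped; anything else is reported on stderr and left out of the batch.
gen_table_cmds() {
    file=$1; table=$2
    echo "table $table flush"
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in *'#'*) entry=${entry%%#*}; rest= ;; esac
        case $rest in '#'*) rest= ;; esac
        [ -z "$entry$rest" ] && continue
        if [ -z "$rest" ] && valid_entry "$entry"; then
            echo "table $table add $entry"
        else
            echo "skipped invalid entry: $entry $rest" >&2
        fi
    done < "$file"
}

# Constructed sample: two entries from the post plus deliberately bad lines.
sample_blocklist() {
    printf '%s\n' '# weekly additions' '95.87.0.0/18' \
        '  96.246.220.34   # single host' '98.143.148.107/40' \
        '95.87.192' '96.30.64.0/18 extra'
}

# Demo: print the batch for the sample. On a real host, write it to a file
# and load it once with: ipfw -q /absolute/path/to/batchfile
tmp=$(mktemp) && sample_blocklist > "$tmp"
gen_table_cmds "$tmp" 10
rm -f "$tmp"
```

ipfw requires an absolute pathname when it reads commands from a file; the deny rule from the message above is still added separately.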