Date:      Sun, 18 Jan 2009 14:57:53 -0700
From:      Kim Shrier <>
Subject:   Re: possible to block one address on all ports?

On Jan 18, 2009, at 1:38 AM, wrote:

> Greetings,
> I have what I hope is a simple question that I /hope/ has a simple
> option. Here's my scenario: my current filtering is done on an
> application/service level. While I'm anxious to migrate this to IPFW, I
> don't yet have the time available that will be required. But I have a
> situation that requires the need to drop any, and all requests from one
> single IP address. So I thought I might seize this situation as an
> opportunity to "get my feet wet" with IPFW. So here's my question:
> Is it possible for me to use IPFW without altering any traffic - that is,
> nothing changes on incoming/outgoing EXCEPT where this /evil/ IP is
> concerned? Or, can I start IPFW, and use it to ONLY drop all requests
> from this /evil/ IP no matter which ports that IP makes a request on?
> I can? Can/would anyone be willing to tell me how?
> Apologies in advance, I realize this is pretty "ground level stuff". But
> I feel if I could get a good start, getting up to speed from there will
> be a greatly shortened learning curve.
> Thank you for all your time and consideration.
> --Chris

In order to use ipfw, you need to have it compiled into your kernel or
you need to load the kernel module, then you need to enable filtering,
and finally you need to specify some rules to control the

I am going to assume that you don't have ipfw compiled into your kernel
and will need to load the kernel module.

Probably the easiest way to get started is to define the following
variables in /etc/rc.conf or /etc/rc.conf.local, your preference.


These directives enable ipfw, tell it to block nothing, and enable logging
of blocked packets.  You can then start ipfw with the following command:

# /etc/rc.d/ipfw start

You can view the filtering rules that are installed with this command:

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
65000 allow ip from any to any
65535 deny ip from any to any

The following description of what happens is oversimplified but is
enough to get you started with ipfw.  Each filter rule has a rule number.
When a packet comes in, it is compared to each rule until there is a match.
When there is a match, the specified action is carried out.  In the rules
above, the only action is allow or deny.  There are other actions but you
can learn about them later as you get more comfortable with ipfw.

The first rule (100) allows all ip traffic that goes through the lo0
interface to go on through.  This basically says that anything on the
machine that wants to talk to anything else on the machine via the lo0
interface should be allowed to do it.

The second rule (200) blocks anything whose destination ip is to the
network.  The reason you want to block these packets is because
network packets going to the network should be on the lo0 interface.
Those packets would have been matched by rule 100 and already allowed.  They
would never get to rule 200.  So packets going to the network but
not on the lo0 interface are blocked.

The third rule (300) is similar to rule 200 except that it blocks packets
that have a source address on the network that are not on the lo0
interface.  Once again, legitimate packets coming from a
address should be on lo0 and already allowed by rule 100.

The fourth rule (65000) allows all ip packets with any source address and any
destination address to go on through the filter.

The fifth rule (65535) is installed by ipfw as the default rule.  It denies
all ip packets that have not been explicitly allowed or blocked by

Once you have these rules in place, it is easy to add a rule to block traffic
from the evil machine.  Assuming that you want to block all ip traffic,
including TCP, UDP, ICMP, etc., you can insert a rule after 300 and before
65000 to do this.

# ipfw add 1000 deny log ip from to any

This defines a filter rule numbered 1000 that will be evaluated after rule
300.  It will deny (drop) all ip packets with a source address of and any
destination address.  It will also log this to /var/log/security.  If you
don't want to log these packets, you can remove the word "log" from the
above command.

Viewing your rules should give you the following:

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
01000 deny log ip from to any
65000 allow ip from any to any
65535 deny ip from any to any

This gives you an open firewall that only blocks packets from the evil
machine and spoofed packets.


  Kim Shrier - principal, Shrier and Deihl -
Remote Unix Network Admin, Security, Internet Software Development
   Tinker Internet Services - Superior FreeBSD-based Web Hosting
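As an added example (not part of Kim's reply and not ipfw's own code), here is a small POSIX sh evaluator that reads ipfw list output and reports the first rule a packet would hit, which is how ipfw itself decides: first match wins. It assumes the addresses elided above are the loopback network 127.0.0.0/8 in rules 200 and 300, and it uses 192.0.2.10 as a constructed stand-in for the evil address; the second ruleset shows why the deny must be numbered below 65000.

```shell
#!/bin/sh
# Added example (not from the original message): evaluate "ipfw list" text
# the way ipfw does, first match wins, for a packet on a non-lo0 interface.
# Assumes rules 200/300 use the loopback net 127.0.0.0/8; 192.0.2.10 is a
# constructed stand-in for the "evil" address.

ip_to_int() {            # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

addr_matches() {         # PATTERN ("any", host, or CIDR) IP
    case $1 in
        any) return 0 ;;
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    m=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# first_match RULES SRC DST: prints "<number> <action>" of the first matching rule
first_match() {
    printf '%s\n' "$1" | while read -r num action rest; do
        [ -n "$num" ] || continue
        case " $rest " in *" via lo0 "*) continue ;; esac   # packet is not on lo0
        from=${rest#* from }; from=${from%% *}
        to=${rest#* to };     to=${to%% *}
        if addr_matches "$from" "$2" && addr_matches "$to" "$3"; then
            echo "$num $action"; break
        fi
    done
}

# Constructed "ipfw list" output: the open ruleset plus the deny at 1000.
RULES_GOOD='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 deny log ip from 192.0.2.10 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Same rules, but the deny numbered above 65000: the allow-all wins first.
RULES_LATE=$(printf '%s\n' "$RULES_GOOD" | sed 's/^01000/65100/' | sort)

first_match "$RULES_GOOD" 192.0.2.10 10.0.0.5   # 01000 deny
first_match "$RULES_GOOD" 10.0.0.7   10.0.0.5   # 65000 allow
first_match "$RULES_GOOD" 10.0.0.7   127.0.0.1  # 00200 deny (spoofed loopback dst)
first_match "$RULES_LATE" 192.0.2.10 10.0.0.5   # 65000 allow: deny is too late
```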
