Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 18 Jan 2009 14:57:53 -0700
From:      Kim Shrier <kim@tinker.com>
To:        fbsdmail@dnswatch.com
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: possible to block one address on all ports?
Message-ID:  <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>
In-Reply-To: <1528c4e04e7e0d186cf8a9d9c4974ad6.dnswclient@webmail.dnswatch.com>
References:  <1528c4e04e7e0d186cf8a9d9c4974ad6.dnswclient@webmail.dnswatch.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Jan 18, 2009, at 1:38 AM, fbsdmail@dnswatch.com wrote:

> Greetings,
> I have what I hope is a simple question that I /hope/ has a simple
> option. Here's my scenario; My current filtering is done on an  
> application/
> service level. While I'm anxious to migrate this to IPFW, I'm don't  
> yet
> have the time available that will be required. But I have a  
> situation that
> requires the need to drop any, and all requests from one single IP  
> address.
> So I thought I might seize this situation as an opportunity to "get my
> feet wet" with IPFW. So here's my question;
> Is it possible for me to use IPFW without altering any traffic -  
> that is;
> nothing changes on incoming/outgoing EXCEPT where this /evil/ IP is
> concerned?
> Or, can I start IPFW, and use it to ONLY drop all requests from this
> /evil/ IP
> no matter which ports that IP makes a request on?
> I can? Can/would anyone be willing to tell me how?
> Apologies in advance, I realize this is pretty "ground level stuff".  
> But I
> feel if I could get a good start, getting up to speed from there  
> will be a
> greatly shortened learning curve.
>
> Thank you for all your time and consideration.
>
> --Chris
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw- 
> unsubscribe@freebsd.org"
>


In order to use ipfw, you need to have it compiled into your kernel or
you need to load the ipfw.so kernel module and then you need to enable
filtering and finally you need to specify some rules to control the
filtering.

I am going to assume that you don't have ipfw compiled into your kernel
and will need to load the kernel module.

Probably the easiest way to get started is to define the following
variables in /etc/rc.conf or /etc/rc.conf.local, your preference.

firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"

These directives enable ipfw, tell it to block nothing, and enables  
logging
of blocked packets.  You can then startup ipfw with the following  
command:

# /etc/rc.d/ipfw start

You can view the filtering rules that are installed with this command:

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

The following discription of what happens is oversimplified but is  
accurate
enough to get you started with ipfw.  Each filter rule has a rule  
number.
When a packet comes in, it is compared to each rule until there is a  
match.
When there is a match, the specified action is carried out.  In the  
rules
above, the only action is allow or deny.  There are other actions but  
you
can learn about them later as you get more comfortable with ipfw.

The first rule (100) allows all ip traffic that goes through the  
loopback
interface to go on through.  This basically says that anything on the
machine that wants to talk to anything else on the machine via the  
loopback
interface should be allowed to do it.

The second rule (200) blocks anything whose destination ip is to the  
127.0.0.0
network.  The reason you want to block these packets is because  
legitimate
network packets going to the 127.0.0.0 network should be on the lo0  
interface.
Those packets would have been matched by rule 100 and already  
allowed.  They
would never get to rule 200.  So packets going to the 127.0.0.0  
network but
not on the lo0 interface are blocked.

The third rule (300) is similar to rule 200 except that if blocks  
packets
that have a source address on the 127.0.0.0 network that are not on  
the lo0
interface.  Once again, legitimate packets coming from a 127.0.0.0  
network
address should be on lo0 and already allowed by rule 100.

The fourth rule (65000) allows all ip packets with any source address  
and any
destination address to go on through the filter.

The fifth rule (65535) is installed by ipfw as the default rule.  It  
blocks
all ip packets that have not been explicitly allowed or blocked by  
previous
rules.

Once you have these rules in place, it is easy to add a rule to block  
traffic
from the evil machine.  Assuming that you want to block all ip traffic,
including TCP, UDP, ICMP, etc., you can insert a rule after 300 and  
before
65000 to do this.

# ipfw add 1000 deny log ip from www.xxx.yyy.zzz to any

This defines a filter rule numbered 1000 that will be evaluated after  
rule
300.  It will deny (drop) all ip packets with a source address of
www.xxx.yyy.zzz and any destination address.  It will also log this  
event
to /var/log/security.  If you don't want to log these packets, you can
remove the word "log" from the above command.

Viewing your rules should give you the following:

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 deny log ip from www.xxx.yyy.zzz to any
65000 allow ip from any to any
65535 deny ip from any to any

This gives you an open firewall that only blocks packets from the evil
machine and spoofed 127.0.0.0/8 packets.

Kim

--
  Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
   Tinker Internet Services - Superior FreeBSD-based Web Hosting
                      http://www.tinker.com/





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4A2B0C19-799B-4C09-A887-8FDC6AE0B019>