Date:      Sun, 23 Mar 2014 08:29:09 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        "Matthew D. Fuller" <fullermd@over-yonder.net>
Cc:        ipfw@freebsd.org, Ian Smith <smithi@nimnet.asn.au>
Subject:   Re: ipfw dynamic rules
Message-ID:  <532EFDC5.7060605@freebsd.org>
In-Reply-To: <20140323150014.GE96701@over-yonder.net>
References:  <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> <20140322151155.184d5229@gumby.homeunix.com> <532E723C.2090109@freebsd.org> <532E7398.5090607@freebsd.org> <20140324000439.F87212@sola.nimnet.asn.au> <532EF401.80506@freebsd.org> <20140323150014.GE96701@over-yonder.net>

On 3/23/14, 8:00 AM, Matthew D. Fuller wrote:
> On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
> Julian Elischer, and lo! it spake thus:
>> comments welcome (bugs expected)
>>
>>
>> /sbin/ipfw table add 13 0.0.0.0/8
>> /sbin/ipfw table add 13 10.0.0.0/8
>> /sbin/ipfw table add 13 169.254.0.0/16
>> /sbin/ipfw table add 13 172.16.0.0/12
>> /sbin/ipfw table add 13 192.0.2.0/24
>> /sbin/ipfw table add 13 192.168.0.0/16
>> /sbin/ipfw table add 13 224.0.0.0/4
>> /sbin/ipfw table add 13 240.0.0.0/4
>>
>> /sbin/ipfw add 2002 set 0 reject ip from any to table(13)
> Missing a couple martians, and this is a bit automatable.  It's sh,
> after all.  Out of the script on one of my servers:

yeah though remember this is the output stream of the script, not the 
script itself..
it was loading it up from the small table I had in a "here" file in 
the script.. could easily be done from a separate file...

What I'm hoping for is to make a script set where you specify a 'type' 
for each interface, and the script builds itself..
e.g.

interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"

(lo0 need not be given a type)
this would firewall xn0 and tun1 and just do sanity testing on tun0 
and xn1

Julian



>
>
> ----------------------
> # A table for ipv4 martians
> # Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
> # NOTE: Source file doesn't have terminating newline; be sure to add one!
> mtable="100"
> bogfile="${mydir}/bogon-bn-agg.txt"
> if [ -r "$bogfile" ]; then
> 	${ipfw} table ${mtable} flush
> 	cat $bogfile | while read block ; do
> 		${ipfw} table ${mtable} add ${block} ;
> 	done
> fi
>
> # ... lots of stuff elided
>
> # Ignore
> ${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
> ----------------------
>
>
> Handy to just be able to randomly fetch(1) a new file and let the fw
> keep up.  Though watch out for that lacking trailing newline; I've
> been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
> from forgetting.
>
>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?532EFDC5.7060605>
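Added example, written for this page and not code from Julian, Matthew or
the FreeBSD project. It puts the two halves of the thread into one POSIX sh
script: a table loader that survives the missing trailing newline Matthew
warns about (and refuses anything that is not an IPv4 prefix, so a fetched
error page cannot become a rule), and Julian's "give each interface a type
and let the script build itself" idea. Everything that is not in the
messages above is my assumption: the fw_<if>_type variable naming, the type
words hostile / trusted / nat (other words such as "local" are ignored),
the rule bodies, table number 13, and the constructed bogon file. The script
never runs ipfw; it prints the command stream, which is what Julian's
original output above is, so it can be reviewed offline and piped to sh on
the gateway.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It prints the ipfw
# command stream it would run (nothing touches the kernel), built from a bogon
# file and one fw_<if>_type string per interface, in the style Julian sketches.
# Table syntax is the pre-11.x "ipfw table N add" form used in the thread.

ipfw="/sbin/ipfw"   # printed only, never executed here
mtable=13           # martian table number, as in Julian's output stream
rule=1000           # last rule number handed out
natid=0             # last in-kernel NAT instance number handed out

# Constructed stand-in for bogon-bn-agg.txt: a comment, a blank line and, on
# purpose, no newline after the last entry (the pitfall Matthew describes).
make_bogon_file() {
    printf '# constructed list\n0.0.0.0/8\n10.0.0.0/8\n\n169.254.0.0/16\n224.0.0.0/3' > "$1"
}

# Accept only a.b.c.d or a.b.c.d/len with sane octets and prefix length, so a
# comment, a typo or an HTML error page fetched in place of the list never
# turns into a rule.
is_cidr() {
    case $1 in
        */*) addr=${1%%/*}; len=${1#*/} ;;
        *)   addr=$1;       len=32 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $len  in ''|*[!0-9]*)             return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Flush the table and add every valid entry. The "|| [ -n "$line" ]" makes the
# loop body run for a final line that has no terminating newline, which is
# exactly how 224.0.0.0/3 went missing in Matthew's script.
load_table() {
    printf '%s table %s flush\n' "$ipfw" "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        is_cidr "$line" || continue
        printf '%s table %s add %s\n' "$ipfw" "$1" "$line"
    done < "$2"
}

emit() { rule=$((rule + 10)); printf '%s add %s %s\n' "$ipfw" "$rule" "$1"; }

# Rules for one interface, driven by the words in fw_<if>_type. The vocabulary
# (hostile, trusted, nat; other words such as "local" are ignored) is my
# assumption. An interface with no type, like lo0, gets no rules at all.
rules_for() {
    ifn=$1
    # the name is spliced into a variable name via eval, so refuse anything odd
    case $ifn in *[!A-Za-z0-9_]*|'') echo "rules_for: bad interface name '$ifn'" >&2; return 1 ;; esac
    eval "itype=\${fw_${ifn}_type:-}"
    [ -n "$itype" ] || return 0
    # 1. sanity test on every typed interface: no martians in, none out
    emit "deny ip from table($mtable) to any in via $ifn"
    emit "deny ip from any to table($mtable) out via $ifn"
    # 2. in-kernel NAT. Emitted after the martian checks: with the default
    #    net.inet.ip.fw.one_pass=1 a packet the nat rule handles is accepted
    #    right there and never reaches later rules.
    case " $itype " in *" nat "*)
        natid=$((natid + 1))
        printf '%s nat %s config if %s reset\n' "$ipfw" "$natid" "$ifn"
        emit "nat $natid ip from any to any via $ifn"
    ;; esac
    # 3. policy: hostile gets stateful outbound only, trusted is open
    case " $itype " in
        *" hostile "*)
            emit "check-state"
            emit "allow ip from any to any out via $ifn keep-state"
            emit "deny log ip from any to any in via $ifn"
            ;;
        *" trusted "*)
            emit "allow ip from any to any via $ifn"
            ;;
    esac
}

# The self-building part: the interface list and types are the whole policy.
interfaces="xn0 xn1 tun0 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"

generate() {
    load_table "$mtable" "$1"
    for i in $interfaces; do rules_for "$i"; done
    emit "deny ip from any to any"     # default closed
}

bogfile=$(mktemp) && make_bogon_file "$bogfile"
generate "$bogfile"                     # pipe to sh on the gateway to apply
rm -f "$bogfile"
```

Two things to check before applying the output on a real box: the martian
checks are deliberately placed ahead of the nat rule because of
net.inet.ip.fw.one_pass, so if you set one_pass=0 revisit the ordering; and
newer FreeBSD releases want the table created first (ipfw table 13 create
type addr), which the pre-11.x command stream above does not do. See
ipfw(8) for the release you run.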