From owner-freebsd-questions@FreeBSD.ORG Wed Sep 21 17:20:27 2011
From: Pegasus Mc Cleaft
Organization: Feathers
To: freebsd-questions@freebsd.org
Date: Wed, 21 Sep 2011 18:04:53 +0100
User-Agent: KMail/1.13.7 (FreeBSD/9.0-BETA2; KDE/4.6.5; amd64; ; )
References: <20110921130608.GA3759@mauricio-desktop>
In-Reply-To: <20110921130608.GA3759@mauricio-desktop>
Message-Id: <201109211804.53830.ken@mthelicon.com>
Subject: Re: Blacklisting DOS IPs

On Wednesday 21 September 2011 14:06:08 Mauricio López wrote:
> I'm thinking about making a script using awk and pftop output to watch
> for states that have more than 1Mb of traffic (regular DNS queries
> aren't that big) and put those hosts in a table for blocking. My
> question is if there is some other more efficient solution for this
> problem.
>
> Thanks in advance

Hi Mauricio,

I don't know if this will help you, but this is a script I made years ago
that I use on my machines. I call the script using cron once a day and let
IPFW do the filtering for me.

HTH
Peg

#!/bin/sh
# Automatically fetch the Spamhaus DROP zone ban list
cd /root
# Abort if the download fails, so the existing rules in set 11 are kept
/usr/bin/fetch http://www.spamhaus.org/drop/drop.lasso || exit 1
# Drop all rules in set 11 from the firewall
/sbin/ipfw delete set 11
# Starting rule number
Counter=1000
# Parse the file and cut out the piece we want: the first field of each
# non-comment line is the network prefix
for i in `cut -d " " -f 1 drop.lasso | grep -v ";"`
do
    echo "Adding rule for: $i "
    Counter=`expr $Counter + 1`
    # Add the rule into set 11, one rule per direction
    /sbin/ipfw add $Counter set 11 deny ip from $i to any
    Counter=`expr $Counter + 1`
    /sbin/ipfw add $Counter set 11 deny ip from any to $i
done
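The same DROP-list blocking done with a single ipfw lookup table and strict input validation, as an added example that is not Peg's script or anything else from the thread. Table number 10, rule number 1000, the fetch and ipfw paths, and the sample file (constructed from RFC 5737 documentation ranges) are all assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: load the DROP list into one
# ipfw lookup table instead of two rules per prefix. Only lines that parse as
# an IPv4 CIDR are accepted, so a malformed or tampered feed cannot pass
# arbitrary tokens to ipfw, and the table is only replaced after a good fetch.
TABLE=${TABLE:-10}      # assumed table number
RULE=${RULE:-1000}      # assumed number of the first of the two table rules
URL=${URL:-http://www.spamhaus.org/drop/drop.lasso}

# Print the valid IPv4 CIDRs from a drop.lasso-style file ($1), one per line.
drop_to_cidrs() {
    sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' "$1" |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# Turn the CIDRs in $1 into an ipfw command file (flush, then one add per prefix).
ipfw_table_script() {
    echo "table $TABLE flush"
    drop_to_cidrs "$1" | sed "s|^|table $TABLE add |"
}

# Fetch the list and install it; a failed or empty fetch leaves the old table alone.
install_drop_list() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/drop.XXXXXX") || exit 1
    trap 'rm -f "$tmp" "$tmp.ipfw"' EXIT
    /usr/bin/fetch -q -o "$tmp" "$URL" || { echo "fetch failed" >&2; exit 1; }
    drop_to_cidrs "$tmp" | grep -q . || { echo "no usable prefixes" >&2; exit 1; }
    ipfw_table_script "$tmp" > "$tmp.ipfw"
    /sbin/ipfw -q "$tmp.ipfw"
    # Replace the two rules that consult the table; their count never grows.
    /sbin/ipfw -q delete "$RULE" "$((RULE + 1))" 2>/dev/null || true
    /sbin/ipfw -q add "$RULE" deny ip from "table($TABLE)" to any
    /sbin/ipfw -q add "$((RULE + 1))" deny ip from any to "table($TABLE)"
}

# Constructed drop.lasso-style sample (RFC 5737 ranges) for exercising the parser.
sample_drop_file() {
    printf '%s\n' \
        '; Spamhaus DROP List (constructed sample, not the real feed)' \
        '192.0.2.0/24 ; SBL0001' \
        '198.51.100.0/24   ' \
        '999.0.113.0/24 ; rejected: octet out of range' \
        '203.0.113.0/33 ; rejected: prefix length out of range' \
        '203.0.113.5 ; rejected: no prefix length' \
        '203.0.113.0/24 to any ; rejected: extra tokens' \
        '203.0.113.0/24' > "$1"
}

case "${1:-}" in run) install_drop_list ;; esac   # only acts when told to
```

Run it from cron as `sh drop2table.sh run`; without the argument it only defines the functions, which is how the parser can be exercised against the constructed sample.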