From owner-freebsd-pf@FreeBSD.ORG  Mon Oct 27 16:37:55 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 99B3879C;
 Mon, 27 Oct 2014 16:37:55 +0000 (UTC)
Received: from mail.in-addr.com (mail.in-addr.com
 [IPv6:2a01:4f8:191:61e8::2525:2525])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5A659FB4;
 Mon, 27 Oct 2014 16:37:55 +0000 (UTC)
Received: from gjp by mail.in-addr.com with local (Exim 4.84 (FreeBSD))
 (envelope-from <gpalmer@freebsd.org>)
 id 1XinId-0002is-Pw; Mon, 27 Oct 2014 16:37:43 +0000
Date: Mon, 27 Oct 2014 16:37:43 +0000
From: Gary Palmer <gpalmer@freebsd.org>
To: Cristiano Deana <cristiano.deana@gmail.com>
Subject: Re: How to block IP range
Message-ID: <20141027163743.GC6851@in-addr.com>
References: <CBA35483CE5B4D4B804BF128A77A61650E9A16A7@HIKAWSEXMB02.ad.harman.com>
 <20141027162433.GB6851@in-addr.com>
 <CAO82ECEWOYTFSqHn9q1BzKBazvJgm_9atbh-EXfVSQamN4Pi1g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAO82ECEWOYTFSqHn9q1BzKBazvJgm_9atbh-EXfVSQamN4Pi1g@mail.gmail.com>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: gpalmer@freebsd.org
X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 16:37:55 -0000

On Mon, Oct 27, 2014 at 05:30:57PM +0100, Cristiano Deana wrote:
> On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
> 
> Hi
> 
> >> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
> 
> > tables?
> >
> > you can do things like
> >
> > table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
> > block in quick log on $ext_if_ipv4 from <blocked_hosts> to any
> 
> I'm adding the fast way to build the file:
> 
> sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >>
> /etc/pf/blocked_hosts.table; done'

You can also make it a bit more efficient and use a few CIDR networks.  To
cover 10.0.0.1-10.0.0.100 you would need.

          10.0.0.1/32
          10.0.0.2/31
          10.0.0.4/30
          10.0.0.8/29
         10.0.0.16/28
         10.0.0.32/27
         10.0.0.64/27
         10.0.0.96/30
        10.0.0.100/32

I used an ancient perl tool called 'aggis' to get the above.  There are
probably more modern tools around.

Regards,

Gary