Date: Mon, 27 Oct 2014 16:37:43 +0000 From: Gary Palmer <gpalmer@freebsd.org> To: Cristiano Deana <cristiano.deana@gmail.com> Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: Re: How to block IP range Message-ID: <20141027163743.GC6851@in-addr.com> In-Reply-To: <CAO82ECEWOYTFSqHn9q1BzKBazvJgm_9atbh-EXfVSQamN4Pi1g@mail.gmail.com> References: <CBA35483CE5B4D4B804BF128A77A61650E9A16A7@HIKAWSEXMB02.ad.harman.com> <20141027162433.GB6851@in-addr.com> <CAO82ECEWOYTFSqHn9q1BzKBazvJgm_9atbh-EXfVSQamN4Pi1g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 27, 2014 at 05:30:57PM +0100, Cristiano Deana wrote:
> On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
>
> Hi
>
> >> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
>
> > tables?
> >
> > you can do things like
> >
> > table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
> > block in quick log on $ext_if_ipv4 from <blocked_hosts> to any
>
> I'm adding the fast way to build the file:
>
> sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >>
> /etc/pf/blocked_hosts.table; done'
You can also make it a bit more efficient and use a few CIDR networks. To
cover 10.0.0.1-10.0.0.100 you would need.
10.0.0.1/32
10.0.0.2/31
10.0.0.4/30
10.0.0.8/29
10.0.0.16/28
10.0.0.32/27
10.0.0.64/27
10.0.0.96/30
10.0.0.100/32
I used an ancient perl tool called 'aggis' to get the above. There are
probably more modern tools around.
Regards,
Gary
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141027163743.GC6851>