using tables with ipfw


Robert Huff

Jun 9, 2021, 11:55:22 AM
to ques...@freebsd.org

I've read the man page ... and am insufficiently enlightened.
Is there a place with clear examples on how to use tables with
ipfw? Specifically, adding entries to a table and having the new
values take effect?


Respectfully,


Robert Huff



_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Valeri Galtsev

Jun 9, 2021, 12:29:45 PM
to freebsd-...@freebsd.org


On 6/9/21 10:55 AM, Robert Huff wrote:
>
> I've read the man page ... and am insufficiently enlightened.
> Is there a place with clear examples on how to use tables with
> ipfw? Specifically, adding entries to a table and having the new
> values take effect?
>

I am not enlightened either; what I do is pretty simple...

This is what I do when I use ipfw tables (e.g. blocking port 25 access
from unwanted networks; my users will send from these networks via port
465 as authenticated users...):

1. I put unwanted networks into the file /usr/local/etc/xxxx.spam like this:

1.0.0.0/8
26.0.0.0/8
36.16.0.0/12
49.64.0.0/11
58.208.0.0/12
59.0.0.0/8
60.0.0.0/8
106.0.0.0/8
114.224.0.0/12
# ....

2. Then I create the table and fill it with the above:

ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add

3. I have the following in my /etc/ipfw.rules:

$cmd 618 deny all from 'table(1)' to [my IP here]/32 25 in via $pif

(where $pif is the public interface, defined at the beginning of ipfw.rules)

4. To re-create the table on the fly after adding a new block of addresses:

ipfw table 1 list
ipfw table 1 flush
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add
ipfw table 1 list

5. And for things to happen at the start, the /etc/ipfw.rules has the
following lines close to the beginning of the file:

# Create table
ipfw table 1 create
cat /usr/local/etc/xxxx.spam | xargs -n1 ipfw table 1 add


This pretty much covers all I do with tables. Oh, I forgot one thing:
you can also add to tables what sshguard produces quite similarly, just
by piping sshguard's file of IPs into a separate table...


I hope this helps.

Valeri


--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
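The reload procedure above (flush, then re-add every line with xargs) leaves a short window in which the table is empty and the port-25 deny rule matches nothing. The script below is an added example, not code from the thread: it reads a list file in the same format, skips comment and blank lines, fills a staging table and swaps it in so the rule never sees an empty table. It assumes FreeBSD 11 or newer ipfw (named tables and "table ... swap"); the table name "spam" and the "_stage" suffix are this example's own choices, and the list is assumed to be IPv4 only, as above.

```shell
#!/bin/sh
# Added example, not from the thread: reload an ipfw address table from a
# list file in the format shown above, without the empty-table window that
# "flush; add ..." leaves open (a deny rule keyed on the table briefly
# matches nothing while the table is being refilled).
# Assumes FreeBSD 11+ ipfw with named tables and "table ... swap"; the table
# name "spam" and the staging-table suffix "_stage" are this example's choices.
# IPFW may be overridden (IPFW=echo) to print the commands instead of running them.
IPFW="${IPFW:-ipfw}"

# Print the usable entries of a list file: drop "#" comments and blank lines,
# keep only lines that look like an IPv4 address or prefix (a list like the
# one above is IPv4 only; anything else is a typo that should not reach ipfw).
list_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Emit the ipfw subcommands that rebuild TABLE from FILE via a staging table:
# fill the staging table, swap it in atomically, then empty the old contents.
reload_commands() {
    file="$1"; table="$2"; stage="${table}_stage"
    printf 'table %s create type addr\n' "$table" "$stage"
    printf 'table %s flush\n' "$stage"
    list_entries "$file" | while IFS= read -r entry; do
        printf 'table %s add %s\n' "$stage" "$entry"
    done
    printf 'table %s swap %s\n' "$table" "$stage"
    printf 'table %s flush\n' "$stage"
}

# Run the commands. "create" fails harmlessly when the table already exists,
# so its error output is discarded; any other failure is reported.
reload_table() {
    reload_commands "$1" "$2" | while IFS= read -r cmd; do
        case "$cmd" in
            *" create "*) $IPFW $cmd 2>/dev/null || true ;;
            *) $IPFW $cmd || echo "ipfw $cmd failed" >&2 ;;
        esac
    done
}

# Usage: reload_table /usr/local/etc/xxxx.spam spam
# Afterwards "ipfw table spam lookup 1.2.3.4" shows which prefix (if any) an
# address matches, which is the quick check that the new values took effect.
```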

Lowell Gilbert

Jun 9, 2021, 2:33:36 PM
to Robert Huff, ques...@freebsd.org
Robert Huff <rober...@rcn.com> writes:

> I've read the man page ... and am insufficiently enlightened.
> Is there a place with clear examples on how to use tables with
> ipfw? Specifically, adding entries to a table and having the new
> values take effect?

I was going to show you my firewall script, but
the default /etc/rc.firewall is as good an example:
it uses a table for RFC1918 addresses.

Be well.