On 3/23/14, 8:00 AM, Matthew D. Fuller wrote:
On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
Julian Elischer, and lo! it spake thus:
comments welcome (bugs expected)
/sbin/ipfw table add 13 0.0.0.0/8
/sbin/ipfw table add 13 10.0.0.0/8
/sbin/ipfw table add 13 169.254.0.0/16
/sbin/ipfw table add 13 172.16.0.0/12
/sbin/ipfw table add 13 192.0.2.0/24
/sbin/ipfw table add 13 192.168.0.0/16
/sbin/ipfw table add 13 224.0.0.0/4
/sbin/ipfw table add 13 240.0.0.0/4
/sbin/ipfw add 2002 set 0 reject ip from any to table(13)
Missing a couple martians, and this is a bit automatable. It's sh,
after all. Out of the script on one of my servers:
Yeah, though remember this is the output stream of the script, not the
script itself.
It was loading it up from the small table I had in a "here" file in
the script. It could easily be done from a separate file.
What I'm hoping for is to make a script set where you specify a 'type'
for each interface, and the script builds itself..
e.g.
interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"
(lo0 need not be given a type)
This would firewall xn0 and tun1 and just do sanity testing on tun0
and xn1.
Julian
----------------------
# A table for ipv4 martians
# Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# NOTE: Source file doesn't have terminating newline; be sure to add one!
mtable="100"
bogfile="${mydir}/bogon-bn-agg.txt"
if [ -r "$bogfile" ]; then
    ${ipfw} table ${mtable} flush
    while read block; do
        ${ipfw} table ${mtable} add ${block}
    done < "$bogfile"
fi
# ... lots of stuff elided
# Ignore
${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
----------------------
Handy to just be able to randomly fetch(1) a new file and let the fw
keep up. Though watch out for that lacking trailing newline; I've
been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
from forgetting.
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
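As an added example (not code from either message above): a loader for the martian table that still processes the last line of the bogon file when it lacks a terminating newline, the pitfall both messages mention, and that skips blank or comment lines. Table number 100 and /sbin/ipfw are taken from the thread; the load_martians name and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Load an ipfw table of IPv4 martian/bogon prefixes, one CIDR block per line.
# Dry run by default: every ipfw command is echoed rather than executed.
# Run with ipfw=/sbin/ipfw in the environment to apply the rules for real.
ipfw="${ipfw:-echo /sbin/ipfw}"

# load_martians TABLE FILE
# Unlike "cat FILE | while read", the "read || [ -n ... ]" idiom still
# processes the final line when FILE has no terminating newline, so a
# freshly fetched bogon list cannot silently lose its last prefix.
load_martians() {
    table="$1"
    file="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    ${ipfw} table "$table" flush
    while IFS= read -r block || [ -n "$block" ]; do
        block="${block%%#*}"                              # drop comments
        block=$(printf '%s' "$block" | tr -d '[:space:]') # and whitespace
        [ -n "$block" ] || continue                       # skip blank lines
        case "$block" in
            *[!0-9./]*)   # light sanity check: only digits, dots and slash
                echo "skipping malformed entry: $block" >&2
                continue ;;
        esac
        ${ipfw} table "$table" add "$block"
    done < "$file"
}

# When given a bogon file on the command line, load it into table 100
# (the table number used in the script quoted above).
if [ -n "${1:-}" ]; then
    load_martians "${mtable:-100}" "$1"
fi
```

Refreshing the table is then just fetch(1) of the new file and a re-run of the script; the last prefix survives whether or not the upstream file ends in a newline.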