On 3/23/14, 8:00 AM, Matthew D. Fuller wrote:
On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
Julian Elischer, and lo! it spake thus:
comments welcome (bugs expected)


/sbin/ipfw table add 13 0.0.0.0/8
/sbin/ipfw table add 13 10.0.0.0/8
/sbin/ipfw table add 13 169.254.0.0/16
/sbin/ipfw table add 13 172.16.0.0/12
/sbin/ipfw table add 13 192.0.2.0/24
/sbin/ipfw table add 13 192.168.0.0/16
/sbin/ipfw table add 13 224.0.0.0/4
/sbin/ipfw table add 13 240.0.0.0/4

/sbin/ipfw add 2002 set 0 reject ip from any to table(13)
Missing a couple martians, and this is a bit automatable.  It's sh,
after all.  Out of the script on one of my servers:

Yeah, though remember this is the output stream of the script, not the script itself. It was loading it up from the small table I had in a "here" file in the script; it could easily be done from a separate file.

What I'm hoping for is to make a script set where you specify a 'type' for each interface, and the script builds itself.
e.g.

interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"

(lo0 need not be given a type.)
This would firewall xn0 and tun1 and just do sanity testing on tun0 and xn1.

Julian
----------------------
# A table for ipv4 martians
# Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# NOTE: Source file doesn't have terminating newline; be sure to add one!
# (${ipfw} and ${mydir} are set earlier in the full script, elided here.)
mtable="100"
bogfile="${mydir}/bogon-bn-agg.txt"
if [ -r "$bogfile" ]; then
        ${ipfw} table ${mtable} flush
        # one prefix per line; read straight from the file, no cat needed
        while read -r block ; do
                ${ipfw} table ${mtable} add "${block}"
        done < "$bogfile"
fi

# ... lots of stuff elided

# Ignore
${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
----------------------


Handy to just be able to randomly fetch(1) a new file and let the fw
keep up.  Though watch out for that lacking trailing newline; I've
been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
from forgetting.
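As an added example (not code from either poster), here is a dry-run sh script that combines the two ideas above: it reads a martian list from a file without losing an unterminated last line, and emits ipfw rules per interface from fw_<if>_type variables. Only the "hostile"/"trusted" distinction is implemented; the table number, rule numbers and sample prefixes are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the ipfw commands it would
# run (like the "output stream" Julian posted) instead of executing them.

ipfw="echo /sbin/ipfw"   # dry run; set ipfw=/sbin/ipfw to apply for real
mtable=13                # constructed table number

# Flush table $mtable and add every prefix in file $1. The `|| [ -n "$block" ]`
# keeps `read` from discarding a final line that has no trailing newline,
# the gotcha Matthew mentions with the team-cymru file.
load_martians() {
    $ipfw table "$mtable" flush
    while IFS= read -r block || [ -n "$block" ]; do
        case "$block" in ''|'#'*) continue ;; esac   # skip blanks and comments
        $ipfw table "$mtable" add "$block"
    done < "$1"
}

# Emit rules for interface $1 starting at rule number $2, keyed on the word
# "hostile" or "trusted" in fw_<if>_type. Untyped interfaces (lo0) get nothing.
rules_for() {
    iface=$1; base=$2
    eval "iftype=\${fw_${iface}_type:-}"
    case "$iftype" in
    *hostile*)   # drop martian sources inbound and martian destinations outbound
        $ipfw add "$base" deny ip from "table($mtable)" to any in via "$iface"
        $ipfw add "$((base + 1))" deny ip from any to "table($mtable)" out via "$iface"
        ;;
    *trusted*)   # sanity check only: reject sources that fail the reverse-path test
        $ipfw add "$base" deny ip from any to any not verrevpath in via "$iface"
        ;;
    esac
}

# Demo with a constructed prefix list; note the missing newline after the last one.
demo_file=$(mktemp)
printf '# constructed sample\n10.0.0.0/8\n192.168.0.0/16\n224.0.0.0/4' > "$demo_file"
load_martians "$demo_file"
rm -f "$demo_file"
fw_xn0_type="hostile nat"; fw_xn1_type="trusted local"
n=2000
for i in xn0 xn1 lo0; do rules_for "$i" "$n"; n=$((n + 10)); done
```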
