misc/176344: Add support for firewall deny lists (workstation type)

Noor Dawod site.freebsd at orientalsensation.com
Fri Feb 22 10:10:02 UTC 2013


>Number:         176344
>Category:       misc
>Synopsis:       Add support for firewall deny lists (workstation type)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 10:10:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Noor Dawod
>Release:        9.1-PRERELEASE Wed Nov 21 UTC 2012
>Organization:
>Environment:
FreeBSD hidden 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Wed Nov 21 08:36:35 UTC 2012     root at hidden:/usr/obj/usr/src/sys/CUSTOM  amd64
>Description:
ipfw has a handy configuration section in rc.conf to ease firewalling. In the 'workstation' type, however, there is a way to allow full access for selected clients, but no way to deny it to others.

The attached patches would add that support. Since lists of IPs could grow large, I've opted to use files to hold the list of addresses, as opposed to writing the list in rc.conf.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- /etc/defaults/rc.conf	2013-02-22 09:37:36.000000000 +0000
+++ /etc/defaults/rc.conf-new	2013-02-22 09:37:44.000000000 +0000
@@ -153,6 +153,11 @@
 				# firewall.
 firewall_trusted=""		# List of IPs which have full access to this
 				# host for "workstation" firewall.
+firewall_denied=""              # List of files containing IPv4 and/or IPv6
+                                # addresses that have no access to this host.
+firewall_denied_rule="550"      # ipfw rule number used to host all rules   
+                                # denying access to hosts listed in the files
+                                # in $firewall_denied.
 firewall_logdeny="NO"		# Set to YES to log default denied incoming
 				# packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
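Review bot: the fixed default of 550 for firewall_denied_rule decides where the deny rules are evaluated relative to every other rule in the set, including the firewall_trusted pass rules that rc.firewall adds without explicit numbers (`${fwcmd} add pass ip from $i to me`), so the comment should state whether denied entries are meant to take precedence over trusted ones and what an administrator should do if 550 collides with a rule number already in use. On style, the five added lines are aligned with spaces while the neighbouring entries use tabs, and the `firewall_denied_rule="550"` line carries trailing whitespace.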

--- /etc/rc.firewall	2012-11-21 09:08:57.000000000 +0000
+++ /etc/rc.firewall-new	2013-02-22 09:40:30.000000000 +0000
@@ -433,6 +433,12 @@
 	#				 This option can seriously degrade
 	#				 the level of protection provided by
 	#				 the firewall.
+	#  firewall_denied:		List of files containing IPv4 and/or
+	#				 IPv6 addresses that have no access
+	#				 to this host.
+	#  firewall_denied_rule:	ipfw rule number used to host all
+	#				 rules denying access to hosts listed
+	#				 in the files in $firewall_denied.
 	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
 	#				 default denied packets should be
 	#				 logged (in /var/log/security).
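Review bot: the file format accepted through firewall_denied is not documented in this comment block even though it is the user-facing reference for these options; add a line stating that each file holds one IPv4/IPv6 address or CIDR per line, that lines whose first character is `#` are skipped, and that anything after the first space on a line is ignored, since that is what the loop in the next hunk implements.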
@@ -498,6 +504,31 @@
 	  ${fwcmd} add pass ip from $i to me
 	done
 
+	# If specified, deny hosts from reaching this machine.
+	for i in ${firewall_denied} ; do
+		# check that file exists first.
+		if [ -f $i ]; then
+			oldIFS=$IFS
+			IFS="
+"
+			# Go over all IPs listed in the file.
+			for ip in `cat $i` ; do
+				# Block IP if first character isn't a dash.
+				i=${ip%${ip#?}}
+				if [ $i != "#" ]; then
+					# Cut string when first space is found.
+					# Practical for Postfix files and geographic
+					# CIDR's obtained from online sources.
+					ip=`echo $ip | cut -d " " -f 1`
+
+					# Add block rule for target IP.
+					${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me
+				fi
+			done
+			IFS=$oldIFS
+		fi
+	done
+
 	${fwcmd} add 65000 count ip from any to any
 
 	# Drop packets to ports where we don't want logging
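Review bot: the comment "Block IP if first character isn't a dash" does not match the test on the following line, which compares against `#`; fix the comment, and quote the expansions (`if [ "$i" != "#" ]; then`, `[ -f "$i" ]`, `echo "$ip"`) so that an odd first character or a file name containing spaces cannot break test(1). Reusing the outer loop variable `i` to hold the first character also clobbers the current file name inside the inner loop; a separate name such as `first` avoids the confusion. Since the description says these lists can grow large, consider loading the addresses into an ipfw table and installing a single rule (`deny ip from table(N) to me`) at firewall_denied_rule rather than one rule per address, which keeps the ruleset small and makes reloading cheaper.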


>Release-Note:
>Audit-Trail:
>Unformatted:

