misc/176347: Add support for firewall deny lists (workstation type)

Noor Dawod site.freebsd at orientalsensation.com
Fri Feb 22 10:50:02 UTC 2013


>Number:         176347
>Category:       misc
>Synopsis:       Add support for firewall deny lists (workstation type)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 10:50:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Noor Dawod
>Release:        9.1-PRERELEASE Wed Nov 21 UTC 2012
>Organization:
>Environment:
FreeBSD hidden 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Wed Nov 21 08:36:35 UTC 2012     root at hidden:/usr/obj/usr/src/sys/CUSTOM  amd64
>Description:
ipfw has a handy configuration section in rc.conf to ease firewalling. In the 'workstation' type, however, there is a way to allow full access for selected clients, but no way to deny it to others.

The attached patches would add that support. Since lists of IPs could grow big, I've opted to use files to host the list of addresses, as opposed to writing the list in rc.conf.

I've made it possible so that either all IP-related traffic is blocked, or specific TCP ports are blocked. The user can decide that easily via rc.conf.

Please note that this supersedes pr=176344, which I sent an hour ago; this PR adds support for selective TCP ports.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- /etc/defaults/rc.conf	2013-02-22 09:37:36.000000000 +0000
+++ /etc/defaults/rc.conf-new	2013-02-22 10:42:15.000000000 +0000
@@ -153,6 +153,14 @@
 				# firewall.
 firewall_trusted=""		# List of IPs which have full access to this
 				# host for "workstation" firewall.
+firewall_denied=""		# List of files containing IPv4 and/or IPv6
+				# addresses that have no access to this host.
+firewall_denied_rule="550"	# ipfw rule number used to host all rules
+				# denying access to this host.
+firewall_denied_services="*"	# List of TCP ports on which this host
+				# denies services for "workstation" firewall.
+				# If '*' is entered, then all services will
+				# be blocked, TCP or UDP.
 firewall_logdeny="NO"		# Set to YES to log default denied incoming
 				# packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
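Review bot: the comment on firewall_denied_services is internally inconsistent: it is described as a "List of TCP ports", yet the '*' case says "all services will be blocked, TCP or UDP", and the rc.firewall hunk actually installs `deny ip from $ip to me` for '*', which covers every IP protocol, not only TCP and UDP. Suggest rewording to "If '*' is entered, all IP traffic from the listed addresses is denied." It would also help to state, next to firewall_denied_rule="550", that every deny is installed under this single rule number so administrators know where it lands relative to their own rules.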

--- /etc/rc.firewall	2012-11-21 09:08:57.000000000 +0000
+++ /etc/rc.firewall-new	2013-02-22 10:39:02.000000000 +0000
@@ -433,6 +433,18 @@
 	#				 This option can seriously degrade
 	#				 the level of protection provided by
 	#				 the firewall.
+	#  firewall_denied:		List of files containing IPv4 and/or
+	#				 IPv6 addresses that have no access
+	#				 to this host.
+	#  firewall_denied_rule:	ipfw rule number used to host all
+	#				 rules denying access to hosts listed
+	#				 in the files in $firewall_denied.
+	#  firewall_denied_rule:	ipfw rule number used to host all rules
+	#				 denying access to this host.
+	#  firewall_denied_services:	List of TCP ports on which this host
+	#				 denies services for "workstation" firewall.
+	#				 If '*' is entered, then all services
+	#				 will be blocked, TCP or UDP.
 	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
 	#				 default denied packets should be
 	#				 logged (in /var/log/security).
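Review bot: firewall_denied_rule is documented twice in this hunk, with two different descriptions ("rules denying access to hosts listed in the files in $firewall_denied" and "rules denying access to this host"). Keep only one entry, preferably the first, since it says where the addresses come from.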
@@ -498,6 +510,36 @@
 	  ${fwcmd} add pass ip from $i to me
 	done
 
+	# If specified, deny hosts from reaching this machine.
+	ds=`echo ${firewall_denied_services} | sed 's/ /,/g'`
+	for i in ${firewall_denied} ; do
+		# check that file exists first.
+		if [ -f $i ]; then
+			oldIFS=$IFS
+			IFS="
+"
+			# Go over all IPs listed in the file.
+			for ip in `cat $i` ; do
+				# Block IP if first character isn't a dash.
+				i=${ip%${ip#?}}
+				if [ $i != "#" ]; then
+					# Cut string when first space is found.
+					# Practical for Postfix files and geographic
+					# CIDR's obtained from online sources.
+					ip=`echo $ip | cut -d " " -f 1`
+
+					# Add block rule for target IP.
+					if [ "*" = $ds ]; then
+						${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me
+					else
+						${fwcmd} add ${firewall_denied_rule} deny tcp from $ip to me $ds in
+					fi
+				fi
+			done
+			IFS=$oldIFS
+		fi
+	done
+
 	${fwcmd} add 65000 count ip from any to any
 
 	# Drop packets to ports where we don't want logging
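Review bot: the `ds=\`echo ${firewall_denied_services} | sed 's/ /,/g'\`` line leaves the variable unquoted, so with the default value of "*" the shell performs pathname expansion and `ds` becomes a listing of the current directory rather than a literal "*"; the `[ "*" = $ds ]` test then fails (and `$ds` is again unquoted, so an empty value makes the test itself error), and the else branch runs `deny tcp from $ip to me <file names> in`. Quote both: `ds=$(echo "${firewall_denied_services}" | sed 's/ /,/g')` and `if [ "*" = "$ds" ]`. In the same loop, `i=${ip%${ip#?}}` overwrites the outer loop's file-name variable `i` and the following `[ $i != "#" ]` is unquoted, so a blank line in the list file produces a test(1) syntax error; use a separate variable and quote it, e.g. `c=${ip%${ip#?}}; if [ "$c" != "#" ]`. The comment above it says "first character isn't a dash" while the code checks for "#", and the "*" branch omits the `in` keyword that the TCP branch uses, so the two branches have different directionality; either add `in` to both or document why the full-IP deny is bidirectional.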


>Release-Note:
>Audit-Trail:
>Unformatted:

