FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)

Chris eagletree at hughes.net
Fri Jun 18 02:47:16 UTC 2010


On Jun 17, 2010, at 1:56 PM, Valerian Galeru wrote:

> OK, very simply put:
>
> To do this without shell scripting, but this could avoid filtering
> future IP addresses:
> 1. DIG HOSTNAMEs and add ipfw block rules for those IPs
> 2. DIG HOSTNAMEs and add a null rule
>
> To block all *.hostname and future IP addresses of any of
> *.hostname, a shell script must be written that analyzes all
> requests [have no idea how to execute a shell script LIVE!!!, any
> idea on this topic?].
>
Scripting it is not that hard, but most security advisors seem to
recommend against it since a smart attacker could use such a
thing against you. If you know the hostname and IP, there is no
reason to script it; if you don't, then you will have the script making
decisions and it's possible those decisions could be leveraged to
make you block the wrong thing. In spite of warnings, I did it
during the bot attacks in 2006 and it really saved us. With care,
it's a great solution. I'm not sure why you would do this if you
know the hostname? I am missing something there, maybe the
question of how you come to know that this host should be blocked.
If it's content, then here is another approach.

If you know the content that makes "*.hostname" be a bad
actor, snort_inline is designed for that. You run it on a socket
at startup and divert within ipfw any traffic you want checked.
You create a snort rule to do so and drop the session if it
matches. Again, your drop rules need to be well designed, so it
has some of the same earmarks as the scripted solutions.
It does work, though, if you can identify a unique signature for
what *.hostname (and then *.hostname2, *.hostname3, etc.)
is doing that they should be blocked. It handles some pretty
hefty traffic too, though I run it on a machine in front of the
net that only does ipfw/bridging and snort_inline. It was
pretty easy to set up too. With this, I'm not suggesting a
hostname lookup but to drop sessions from hostname
based on whatever the criteria is that you use to know
that it should be blocked.

> --- On Thu, 6/17/10, Bernt Hansson <bernt at bah.homeip.net> wrote:
>
> From: Bernt Hansson <bernt at bah.homeip.net>
> Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
> To: "Valerian Galeru" <valerian_ro at yahoo.com>
> Cc: freebsd-questions at freebsd.org
> Date: Thursday, June 17, 2010, 11:47 PM
>
> Valerian Galeru said the following on 2010-06-17 22:01:
>> Hello,
>>
>> Does anyone have any ideas how to block all requests using an IPFW-based router
>> (FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries)
>> or better, from any *.HOSTNAME.COM ????
>
> Do a whois hostname.com taking note of their ip-address range. Then,  
> for ipf, put this in your rules file.
>
> ### EXAMPLE ###
>
> block in quick on fxp0 from 192.168.0.0/16 to any
> block out quick on fxp0 from any to 192.168.0.0/16
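A concrete version of the "DIG the hostname, then add ipfw block rules" approach from the first message, with the safeguards Chris's warning about letting a script make blocking decisions calls for. This is an added example, not code from anyone in this thread or from FreeBSD. It assumes ipfw(8) with table support, dig(1) on the router, and a pair of deny rules that already consult the table (`ipfw add 100 deny ip from 'table(1)' to any` and the matching `from any to 'table(1)'`); the table number, the per-run cap, the RESOLVER/DRY_RUN knobs and the hostnames are all assumptions chosen for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD): resolve the A records
# of one or more hostnames and load them into an ipfw lookup table, refusing
# any address a poisoned or hostile DNS answer could use to make the firewall
# block the wrong thing (our own networks, loopback, multicast...).
#
# Assumed to exist already (not part of the original post):
#     ipfw add 100 deny ip from 'table(1)' to any
#     ipfw add 101 deny ip from any to 'table(1)'

TABLE="${TABLE:-1}"                # ipfw table the deny rules look up (assumed)
MAX_ADDRS="${MAX_ADDRS:-64}"       # cap on addresses accepted per run
DRY_RUN="${DRY_RUN:-0}"            # 1 = print ipfw commands instead of running them
RESOLVER="${RESOLVER:-resolve_a}"  # resolver function; swappable for a dry run/test

# resolve_a NAME: print NAME's IPv4 A records, one per line. dig +short also
# prints CNAME targets while following a chain, so keep only dotted quads.
resolve_a() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# is_blockable ADDR: succeed only for a well-formed, public unicast IPv4
# address. 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16 and 224/3 are
# refused so a bad DNS answer cannot blackhole the router or its own LANs.
is_blockable() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, junk chars, stray dots
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        0|10|127) return 1 ;;                                   # 0/8, 10/8, 127/8
        169) [ "$2" -eq 254 ] && return 1 ;;                    # 169.254/16
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1 ;;  # 172.16/12
        192) [ "$2" -eq 168 ] && return 1 ;;                    # 192.168/16
    esac
    [ "$1" -lt 224 ] || return 1                                # multicast/reserved
    return 0
}

# filter_addrs: read addresses on stdin; emit the unique ones that pass
# is_blockable, at most MAX_ADDRS of them, so one answer can't flood the table.
filter_addrs() {
    sort -u | while IFS= read -r a; do
        is_blockable "$a" && printf '%s\n' "$a"
    done | head -n "$MAX_ADDRS"
}

# apply_block ADDR: add ADDR to the table, or print the command under DRY_RUN.
# ipfw reports an already-present entry as an error; that is fine for us.
apply_block() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw table %s add %s\n' "$TABLE" "$1"
    else
        ipfw table "$TABLE" add "$1" 2>/dev/null || true
    fi
}

# block_hostnames NAME...: resolve every name, filter, then apply.
block_hostnames() {
    for h in "$@"; do
        "$RESOLVER" "$h"
    done | filter_addrs | while IFS= read -r a; do
        apply_block "$a"
    done
}

# Usage (e.g. from cron, hostnames are placeholders):
#     sh block_host.sh bad.example.com bad2.example.com
if [ "$#" -gt 0 ]; then
    block_hostnames "$@"
fi
```

Run it from cron as often as the DNS TTL warrants; `DRY_RUN=1 sh block_host.sh bad.example.com` shows what would be added without touching the firewall. Because the table matches on address, anything else hosted on the same IP is blocked as well, which is the "block the wrong thing" risk in a milder form; the private-range refusal and the MAX_ADDRS cap only limit what a single bad answer can do, they do not replace reviewing what lands in the table (`ipfw table 1 list`).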
