Denying multiple IPs

Chris racerx at makeworld.com
Tue Aug 24 09:17:44 PDT 2004


I'm working with a friend of mine w/ipfw. Below are IPs that are trying 
to hack in via ssh. I suggested using something in the form of:

# Allow in SFTP, SSH, and SCP from public Internet
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

But he mentions that he needs access to his box from potential client 
sites where the IP is unknown.

There has to be a better way to block the below - suggestions?


#
# IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
#

${fwcmd} add 300 deny tcp from 24.79.68.179 to any
${fwcmd} add 301 deny udp from 24.79.68.179 to any
${fwcmd} add 302 deny tcp from 64.246.20.123 to any
${fwcmd} add 303 deny udp from 64.246.20.123 to any
${fwcmd} add 304 deny tcp from 81.223.99.90 to any
${fwcmd} add 305 deny udp from 81.223.99.90 to any
${fwcmd} add 306 deny tcp from 140.112.124.123 to any
${fwcmd} add 307 deny udp from 140.112.124.123 to any
${fwcmd} add 308 deny tcp from 193.145.87.3 to any
${fwcmd} add 309 deny udp from 193.145.87.3 to any
${fwcmd} add 310 deny tcp from 203.186.157.37 to any
${fwcmd} add 311 deny udp from 203.186.157.37 to any
${fwcmd} add 312 deny tcp from 210.204.129.11 to any
${fwcmd} add 313 deny udp from 210.204.129.11 to any
${fwcmd} add 314 deny tcp from 211.60.219.250 to any
${fwcmd} add 315 deny udp from 211.60.219.250 to any
${fwcmd} add 316 deny tcp from 211.252.9.126 to any
${fwcmd} add 317 deny udp from 211.252.9.126 to any
${fwcmd} add 318 deny tcp from 218.21.129.105 to any
${fwcmd} add 319 deny udp from 218.21.129.105 to any
${fwcmd} add 320 deny tcp from 218.49.183.17 to any
${fwcmd} add 321 deny udp from 218.49.183.17 to any
${fwcmd} add 322 deny tcp from 218.102.19.78 to any
${fwcmd} add 323 deny udp from 218.102.19.78 to any
${fwcmd} add 324 deny tcp from 218.237.66.152 to any
${fwcmd} add 325 deny udp from 218.237.66.152 to any
${fwcmd} add 326 deny tcp from 221.3.131.80 to any
${fwcmd} add 327 deny udp from 221.3.131.80 to any

# Everything else is denied by default
-- 
Best regards,
Chris

The one time in the day that you lean back and relax
is the one time the boss walks through the office.
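One way to get rid of the growing list of numbered deny rules above is an ipfw lookup table: the addresses go into the table, and a single rule denies anything that matches it, so adding or dropping a host is a table operation rather than a new rule number. The script below is an added example, not part of the original post; it assumes an ipfw(8) with table support (FreeBSD 5.x and later) and uses the host list from the post. `FWCMD` defaults to `echo`, so it only prints the commands; set `FWCMD=/sbin/ipfw` to actually load them. Note that `deny ip` is broader than the post's tcp/udp pair (it also covers icmp and anything else), which is usually what is wanted for a host you have written off entirely.

```shell
#!/bin/sh
# Added example (not from the original post): replace one tcp+udp deny
# rule pair per host with a single ipfw lookup table plus one deny rule.
# Assumes ipfw(8) table support (FreeBSD 5.x+). FWCMD defaults to "echo"
# so the commands are printed, not applied; FWCMD=/sbin/ipfw applies them.

FWCMD="${FWCMD:-echo}"
TABLE="${TABLE:-1}"
RULE="${RULE:-300}"

# Hosts to block, one per line (the list from the post).
BLOCKED_HOSTS="
24.79.68.179
64.246.20.123
81.223.99.90
140.112.124.123
193.145.87.3
203.186.157.37
210.204.129.11
211.60.219.250
211.252.9.126
218.21.129.105
218.49.183.17
218.102.19.78
218.237.66.152
221.3.131.80
"

# Print how many hosts are in the list (used as a sanity check before loading).
count_blocked_hosts() {
    n=0
    for host in $BLOCKED_HOSTS; do
        n=$((n + 1))
    done
    echo "$n"
}

# Rebuild the table from BLOCKED_HOSTS and install the single deny rule.
# Every command goes through $FWCMD, so with the default "echo" this is a
# dry run that shows exactly what would be loaded.
load_blocklist() {
    # Start from an empty table so removed hosts do not linger.
    $FWCMD table "$TABLE" flush
    for host in $BLOCKED_HOSTS; do
        $FWCMD table "$TABLE" add "$host"
    done
    # One rule covers every address in the table; "ip" matches tcp, udp and
    # everything else, and "log" keeps the evidence the per-host rules gave.
    $FWCMD add "$RULE" deny log ip from "table($TABLE)" to any
}

# Add a single host to the live table without touching the rule set.
block_host() {
    $FWCMD table "$TABLE" add "$1"
}

# Remove a host again; the deny rule stays, it just no longer matches.
unblock_host() {
    $FWCMD table "$TABLE" delete "$1"
}

# Dry run when executed directly: prints the commands to stdout.
if [ "${FWCMD}" = "echo" ]; then
    echo "# $(count_blocked_hosts) hosts, dry run (set FWCMD=/sbin/ipfw to apply)"
    load_blocklist
fi
```

Once the table is in place, a host caught later needs only `block_host a.b.c.d` (or the equivalent `ipfw table 1 add a.b.c.d`) with no renumbering, and the `limit src-addr 4` rule from the post can stay as the general throttle for everything not in the table.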

