ipfw dynamic rules

Matthew D. Fuller fullermd at over-yonder.net
Sun Mar 23 15:00:17 UTC 2014


On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
Julian Elischer, and lo! it spake thus:
> 
> comments welcome (bugs expected)
> 
> 
> /sbin/ipfw table add 13 0.0.0.0/8
> /sbin/ipfw table add 13 10.0.0.0/8
> /sbin/ipfw table add 13 169.254.0.0/16
> /sbin/ipfw table add 13 172.16.0.0/12
> /sbin/ipfw table add 13 192.0.2.0/24
> /sbin/ipfw table add 13 192.168.0.0/16
> /sbin/ipfw table add 13 224.0.0.0/4
> /sbin/ipfw table add 13 240.0.0.0/4
> 
> /sbin/ipfw add 2002 set 0 reject ip from any to table(13)

Missing a couple martians, and this is a bit automatable.  It's sh,
after all.  Out of the script on one of my servers:


----------------------
# A table for ipv4 martians
# Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# NOTE: Source file doesn't have terminating newline; the "|| [ -n ... ]"
# on the read loop keeps the shell from silently dropping that last line.
# (${ipfw} and ${mydir} are set earlier in the elided part of the script.)
mtable="100"
bogfile="${mydir}/bogon-bn-agg.txt"
if [ -r "$bogfile" ]; then
	${ipfw} table ${mtable} flush
	while read -r block || [ -n "$block" ]; do
		${ipfw} table ${mtable} add ${block}
	done < "$bogfile"
fi

# ... lots of stuff elided

# Ignore
${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
----------------------


Handy to just be able to randomly fetch(1) a new file and let the fw
keep up.  Though watch out for that lacking trailing newline; I've
been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
from forgetting.


-- 
Matthew Fuller     (MF4839)   |  fullermd at over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
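A loader along the same lines, as an added example that is not the poster's script: it prints the ipfw table commands for review instead of running them, keeps the unterminated last line, skips blanks and comments, and rejects anything that is not an IPv4 prefix so a truncated or corrupted download cannot load garbage into the table. The sample file contents and table number 100 are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script: turn an aggregated bogon
# list into ipfw table commands for review before they touch the firewall.
# Handles a last line with no terminating newline, skips blanks and comments,
# and rejects anything that is not an IPv4 prefix so a truncated or corrupted
# download cannot load garbage into the table.
set -f   # no globbing while we word-split untrusted input

# Return 0 if $1 is a.b.c.d/n with every octet <= 255 and n <= 32.
valid_v4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "table <n> flush" then "table <n> add <prefix>" for each valid line
# of file $1; malformed lines go to stderr. The "|| [ -n "$block" ]" keeps
# the final line even when the file lacks a trailing newline.
bogon_table_cmds() {
    file=$1; table=$2
    echo "table $table flush"
    while read -r block || [ -n "$block" ]; do
        block=${block%%#*}            # drop trailing comment
        set -- $block; block=${1:-}   # drop surrounding whitespace
        [ -n "$block" ] || continue
        if valid_v4_cidr "$block"; then
            echo "table $table add $block"
        else
            echo "skipping malformed entry: $block" >&2
        fi
    done < "$file"
}

# Constructed sample input (not the real Team Cymru file): a comment, a blank
# line, one bogus octet, and a final line written without a newline.
sample=$(mktemp)
printf '%s\n' '# constructed bogon list' '0.0.0.0/8' '10.0.0.0/8  # RFC 1918' \
    '' '999.1.1.1/8' '224.0.0.0/4' > "$sample"
printf '240.0.0.0/4' >> "$sample"
bogon_table_cmds "$sample" 100
```

Once reviewed, the printed commands can be saved and handed to ipfw(8) as a command file.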


More information about the freebsd-ipfw mailing list