ipfw dynamic rules

Julian Elischer julian at freebsd.org
Sun Mar 23 15:29:20 UTC 2014


On 3/23/14, 8:00 AM, Matthew D. Fuller wrote:
> On Sun, Mar 23, 2014 at 07:47:29AM -0700 I heard the voice of
> Julian Elischer, and lo! it spake thus:
>> comments welcome (bugs expected)
>>
>>
>> /sbin/ipfw table add 13 0.0.0.0/8
>> /sbin/ipfw table add 13 10.0.0.0/8
>> /sbin/ipfw table add 13 169.254.0.0/16
>> /sbin/ipfw table add 13 172.16.0.0/12
>> /sbin/ipfw table add 13 192.0.2.0/24
>> /sbin/ipfw table add 13 192.168.0.0/16
>> /sbin/ipfw table add 13 224.0.0.0/4
>> /sbin/ipfw table add 13 240.0.0.0/4
>>
>> /sbin/ipfw add 2002 set 0 reject ip from any to table(13)
> Missing a couple martians, and this is a bit automatable.  It's sh,
> after all.  Out of the script on one of my servers:

Yeah, though remember this is the output stream of the script, not the 
script itself.
It was loading it up from the small table I had in a "here" file in 
the script; it could easily be done from a separate file...

What I'm hoping for is to make a script set where you specify a 'type' 
for each interface, and the script builds itself..
e.g.

interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"

(lo0 need not be given a type)
This would firewall xn0 and tun1 and just do sanity testing on tun0 
and xn1.

Julian



>
>
> ----------------------
> # A table for ipv4 martians
> # Source: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
> # NOTE: Source file doesn't have terminating newline; be sure to add one!
> mtable="100"
> bogfile="${mydir}/bogon-bn-agg.txt"
> if [ -r "$bogfile" ]; then
> 	${ipfw} table ${mtable} flush
> 	cat $bogfile | while read block ; do
> 		${ipfw} table ${mtable} add ${block} ;
> 	done
> fi
>
> # ... lots of stuff elided
>
> # Ignore
> ${ipfw} add 1010 drop ip4 from table\(${mtable}\) to any
> ----------------------
>
>
> Handy to just be able to randomly fetch(1) a new file and let the fw
> keep up.  Though watch out for that lacking trailing newline; I've
> been left without 224.0.0.0/3 (save a slot, eschew /4!) once or twice
> from forgetting.
>
>

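As an added example (not code from either poster), here is a small sh script that combines the two ideas in this thread: loading an ipfw martian table from a bogon list while surviving the missing trailing newline Matthew warns about, and building per-interface rules from a "type" string the way Julian sketches. The IPFW variable defaults to `echo /sbin/ipfw`, so it prints the ipfw commands instead of executing them; the sample bogon list, the per-interface types, the table and rule numbers, and the decision to act only on the words "hostile" and "trusted" (ignoring nat, local, remote, nat_in) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  Dry run by default: IPFW="echo /sbin/ipfw" prints
# the rules instead of loading them; run with IPFW=/sbin/ipfw as root to apply them.
IPFW="${IPFW:-echo /sbin/ipfw}"
MARTIANS=100          # ipfw table holding the bogon/martian prefixes (illustrative number)

# Constructed sample bogon list.  The last entry deliberately has NO trailing newline,
# reproducing the file layout the thread warns about.
BOGFILE=$(mktemp) || exit 1
trap 'rm -f "$BOGFILE"' EXIT
printf '# constructed sample\n0.0.0.0/8\n10.0.0.0/8\n\n192.168.0.0/16 # rfc1918\nnot-a-prefix\n224.0.0.0/3' > "$BOGFILE"

# Julian's sketched per-interface configuration (assumed shape: one "type" string per interface).
interfaces="xn0 xn1 tun0 tun1 lo0"
fw_xn0_type="hostile nat"
fw_xn1_type="trusted local"
fw_tun0_type="trusted remote"
fw_tun1_type="hostile nat_in"

# Return 0 if $1 is a well-formed IPv4 prefix (a.b.c.d/n, octets 0-255, n 0-32), pure sh.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit "ipfw table T add P" for every prefix in file $1 into table $2.  Comments and blank
# lines are skipped and malformed entries go to stderr instead of ipfw.  The
# '|| [ -n "$block" ]' keeps the last line even when the file lacks a final newline:
# read returns non-zero at EOF although it did fill $block.  Reading with '< file' rather
# than 'cat file |' keeps the loop in the current shell.
load_table() {
    file=$1; table=$2
    $IPFW table "$table" flush
    while IFS= read -r block || [ -n "$block" ]; do
        block=${block%%#*}                            # drop trailing comments
        block=$(printf '%s' "$block" | tr -d ' \t\r') # drop blanks and CR
        [ -n "$block" ] || continue
        if valid_cidr "$block"; then
            $IPFW table "$table" add "$block"
        else
            printf 'skipping malformed entry: %s\n' "$block" >&2
        fi
    done < "$file"
}

# Rules for one interface from its type words.  Only "hostile" and "trusted" are acted on
# here (assumption); nat, local, remote and nat_in are left to the reader's scheme.
# Rule numbers are illustrative; ipfw allows several rules to share a number.
rules_for_iface() {
    iface=$1; shift
    for word in "$@"; do
        case $word in
            hostile)   # full firewalling: martian sources in, martian destinations out, spoofed sources
                $IPFW add 1010 deny ip4 from "table($MARTIANS)" to any in recv "$iface"
                $IPFW add 1011 deny ip4 from any to "table($MARTIANS)" out xmit "$iface"
                $IPFW add 1020 deny ip from any to any in recv "$iface" not verrevpath
                ;;
            trusted)   # sanity testing only: still refuse martian sources, then pass
                $IPFW add 1010 deny ip4 from "table($MARTIANS)" to any in recv "$iface"
                $IPFW add 1050 allow ip from any to any via "$iface"
                ;;
        esac
    done
}

# Walk $interfaces and look up fw_<iface>_type; interfaces without a type (lo0) get nothing.
# Assumes interface names are valid inside a shell variable name (xn0, tun0, ... are).
build_ruleset() {
    for ifn in $interfaces; do
        eval "iftype=\${fw_${ifn}_type:-}"
        [ -n "$iftype" ] || continue
        rules_for_iface "$ifn" $iftype      # intentional word split of the type string
    done
}

# Dry run (or a real load when IPFW=/sbin/ipfw)
load_table "$BOGFILE" "$MARTIANS"
build_ruleset
```

Run it as-is to see the generated ruleset; the malformed entry is reported on stderr and the final 224.0.0.0/3 line is loaded even though the file has no terminating newline. Real deployment would also want a `set 0`/`set swap` or `ipfw -q` batch around the generated commands so the live ruleset is replaced atomically rather than rule by rule.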

