Blacklist IP file for IPFW?

Andreas X hamdi20193d at gmail.com
Tue Feb 18 12:45:52 UTC 2020


Thank you all for your replies,

"For sure, the first form is broken because you have to escape the
parenthesis."
As I stated earlier, that was just the output of the
ipfw show | grep "table" command.

root at test:~ # ipfw show | grep "table"
00350 17065 1026829 deny ip from table(10) to any


My script blocks the IPs I wanted to, ONLY if I set the rule number to
*earlier* numbers, such as:
${FWCMD} 00350 add deny all from table\(10\) to any

Question is: if I don't add the rule number 00350 to that command, the
rule ends up in the 65000s, and ipfw doesn't block the IPs in the table at
all. I wanted to ask why it reacts like that; shouldn't IPFW still do the job
(deny) even if the rule number is among the last ones?

Thank you!




Trond Endrestøl <trond.endrestol at ximalas.info> wrote on Tue, 18 Feb 2020
at 10:35:

> On Mon, 17 Feb 2020 16:42-0600, Tim Daneliuk wrote:
>
> > On 2/17/20 10:47 AM, Andreas X wrote:
> > > Hi again,
> > >
> > > The rule:  "65500   0     0 deny ip from table(10) to any"  was
> almost the last rule and I suspected it, therefore I wanted to move the
> rule upper, changed the command:
> > >
> > > ${FWCMD} 00350 add deny all from table\(10\) to any
> > >
> > > (adding rule number 00350), now ipfw successfully blocks the IPs in
> the table.
> > > My question is, why it didn't block the IPs when it had rule number
> 65500? (It might be the last rules, but still, it has "deny"
> command..shouldn't it do the job?)
> > >
> > > Thank you.
> >
> > I'm not sure, but you're using two different rules:
> >
> > deny ip from table(10) to any
> >
> > vs.
> >
> > add deny all from table\(10\) to any
> >
> > For sure, the first form is broken because you have to escape the
> parenthesis.
>
> True.
>
> > Also, you 1st rule only blocks IP traffic, not ICMP like ping (I think,
> not sure).
>
> "ip" or "all" matches both IPv4 and IPv6, regardless of the protocols
> higher up. Thus, these two rules are equivalent:
>
> deny all from table\(10\) to any
> deny ip  from table\(10\) to any
>
> Escaping the parenthesis is still required.
>
> > Any ipfw experts care to weigh in on this?
>
> ipfw(8) sure is handy.
>
> --
> Trond.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>
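The following script is an added example and is not code from this thread or from FreeBSD; it shows one way to load a blacklist file into an ipfw table and install the deny rule at a low rule number. It assumes table 10 and rule number 00350 as used in the thread, a constructed sample blacklist written to a temporary file, and FWCMD defaulting to "echo ipfw" so the commands are printed rather than executed (set FWCMD=/sbin/ipfw on a FreeBSD host to apply them). It uses the documented "ipfw add <number> ..." form from ipfw(8) and quotes the table(10) word instead of backslash-escaping it; both get the parentheses past sh. The reason the rule number matters is that ipfw evaluates rules in ascending order and the first rule that accepts or denies a packet decides its fate, so a deny placed at 65500 is never reached for packets an earlier allow rule already accepted.

```shell
#!/bin/sh
# Added example (not from the thread): load a blacklist into ipfw table 10 and
# install the deny rule early enough that it is evaluated before the ruleset's
# allow rules. ipfw is first-match: a deny at 65500 is never consulted for a
# packet that an earlier allow rule already accepted.
#
# FWCMD defaults to "echo ipfw" (dry-run); set FWCMD=/sbin/ipfw to apply.
FWCMD="${FWCMD:-echo ipfw}"
TABLE="${TABLE:-10}"          # table number used in the thread
RULE_NUM="${RULE_NUM:-00350}" # rule number the thread settled on

# Constructed sample blacklist in a temporary file (one IPv4 address or
# CIDR per line; '#' starts a comment). The path is an assumption.
BLACKLIST="${BLACKLIST:-$(mktemp)}"
cat > "$BLACKLIST" <<'EOF'
# constructed sample entries (RFC 5737 documentation ranges)
192.0.2.10
198.51.100.0/24
not-an-address
203.0.113.7
EOF

# is_ipv4_or_cidr: accept only a dotted-quad IPv4 address, optionally with
# a /0-/32 prefix, so a malformed line cannot turn into a bogus table entry.
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# load_table: flush the table, then add every valid entry from the file.
# Sets LOADED_COUNT to the number of entries actually added.
load_table() {
    ${FWCMD} table "$TABLE" flush
    LOADED_COUNT=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # strip comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if is_ipv4_or_cidr "$entry"; then
            ${FWCMD} table "$TABLE" add "$entry"
            LOADED_COUNT=$((LOADED_COUNT + 1))
        else
            printf 'skipping invalid blacklist entry: %s\n' "$entry" >&2
        fi
    done < "$BLACKLIST"
}

# install_deny_rule: add the deny rule at RULE_NUM. The parentheses must
# reach ipfw literally, so the word is quoted here (the thread used
# table\(10\), which is equivalent). Placing the rule at 350 puts it ahead
# of the allow rules that would otherwise match first.
install_deny_rule() {
    ${FWCMD} add "$RULE_NUM" deny ip from "table($TABLE)" to any
}

load_table
install_deny_rule
printf 'loaded %s blacklist entries into table %s\n' "$LOADED_COUNT" "$TABLE" >&2
```

Run it once with the default dry-run FWCMD to review the exact ipfw commands it would issue; only after that point FWCMD at the real binary. Keeping the rule number fixed also means re-running the script replaces the same rule instead of appending a fresh copy in the 65000s.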

