graudeejs said: If you want to ban Latvia... you can
$ fetch -q -m -o /path/to/latvian_ips http://www.nic.lv/local.net
To get Latvian IPs
Probably you can do something similar for other countries
After that it's a matter of loading the IPs into a firewall table and adding the proper rule
DutchDaemon said: Use pf, so you can put IP ranges in files and load them as tables.
DutchDaemon said: ipfw does not load tables from files, so you have to script additions and deletions, one by one. That's a major PITA. You can load an altered list of IPs in pf like this:
/sbin/pfctl -t annoying-hosts -Tr -f /tmp/annoying-hosts
pf.conf(5)
Tutorials/FAQs: http://www.bsdly.net/~peter/pf.html / http://www.openbsd.org/faq/pf/ / http://www.benzedrine.cx/pf.html
DutchDaemon said: I gave you the command that will do just that; just download the URL to a local file with e.g. fetch(1) and load it as a pf table. It understands CIDR notation. Don't think of 'scripts' right now, just learn how to use pf, how to write a pf.conf, and how to use pfctl.
/etc/rc.d/pf start
table <cn-block> persist file "/usr/local/www/cn.zone"
block in log quick on $ext_if from <cn-block> to any
block out log quick on $ext_if from any to <cn-block>
# /etc/rc.d/pf start
Enabling pf
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:2: macro 'ext_if' not defined
/etc/pf.conf:2: syntax error
/etc/pf.conf:3: macro 'ext_if' not defined
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled
# pfctl -d ; pfctl -e -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf not enabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
block drop in log quick on sis0 from <cn-block> to any
block drop out log quick on sis0 from any to <cn-block>
INFO:
Status: Enabled for 0 days 00:00:12 Debug: Urgent
State Table Total Rate
current entries 0
searches 2228 185.7/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 2228 185.7/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 100000
TABLES:
cn-block
OS FINGERPRINTS:
696 fingerprints loaded
wblock@ said: The Handbook has a section on PF, along with a link to the PF FAQ.
Wholesale blocking of countries by IP address may not be effective at whatever you're trying to achieve.
State Table Total Rate
current entries 21
searches 23269 23.4/s
inserts 289 0.3/s
removals 268 0.3/s
Counters
match 3941 4.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 705 0.7/s
graudeejs said: $ grep -v -e '^#' '/path/to/ip/list' | xargs -n 1 ipfw -q table $TABLE_NUMBER add
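An added example, not posted by anyone in the thread, that combines graudeejs's comment-stripping with DutchDaemon's pfctl table replace: it validates each line of a downloaded country list as an IPv4 address or CIDR before loading, so a truncated or garbled download cannot turn into an over-broad entry such as 0.0.0.0/0 that blocks all traffic. The table name, file paths, and the minimum prefix length of /8 are assumptions for the example.

```shell
#!/bin/sh
# Added example: sanity-check a fetched IP list, then load it as a pf table.
# Assumes one IPv4 address or CIDR per line, '#' comment lines, as in nic.lv's
# local.net. Rejects prefixes shorter than /8 (assumed threshold) as suspicious.

# Print only well-formed IPv4 addresses/CIDRs, normalised to a.b.c.d/len.
filter_cidrs() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" | awk '
    {
        n = split($1, p, "/")
        if (n > 2) next                     # more than one slash: garbage
        plen = (n == 2) ? p[2] : 32         # bare address means a /32
        if (plen !~ /^[0-9]+$/ || plen < 8 || plen > 32) next
        if (split(p[1], o, ".") != 4) next  # must have exactly four octets
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
        if (ok) print p[1] "/" plen
    }'
}

# Replace the contents of pf table $1 with the validated entries of file $2.
# Refuses to load an empty result, which would otherwise silently clear
# the table and lift the block.
load_table() {
    tmp=$(mktemp) || return 1
    filter_cidrs "$2" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no valid entries in $2, table $1 left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    /sbin/pfctl -t "$1" -T replace -f "$tmp"   # -T replace is the long form of -Tr
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (run as root after fetching the list; table name is an assumption):
#   fetch -q -m -o /tmp/lv.zone http://www.nic.lv/local.net
#   load_table lv-block /tmp/lv.zone
```

The table still needs a matching `table <lv-block> persist` line and block rules in pf.conf, as in the OP's cn-block configuration above.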