Best way to do country bans using a FreeBSD firewall?

If you want to ban Latvia... you can
$ fetch -q -m -o /path/to/latvian_ips http://www.nic.lv/local.net
to get Latvian IPs.

Probably you can do something similar for other countries

After that it's a matter of loading the IPs into a firewall table and adding the proper rule.
 
graudeejs said:
If you want to ban Latvia... you can
$ fetch -q -m -o /path/to/latvian_ips http://www.nic.lv/local.net
to get Latvian IPs.

Probably you can do something similar for other countries

After that it's a matter of loading the IPs into a firewall table and adding the proper rule.

Could you show me the proper rules to add in ipfw? For example, what would I input if I want to block these IPs:
http://www.ipdeny.com/ipblocks/data/countries/aw.zone
 
DutchDaemon said:
Use pf, so you can put IP ranges in files and load them as tables.

Hey DutchDaemon, do you have any good PF tutorials for a newbie on FreeBSD 8.1?
 
pf, ipf and ipfw are all part of the FreeBSD base system. Note that pfctl is not some magical, stand-alone program. It is a tool to manipulate the pf packet filter, together with the pf.conf ruleset. There are hundreds of examples on the web and on these forums.
 
I gave you the command that will do just that; just download the URL to a local file with e.g. fetch(1) and load it as a pf table. It understands CIDR notation. Don't think of 'scripts' right now, just learn how to use pf, how to write a pf.conf, and how to use pfctl.
 
DutchDaemon said:
I gave you the command that will do just that; just download the URL to a local file with e.g. fetch(1) and load it as a pf table. It understands CIDR notation. Don't think of 'scripts' right now, just learn how to use pf, how to write a pf.conf, and how to use pfctl.

Alrighty, reading through your tutorials right now, thanks again.

This is how you start it as I understand?
Code:
/etc/rc.d/pf start
 
As you will read [...] one normally starts it from rc.conf(5), in order to boot it with the system. Seriously though: read the documentation, because everything you could ask is in there sooner or later, and there are dozens of topics on it in here.
 
This config:
Code:
table <cn-block> persist file "/usr/local/www/cn.zone"
block in log quick on $ext_if from <cn-block> to any
block out log quick on $ext_if from any to <cn-block>

Gives me back:
Code:
# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:2: macro 'ext_if' not defined
/etc/pf.conf:2: syntax error
/etc/pf.conf:3: macro 'ext_if' not defined
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled
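The error above comes from using $ext_if in the rules without ever assigning the macro. The following is an added example, not code from this thread or from FreeBSD itself: it takes a downloaded zone file in the ipdeny format (one IPv4 CIDR per line), drops comment, blank and malformed lines before pf sees them (one bad entry makes pfctl refuse the whole ruleset), and renders a pf.conf with the macro defined. The interface name sis0 is taken from the pfctl -s all output later in the thread; the file paths and the sample zone lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a pf table file from a
# country zone list and renders a pf.conf that defines the $ext_if macro
# the posted config was missing. Assumed: interface "sis0", the temp paths,
# and the sample zone lines (RFC 5737 documentation ranges, constructed).

# Keep only syntactically valid IPv4 CIDR lines. Comments, blank lines,
# trailing CR/whitespace and malformed entries are dropped, because a
# single bad line makes pfctl reject the whole ruleset at load time.
filter_cidr() {
    awk '
        function octet_ok(o) { return (o ~ /^[0-9]+$/ && o + 0 <= 255) }
        {
            sub(/[[:space:]]+$/, "")          # strip trailing spaces and \r
            if ($0 == "" || $0 ~ /^#/) next   # skip blank and comment lines
            if (split($0, p, "/") != 2) next  # need exactly addr/prefix
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++) if (!octet_ok(o[i])) next
            print
        }' "$1"
}

# Number of entries pf will actually load from a raw zone file.
table_entries() {
    filter_cidr "$1" | wc -l | tr -d ' '
}

# Render a minimal pf.conf. The posted config failed with
# "macro 'ext_if' not defined" because the rules used $ext_if before any
# line assigned it; the macro must name the external interface.
render_pf_conf() {
    cat <<EOF
ext_if = "$1"
table <cn-block> persist file "$2"
block in log quick on \$ext_if from <cn-block> to any
block out log quick on \$ext_if from any to <cn-block>
EOF
}

# Parse-check the ruleset (pfctl -n parses without loading), then load it.
# Only meaningful where pfctl exists, i.e. on a FreeBSD host; never run here.
check_and_load() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; skipping" >&2; return 1; }
    pfctl -nf "$1" && pfctl -f "$1"
}

# Demo on a constructed zone file (not real ipdeny data).
work=$(mktemp -d)
cat > "$work/aw.zone.raw" <<'EOF'
# constructed sample in ipdeny zone format, not real country data
203.0.113.0/24
198.51.100.0/24
not-an-address
10.0.0.0/33
999.1.1.0/24
EOF
filter_cidr "$work/aw.zone.raw" > "$work/aw.zone"
render_pf_conf sis0 "$work/aw.zone" > "$work/pf.conf"
echo "valid entries written to $work/aw.zone: $(table_entries "$work/aw.zone.raw")"
```

Once the ruleset is loaded, a refreshed zone file can be swapped in without reloading the whole config with pfctl -t cn-block -T replace -f /path/to/aw.zone, and pfctl -t cn-block -T show lists what the table currently holds, which is the quickest way to confirm the block is really in place.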
 
Do you guys think this is working now?
Code:
# pfctl -d ; pfctl -e -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf not enabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
block drop in log quick on sis0 from <cn-block> to any
block drop out log quick on sis0 from any to <cn-block>

INFO:
Status: Enabled for 0 days 00:00:12           Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                            2228          185.7/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               2228          185.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000

TABLES:
cn-block

OS FINGERPRINTS:
696 fingerprints loaded
 
The Handbook has a section on PF, along with a link to the PF FAQ.

Wholesale blocking of countries by IP address may not be effective at whatever you're trying to achieve.
 
It doesn't seem to work.

I think I might have the wrong name on this: ### macro name for external interface.

How do I find out my "macro name for external interface", please?
 
wblock@ said:
The Handbook has a section on PF, along with a link to the PF FAQ.

Wholesale blocking of countries by IP address may not be effective at whatever you're trying to achieve.

Well, what I'm trying to achieve is blocking certain countries from posting on my site.
 
Every time I do pfctl -s all

The State Table total increases. I'm guessing this is normal?
 
Okay, when I use proxies of the countries I blocked, one of two things happens:
They load forever or they 503.

This is... normal? This is what I want, right?
 
Could I please get an explanation to what this stuff means?

Code:
State Table                          Total             Rate
  current entries                       21              
  searches                           23269           23.4/s
  inserts                              289            0.3/s
  removals                             268            0.3/s
Counters
  match                               3941            4.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                             705            0.7/s
 
graudeejs said:
$ grep -v -e '^#' '/path/to/ip/list' | xargs -n 1 ipfw -q table $TABLE_NUMBER add

Thanks again graudeejs, but I think I got it.

Unfortunately my site loads at half a second slower now, is this normal?
 