Solved Blocking IP addresses from a program

Х

Харбин Хэйлунцзян

From my program I need to block IP addresses from which I detect suspicious activity. At this time I am contemplating adding rules to the firewall - I have ipfw installed. What is the best way to accomplish that if it is a correct way to do what I need? Is there a better approach to that?
 
Note my config this for ALL applications, it could give an idea,
cat ipfw.rules
Code: 
cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="em0"
/sbin/ipfw -q -f flush    # Flush out the list before we begin.

# No restrictions on Loopback Interface
$cmd 01000 allow ip        from any to any via lo0

### ICMP
$cmd 01110 allow icmp      from any to any
$cmd 01120 allow ipv6-icmp from any to any
$cmd 01121 allow ipv6      from any to any

# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state

### OUTGOING
# Allow access to outside
$cmd 03010 allow tcp  from any to any out via $pif setup keep-state
$cmd 03020 allow udp  from any to any out via $pif keep-state

### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 04010 deny all from 192.168.0.0/16  to any in via $pif #RFC 1918 private IP
$cmd 04020 deny all from 172.16.0.0/12   to any in via $pif #RFC 1918 private IP
$cmd 04030 deny all from 10.0.0.0/8      to any in via $pif #RFC 1918 private IP
$cmd 04040 deny all from 127.0.0.0/8     to any in via $pif #loopback
$cmd 04050 deny all from 0.0.0.0/8       to any in via $pif #loopback
$cmd 04060 deny all from 169.254.0.0/16  to any in via $pif #DHCP auto-config
$cmd 04070 deny all from 192.0.2.0/24    to any in via $pif #reserved for docs
$cmd 04080 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 04090 deny all from 224.0.0.0/3     to any in via $pif #Class D & E multicast

$cmd 05010 deny ip  from any to ::1 in via $pif
$cmd 05020 deny ip  from ::1 to any in via $pif

#ICMP
$cmd 06010 allow ipv6-icmp from :: to  ff02::/16
$cmd 06020 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 06030 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 06040 allow ipv6-icmp from any to any icmp6types 1,2,135,136

# Deny fragments
$cmd 07010 deny all from any        to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 07020 deny tcp from any to any established in via $pif

# Allow incoming access from localnet
#$cmd X allow tcp from 192.168.1.0/24 to any in via $pif setup keep-state
#$cmd X allow udp from 192.168.1.0/24 to any in via $pif keep-state

$cmd 08010 reject log all from any to any
$cmd 08020 deny   log all from any to any
/sbin/ipfw list
 
Харбин Хэйлунцзян said:
From my program I need to block IP addresses from which I detect suspicious activity. At this time I am contemplating adding rules to the firewall - I have ipfw installed. What is the best way to accomplish that if it is a correct way to do what I need? Is there a better approach to that?
Click to expand...
so, you have a program that gets, say, login requests, and you want to firewall off users who make too many bad requests in a timespan?

you can use the Blocklist functions — https://man.freebsd.org/cgi/man.cgi...th=FreeBSD+15.0-RELEASE+and+Ports&format=html

we do this in an http service with some tricky rules to block web scrapers: https://fossil.se30.xyz/ratrap
 
Explain your program. What is it doing ? Activity ? Server ? Public on internet ? Or behind firewall ? If needed we use "google translate" :)
 
Харбин Хэйлунцзян said:
I didn't know about this service. Will have to try and learn about it.



Mine is a http service too. Thanks.
Click to expand...
the problem with HTTP services is that unless you're a module in the webserver, you don't have the actual client socket, so you have to do some tricks to get blocklist_sa_r to play nice, and then you also have to make the rules line up. our ratrap service does all that but we did it in ocaml. :T
 
Run the program as a separate user name and use ipfw with uid control.
man su
man ipfw
some like this
su - user -c "your_program"
ipfw add allow all from any to any uid user
 
What he want is something like littlesnitch on Mac/OS, ie a per app fw. IMHO, the only way to do this on FreeBSD is to use many UID as needed, and launch apps with their own uid like freebsd_lg said above. Dont know other way to do that. And yes, it's sometimes very useful.
 
atax1a said:
this is the purpose of the blocklistd service as recommended upthread.
Click to expand...

Yes, this is the ready FreeBSD solution, described in the Handbook. I wonder how I could have missed it.

But in the end I decided not to use it. :) First, they do not have any examples of using it with ipfw and I thought writing my own service would be easier than trying to find out how do that. Secondly, it requires the socket which it needs to decide if my service has the right to do what it wants to do. That is the socket I would rather close as soon as I can and I thought I only need a dumb servant who would silently carry out the order to block an address.

Yet, the acquaintance with this service lead me to the correct solution. The worst point in the approach that I pursued was that I was going to control the firewall from an http service. To control the firewall willy-nilly you need to run it as root and my partner point-blank refused to run an http service with this sort of privileges. The solution is obvious - to write a separate service which only listens on 127.0.0.1 for commands. One bonus is that now our service does not need to bother about timely unblocking - this is the task of the ancillary blocking service. Furthermore in the main service that would be done on the map of all addresses in work while the blocking service only knows about the blocked ones.

Finally, we do not add or delete rules, there is just one rule:

Code: 
ipfw -q add 00200 deny tcp from 'table(BT0)' to 192.168.1.17 80 in via re0

The addresses are added to the table and deleted from it.

We monitor connections per second, packets per second, and requests for large documents per second. It works. In the last three days our service has blocked these addresses:

185.146.233.219
5.230.122.201
163.5.214.40
192.253.248.169
194.31.223.191

Once again I thank atax1a and SirDice for pointing me into the right direction.

-
 
in our Ratrap code we use a similar technique with the sockets by way of th blocklist_sa_r interface. as far as working with ipfw goes, that's all abstracted out via the control script. glad you've found a solution though!
 
You must log in or register to reply here.
Back
Top