Other Blocking IP addresses from a program

[Харбин Хэйлунцзян]

From my program I need to block IP addresses from which I detect suspicious activity. At this time I am contemplating adding rules to the firewall - I have ipfw installed. What is the best way to accomplish that if it is a correct way to do what I need? Is there a better approach to that?

 

[Alain De Vos]

application firewall is that not Windows ?

 

[Харбин Хэйлунцзян]

is that not Windows ?

I don't quite understand your question but ipfw comes with FreeBSD:

ipfw(8)

 

[Alain De Vos]

Does ipfw has application firewall ?

 

[Alain De Vos]

Note my config this for ALL applications, it could give an idea,
cat ipfw.rules

cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="em0"
/sbin/ipfw -q -f flush    # Flush out the list before we begin.

# No restrictions on Loopback Interface
$cmd 01000 allow ip        from any to any via lo0

### ICMP
$cmd 01110 allow icmp      from any to any
$cmd 01120 allow ipv6-icmp from any to any
$cmd 01121 allow ipv6      from any to any

# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state

### OUTGOING
# Allow access to outside
$cmd 03010 allow tcp  from any to any out via $pif setup keep-state
$cmd 03020 allow udp  from any to any out via $pif keep-state

### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 04010 deny all from 192.168.0.0/16  to any in via $pif #RFC 1918 private IP
$cmd 04020 deny all from 172.16.0.0/12   to any in via $pif #RFC 1918 private IP
$cmd 04030 deny all from 10.0.0.0/8      to any in via $pif #RFC 1918 private IP
$cmd 04040 deny all from 127.0.0.0/8     to any in via $pif #loopback
$cmd 04050 deny all from 0.0.0.0/8       to any in via $pif #loopback
$cmd 04060 deny all from 169.254.0.0/16  to any in via $pif #DHCP auto-config
$cmd 04070 deny all from 192.0.2.0/24    to any in via $pif #reserved for docs
$cmd 04080 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 04090 deny all from 224.0.0.0/3     to any in via $pif #Class D & E multicast

$cmd 05010 deny ip  from any to ::1 in via $pif
$cmd 05020 deny ip  from ::1 to any in via $pif

#ICMP
$cmd 06010 allow ipv6-icmp from :: to  ff02::/16
$cmd 06020 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 06030 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 06040 allow ipv6-icmp from any to any icmp6types 1,2,135,136

# Deny fragments
$cmd 07010 deny all from any        to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 07020 deny tcp from any to any established in via $pif

# Allow incoming access from localnet
#$cmd X allow tcp from 192.168.1.0/24 to any in via $pif setup keep-state
#$cmd X allow udp from 192.168.1.0/24 to any in via $pif keep-state

$cmd 08010 reject log all from any to any
$cmd 08020 deny   log all from any to any
/sbin/ipfw list

 

[Харбин Хэйлунцзян]

Note my config this for ALL applications, it could give an idea,

I do not need that. The handbook has enough of that and my ipfw is configured to my heart's content.

I guess my English is not perfect but I cannot explain my need any better than I have already done in the original posting.

 

[atax1a]

From my program I need to block IP addresses from which I detect suspicious activity. At this time I am contemplating adding rules to the firewall - I have ipfw installed. What is the best way to accomplish that if it is a correct way to do what I need? Is there a better approach to that?

so, you have a program that gets, say, login requests, and you want to firewall off users who make too many bad requests in a timespan?

you can use the Blocklist functions — https://man.freebsd.org/cgi/man.cgi...th=FreeBSD+15.0-RELEASE+and+Ports&format=html

we do this in an http service with some tricky rules to block web scrapers: https://fossil.se30.xyz/ratrap

 

[Alain De Vos]

Explain your program. What is it doing ? Activity ? Server ? Public on internet ? Or behind firewall ? If needed we use "google translate"

 

[Харбин Хэйлунцзян]

you can use the Blocklist functions — https://man.freebsd.org/cgi/man.cgi...th=FreeBSD+15.0-RELEASE+and+Ports&format=html

I didn't know about this service. Will have to try and learn about it.

we do this in an http service with some tricky rules to block web scrapers: https://fossil.se30.xyz/ratrap

Mine is a http service too. Thanks.

 

[atax1a]

I didn't know about this service. Will have to try and learn about it.



Mine is a http service too. Thanks.

the problem with HTTP services is that unless you're a module in the webserver, you don't have the actual client socket, so you have to do some tricks to get blocklist_sa_r to play nice, and then you also have to make the rules line up. our ratrap service does all that but we did it in ocaml. :T

 

[Харбин Хэйлунцзян]

the problem with HTTP services is that unless you're a module in the webserver, you don't have the actual client socket

I do not understand that. I listen(2) on port 80 and accept(2) an incoming connection. What could be wrong with the socket I get?

 

[atax1a]

I do not understand that. I listen(2) on port 80 and accept(2) an incoming connection. What could be wrong with the socket I get?

oh in that case then you're in a situation where you do have the direct client socket. in my situation there were proxies involved, hence the indirection. you should be able to just use the blocklist functions directly.

 

[freebsd_lg]

Run the program as a separate user name and use ipfw with uid control.
man su
man ipfw
some like this
su - user -c "your_program"
ipfw add allow all from any to any uid user

 

[SirDice]

I listen(2) on port 80 and accept(2) an incoming connection.

So it's something you coded yourself? Add libblocklist(3) functions, then you can let blocklistd(8) add those rules dynamically.