Blocking IP addresses from a program

From my program I need to block IP addresses from which I detect suspicious activity. At this time I am contemplating adding rules to the firewall - I have ipfw installed. What is the best way to accomplish that, if it is a correct way to do what I need? Is there a better approach to that?
 
Note: my config is for ALL applications; it could give an idea.
cat ipfw.rules
Code:
cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="em0"                 # Public interface
/sbin/ipfw -q -f flush    # Flush out the list before we begin.

# No restrictions on Loopback Interface
$cmd 01000 allow ip        from any to any via lo0

### ICMP
$cmd 01110 allow icmp      from any to any
$cmd 01120 allow ipv6-icmp from any to any
# NOTE: "ipv6" matches every IPv6 packet in both directions, so the
# IPv6-specific rules further down (05010-06040) and the final deny
# are never reached for IPv6 traffic.
$cmd 01121 allow ipv6      from any to any

# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state

### OUTGOING
# Allow access to outside
$cmd 03010 allow tcp  from any to any out via $pif setup keep-state
$cmd 03020 allow udp  from any to any out via $pif keep-state

### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 04010 deny all from 192.168.0.0/16  to any in via $pif #RFC 1918 private IP
$cmd 04020 deny all from 172.16.0.0/12   to any in via $pif #RFC 1918 private IP
$cmd 04030 deny all from 10.0.0.0/8      to any in via $pif #RFC 1918 private IP
$cmd 04040 deny all from 127.0.0.0/8     to any in via $pif #loopback
$cmd 04050 deny all from 0.0.0.0/8       to any in via $pif #"this" network (RFC 1122), never a valid source
$cmd 04060 deny all from 169.254.0.0/16  to any in via $pif #link-local / DHCP auto-config
$cmd 04070 deny all from 192.0.2.0/24    to any in via $pif #reserved for docs
$cmd 04080 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 04090 deny all from 224.0.0.0/3     to any in via $pif #Class D multicast & Class E reserved

$cmd 05010 deny ip  from any to ::1 in via $pif
$cmd 05020 deny ip  from ::1 to any in via $pif

#ICMP
$cmd 06010 allow ipv6-icmp from :: to  ff02::/16
$cmd 06020 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 06030 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 06040 allow ipv6-icmp from any to any icmp6types 1,2,135,136

# Deny fragments
$cmd 07010 deny all from any        to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 07020 deny tcp from any to any established in via $pif

# Allow incoming access from localnet
#$cmd X allow tcp from 192.168.1.0/24 to any in via $pif setup keep-state
#$cmd X allow udp from 192.168.1.0/24 to any in via $pif keep-state

# Everything else: reject (sends ICMP unreachable) and log; 08020 is a fallback that never matches
$cmd 08010 reject log all from any to any
$cmd 08020 deny   log all from any to any
/sbin/ipfw list
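The direct way to do what the original question asks without rewriting a ruleset like the one above is an ipfw lookup table: one static deny rule that consults the table, and the program adding and removing addresses in the table at runtime. The following is an added example, not code from this thread; the table name (blocklist), the rule number (02500), the log format and the thresholds are all assumptions. It assumes the table and rule were created once alongside the ruleset:

    ipfw table blocklist create type addr
    ipfw add 02500 deny ip from "table(blocklist)" to any in via em0

Placed right after check-state and before the incoming allows, an entry added to the table is enforced on the next packet. The program below counts failed logins per client over a sliding window and bans an address by adding it to the table; since ipfw tables have no TTL, the program also has to delete entries itself when the ban expires. Run with dry_run=True it only records the commands, so the detection logic can be exercised on a box without ipfw.

```python
"""Dynamic IP blocking through an ipfw lookup table (added example, not from the thread).

Assumes a table named 'blocklist' and a rule 'deny ip from "table(blocklist)" to any
in via em0' already exist (see lead-in). Only 'ipfw table ... add|delete' is ever run.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict, deque

# Constructed sample log (not real data): an HTTP service logging each login
# attempt as "<unix-time> <fail|ok> <client-ip>".
SAMPLE_LOG = """\
1700000000 fail 203.0.113.7
1700000001 fail 203.0.113.7
1700000002 ok   198.51.100.5
1700000003 fail 203.0.113.7
1700000004 fail 203.0.113.7
1700000005 fail 203.0.113.7
1700000100 fail 198.51.100.5
1700000200 fail 198.51.100.5
1700000300 fail 198.51.100.5
1700000301 fail 198.51.100.5
1700000302 fail 198.51.100.5
1700000303 fail 198.51.100.5
1700000304 fail 198.51.100.5
1700000305 fail 203.0.113.7
1700003700 ok   198.51.100.5
"""

LINE_RE = re.compile(r"^(\d+)\s+(fail|ok)\s+(\S+)$")
TABLE = "blocklist"   # assumed ipfw table name
THRESHOLD = 5         # failures ...
WINDOW = 60           # ... within this many seconds triggers a ban
BAN_SECONDS = 3600    # how long an address stays in the table


class IpfwTable:
    """Wrapper over '/sbin/ipfw table <name> add|delete <addr>'.

    With dry_run=True the commands are recorded, not executed.
    """

    def __init__(self, name=TABLE, dry_run=False):
        self.name = name
        self.dry_run = dry_run
        self.commands = []

    def _run(self, verb, ip):
        cmd = ["/sbin/ipfw", "table", self.name, verb, str(ip)]
        self.commands.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)   # needs root on the FreeBSD host

    def add(self, ip):
        self._run("add", ip)

    def delete(self, ip):
        self._run("delete", ip)


class Blocker:
    def __init__(self, table, threshold=THRESHOLD, window=WINDOW, ban=BAN_SECONDS):
        self.table, self.threshold, self.window, self.ban = table, threshold, window, ban
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> expiry timestamp

    def record(self, line):
        """Feed one log line; returns the address if it was banned by this line."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None                      # ignore malformed lines
        try:
            ip = ipaddress.ip_address(m.group(3))   # accepts IPv4 and IPv6
        except ValueError:
            return None
        ts, result = int(m.group(1)), m.group(2)
        self.expire(ts)
        if result != "fail" or ip in self.banned:
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.table.add(ip)
            self.banned[ip] = ts + self.ban
            q.clear()
            return ip
        return None

    def expire(self, now):
        """ipfw tables have no TTL: remove entries whose ban has run out."""
        for ip, until in list(self.banned.items()):
            if until <= now:
                self.table.delete(ip)
                del self.banned[ip]


def process_log(text, table=None):
    """Run the detector over a log; returns (banned addresses, ipfw commands issued)."""
    table = table or IpfwTable(dry_run=True)
    blocker = Blocker(table)
    banned = [ip for ip in (blocker.record(line) for line in text.splitlines()) if ip]
    return [str(ip) for ip in banned], table.commands


if __name__ == "__main__":
    for c in process_log(SAMPLE_LOG)[1]:
        print(c)
```

In a long-running service, expire() should also be driven by a timer using the wall clock rather than only by log timestamps, otherwise a quiet period leaves stale entries in the table. Two caveats against the ruleset above: the table rule must come before any rule that would allow the traffic, and rule 01121 there allows all IPv6 before anything else, so IPv6 entries in the table would have no effect unless that rule is moved or narrowed.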
 
So, you have a program that gets, say, login requests, and you want to firewall off users who make too many bad requests in a timespan?

You can use the Blocklist functions: https://man.freebsd.org/cgi/man.cgi...th=FreeBSD+15.0-RELEASE+and+Ports&format=html

We do this in an http service with some tricky rules to block web scrapers: https://fossil.se30.xyz/ratrap
 
Explain your program. What is it doing? Activity? Server? Public on the internet? Or behind a firewall? If needed we use "google translate" :)
 
I didn't know about this service. Will have to try and learn about it.

Mine is an http service too. Thanks.
The problem with HTTP services is that unless you're a module in the webserver, you don't have the actual client socket, so you have to do some tricks to get blocklist_sa_r to play nice, and then you also have to make the rules line up. Our ratrap service does all that, but we did it in OCaml. :T
 
Run the program under a separate user name and use ipfw with uid control.
man su
man ipfw
Something like this:
su - user -c "your_program"
ipfw add allow all from any to any uid user
 
What he wants is something like Little Snitch on Mac OS, i.e. a per-app firewall. IMHO, the only way to do this on FreeBSD is to use as many UIDs as needed, and launch apps with their own UID like freebsd_lg said above. Don't know any other way to do that. And yes, it's sometimes very useful.
 
You could also launch that software in a jail, and restrict the network of that jail by implementing firewall rules on the host.
 
This does not solve the problem at hand, which was how to dynamically adjust the rules in response to suspicious activity from clients. This is the purpose of the blocklistd service as recommended upthread.
 