how to make ipfw table?

congavangkiev

Member



how to make ipfw table?
In pf.conf:
Code:
table <unlimit> persist file "/etc/unlimit"
nat on $ext_if from <unlimit> to any -> a.b.c.d
And how can I do this in ipfw?
Maybe someone can help me!
Thank you!
 

SirDice

Administrator

I don't use ipfw but had a quick look at the manpage.

It looks like you will need to write a small script that reads /etc/unlimit and executes something like ipfw table 1 add $line for each line in the file.

Since there's no provisioning for persist you would also need to write a little script that will dump the table and write it to /etc/unlimit.

See ipfw(8)


It's probably simpler to keep using pf
 

congavangkiev

Member



I think this is a number (table 1)
Code:
ipfw -q table 1 add 220.228.0.0/15
ipfw add 21999 set 15 deny ip from "table(1)" to 1.2.3.4
but I want a file (table)
 

phoenix

Administrator

In your firewall script, do something like:
Code:
# Populate the table with IPs/subnets
ipfw table 1 add 1.2.3.4
ipfw table 1 add 1.2.3.5
ipfw table 1 add 1.2.3.6

# Use the table in the rules
ipfw add divert natd ip from 'table(1)' to any
Change the last line to work with whichever NAT setup you want (via natd or ipfw nat rules).
 

congavangkiev

Member



Thank you.
I have a list of IPs in my country (there are many IPs). I want to open port 80 for IPs in my country and deny IPs from abroad.
How can I do that?
Code:
ipfw table 1 add 1.2.3.4
ipfw table 1 add 1.2.3.7
ipfw table 1 add 1.2.3.9
....................
If there are 10000 IPs, how many do I have to write?
Thank you for answering!
 

phoenix

Administrator

You can also add subnets:
Code:
ipfw table 1 add 1.2.3.0/24
That will add all the IPs from 1.2.3.1 through 1.2.3.255.
 

congavangkiev

Member



But this is a lot of IPs.
ip A.B.C.1/24
a.b1.c1.1/24
a.b2.c2.1/24
.......
I have the IP list (txt).
I want
Code:
ipfw table 1 add list.txt
but I don't know how?
Maybe someone can help me?
 

DutchDaemon

Administrator

Tables read from files are not a feature of ipfw.
 

DutchDaemon

Administrator

You could, however, do something like this:

Code:
ipfw table 1 flush
# -n 1 is required: "ipfw table 1 add" takes a single address per invocation,
# so without it xargs would pass the whole file as one argument list
xargs -n 1 ipfw table 1 add < list.txt
Assuming that the entries in list.txt are in the correct format.
 
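SirDice's and DutchDaemon's posts above describe the two halves of what pf's `persist file` gives you for free: rebuild a table from a file, and write the table back out to that file. The script below is an added example (mine, not from the thread, and not part of ipfw or FreeBSD) that does both for an ipfw numbered table, and also issues the allow/deny rule pair the thread is working towards (open a port only to addresses in the table). Every function name in it is made up for the example. It assumes FreeBSD ipfw with numbered tables, that `ipfw table N list` prints one `addr/plen value` pair per line, and that `IPFW` can be pointed at something other than /sbin/ipfw for testing.

```shell
#!/bin/sh
# Added example (not from the thread): emulate pf's "table ... persist file"
# for an ipfw numbered table. Function names are hypothetical. Assumes
# FreeBSD ipfw with numbered tables and that "ipfw table N list" prints
# one "addr/plen value" pair per line.

IPFW=${IPFW:-/sbin/ipfw}

# valid_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/n with every octet
# in 0..255 and n in 0..32. Anything else is refused, so a stray line in
# the list file can never become an odd "ipfw table add" invocation.
valid_cidr() {
    addr=${1%/*}
    case $1 in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;
    esac
    case $plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# table_load TABLE FILE: flush TABLE, then add every valid entry in FILE.
# Blank lines and '#' comments are ignored; malformed entries are reported
# on stderr and skipped instead of aborting the whole load. Prints the
# number of entries added. Between the flush and the last add the table is
# (partly) empty, so rules that consult it see a brief gap.
table_load() {
    table=$1; file=$2; n=0
    "$IPFW" -q table "$table" flush
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            "$IPFW" -q table "$table" add "$entry" && n=$((n + 1))
        else
            echo "table_load: skipping bad entry: $line" >&2
        fi
    done < "$file"
    echo "$n"
}

# table_dump TABLE FILE: write TABLE back out in the one-entry-per-line
# format table_load reads (the value column is dropped). Run it after any
# manual "ipfw table add" so the next boot reloads the same set.
table_dump() {
    "$IPFW" table "$1" list | awk '{ print $1 }' > "$2"
}

# allow_port_from_table TABLE PORT RULENO: the "open port 80 only for my
# country" pair. Order matters: the allow for addresses in TABLE must come
# before the deny for everyone else. Uses RULENO and RULENO+1 so re-running
# it replaces the pair instead of adding duplicates.
allow_port_from_table() {
    table=$1; port=$2; base=$3
    "$IPFW" -q delete "$base" $((base + 1)) 2>/dev/null || true
    "$IPFW" -q add "$base" allow tcp from "table($table)" to me "$port" setup
    "$IPFW" -q add $((base + 1)) deny tcp from any to me "$port" setup
}

# Usage, e.g. from /etc/rc.firewall or a cron job:
#   table_load 1 /etc/unlimit          # boot: rebuild table 1 from the file
#   allow_port_from_table 1 80 21000   # allow port 80 from table 1 only
#   table_dump 1 /etc/unlimit          # later: save edits back to the file
```

The validation step is the part worth keeping even if you only ever use the xargs one-liner: a list file that is fetched from somewhere else, or edited by hand, is input to a root-level command, and silently passing junk to `ipfw table add` is how a typo ends up blocking nothing or blocking everything. The flush-then-add window is the other thing to know about: for a deny list it briefly fails open, for an allow list it briefly fails closed. If that matters on your box, load into a spare table and switch the rules over to it rather than flushing the live one.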

lissyara

Member


DutchDaemon said:
Tables read from files are not a feature of ipfw.
Are there any plans to implement such a feature?
For large files (we have 60k lines) it's very slow.
 

ProFTP

Active Member


but, it's not good - very askance
???

Code:
#!/usr/bin/perl
use strict;
use warnings;

# use File::Pid;
# my $pidfile = File::Pid->new( { file => '/var/run/x0.pid', } );
# my $pid = $pidfile->running;
# die "Service already running: $pid\n" if $pid;
# $pidfile->write;
# # You can uncomment this so the script
# # does not start again while it is already running

# use LWP::Simple;
# my $zip_data = get("http://www.stopforumspam.com/downloads/bannedips.zip");
# system("ipfw table 1 flush > /dev/null &") if (defined $zip_data);

system("wget http://www.stopforumspam.com/downloads/bannedips.zip") == 0
  or die "wget failed: $?\n";

# use Archive::Zip;
# my $zip = Archive::Zip->new("bannedips.zip");
# $zip->extractTree();

system("/usr/local/bin/unzip bannedips.zip") == 0
  or die "unzip failed: $?\n";

# Slurp the whole CSV into one string
open( my $ipb, '<', "bannedips.csv" ) or die "bannedips.csv: $!\n";
my $spam = do { local $/; <$ipb> };
close $ipb;

unlink "bannedips.csv", "bannedips.zip";

# Slurp the current table contents ("addr/plen value" per line)
open( my $ip, '-|', 'ipfw', 'table', '1', 'list' ) or die "ipfw: $!\n";
my $use_ip = do { local $/; <$ip> };
close $ip;
$use_ip = '' unless defined $use_ip;    # empty table

#####################
# IPs that are already present in the table are not removed;
# only the new ones that are missing are added.
my %seen;
@seen{ return_ip($spam) } = ();
delete @seen{ return_ip($use_ip) };

foreach ( sort keys %seen ) {
    print "$_\n";
    system( "ipfw", "table", "1", "add", $_ );    # list form: no shell involved
}

# Extract every dotted-quad from a string, skipping any whose octets
# exceed 255 (the original stopped at the first bad one instead of
# skipping it); returns the unique addresses.
sub return_ip {
    my ($text) = @_;
    my %hash;
    while ( $text =~ /(\d+\.\d+\.\d+\.\d+)/g ) {
        my $addr = $1;
        next if grep { $_ > 255 } split /\./, $addr;
        $hash{$addr}++;
    }
    return keys %hash;
}

# $pidfile->remove;
# # You can uncomment this so the script
# # does not start again while it is already running

exit;
 