including exec files in /etc/rc.firewall

Hello everyone, I'm just curious. I want to include a file in rc.firewall, for example international.ban. Basically I want to add a ban file with a series of netdir blocks, so:

Code:
#!/bin/sh

BANS=`sh /etc/international.ban`

exec $BAN;
ipfw -q flush

# IPv4
ipfw add 500 divert natd all from any to any via tun0
ipfw add 1000 allow ip from any to any via lo0
ipfw add 65000 allow ip from any to any
ipfw add 65535 deny ip from any to any

# Denied ports to all systems.
ipfw add 04964 deny tcp from any to any 22 in via tun0 setup keep-state

I don't use IPv6 with ipfw; I use ip6fw, which is adjusted correctly.

But just for clarification, does this look correct? I would test it, but I would have to reboot the whole router because its kernel securelevel is high. So I want this to be only a few seconds of downtime.

Of course, `/etc/international.ban` looks like this:

Code:
# China's Block ranges
ipfw add 100 drop ip from 58.14.0.0/15 to any
ipfw add 100 drop ip from 58.16.0.0/16 to any
ipfw add 100 drop ip from 58.17.0.0/17 to any
ipfw add 100 drop ip from 58.17.128.0/17 to any
ipfw add 100 drop ip from 58.18.0.0/16 to any
ipfw add 100 drop ip from 58.19.0.0/16 to any
ipfw add 100 drop ip from 58.20.0.0/16 to any
ipfw add 100 drop ip from 58.21.0.0/16 to any
ipfw add 100 drop ip from 58.22.0.0/15 to any
ipfw add 100 drop ip from 58.24.0.0/15 to any
ipfw add 100 drop ip from 58.30.0.0/15 to any
ipfw add 100 drop ip from 58.32.0.0/13 to any
ipfw add 100 drop ip from 58.40.0.0/15 to any
ipfw add 100 drop ip from 58.42.0.0/16 to any
ipfw add 100 drop ip from 58.43.0.0/16 to any
ipfw add 100 drop ip from 58.44.0.0/14 to any
ipfw add 100 drop ip from 58.48.0.0/13 to any
ipfw add 100 drop ip from 58.56.0.0/15 to any
ipfw add 100 drop ip from 58.58.0.0/16 to any
ipfw add 100 drop ip from 58.59.0.0/17 to any

Of course this list is longer; right now it's in /etc/rc.firewall,
but I want it in a different file so rc.firewall can just hold the principal rules and another file (i.e. international.ban) can hold just the bans from different countries.

If this is correct, or if you see anything wrong, please correct me.

Thank you
 
Better use tables:
# ipfw table 1 add 58.59.0.0/17
and
# ipfw add 100 deny ip from "table(1)" to any
 
Two options:
  • use a separate file with individual IPFW rules, and then just source that file into the main rules script: . /path/to/file
  • use a separate file that configures a table, with a rule to block traffic from that table, sourced into the main rules script

You don't need to execute the script, just source it into the running script.

Change the following:
Code:
#!/bin/sh

BANS=`sh /etc/international.ban`

exec $BAN;
ipfw -q flush

into:
Code:
#!/bin/sh

ipfw -fq flush

. /etc/international.ban

And in your international.ban file, have either:
Code:
ipfw add 100 deny ip from 1.2.3.4 to any in recv <pub nic>
Or, better yet:
Code:
ipfw table 1 flush

ipfw table 1 add 1.2.3.0/24
ipfw table 1 add 2.3.0.0/16

ipfw add 100 deny ip from "table(1)" to any in recv <pub nic>
Using tables, you can update the table without reloading all your rules. Just edit the international.ban file to make it permanent, and then update the table from the command line: # ipfw table 1 add 3.4.5.6
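The sourcing-plus-table approach above, as an added example that is not from this thread or from FreeBSD itself, generalised one step: the ban file is read as data (one prefix per line, '#' comments allowed) and fed into a table, so rc.firewall never executes the ban file's contents and a malformed line is reported instead of silently breaking the ruleset. BAN_FILE, BAN_TABLE, PUB_NIC and the IPFW variable are assumptions, settable from the environment; point IPFW at a shell function to dry-run without ipfw.

```sh
#!/bin/sh
# Constructed example (not from the thread): rc.firewall fragment that treats
# the ban list as data (one CIDR per line, '#' comments allowed) rather than
# as a sourced shell script, so a bad line in the file cannot run commands as
# root. Paths, table number and interface are assumptions; override via env.
BAN_FILE="${BAN_FILE:-/etc/international.ban}"
BAN_TABLE="${BAN_TABLE:-1}"
PUB_NIC="${PUB_NIC:-tun0}"
IPFW="${IPFW:-ipfw -q}"      # set IPFW to a shell function to dry-run

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 prefix.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;   # digits, dots and one slash only
        */*) ;;
        *) return 1 ;;                      # a prefix length is required
    esac
    _ifs=$IFS; IFS='./'; set -- $1; IFS=$_ifs
    [ $# -eq 5 ] || return 1
    for _p; do [ -n "$_p" ] || return 1; done   # no empty octets
    [ "$1" -le 255 ] && [ "$2" -le 255 ] && [ "$3" -le 255 ] &&
        [ "$4" -le 255 ] && [ "$5" -le 32 ]
}

# load_bans FILE: rebuild the table from FILE and install the single deny
# rule in front of the rest of the ruleset. Counts go to BANS_LOADED and
# BANS_REJECTED so the caller can log or alert on a broken ban file.
load_bans() {
    BANS_LOADED=0; BANS_REJECTED=0
    $IPFW table "$BAN_TABLE" flush
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop comments
        line="$(printf '%s' "$line" | tr -d ' \t')" # and whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            $IPFW table "$BAN_TABLE" add "$line"
            BANS_LOADED=$((BANS_LOADED + 1))
        else
            echo "rc.firewall: ignoring bad entry in $1: $line" >&2
            BANS_REJECTED=$((BANS_REJECTED + 1))
        fi
    done < "$1"
    # Quote table(N): otherwise sh tries to parse the parentheses.
    $IPFW add 100 deny ip from "table($BAN_TABLE)" to any in recv "$PUB_NIC"
}

# Only run when the ban file is present (e.g. from rc.firewall at boot).
if [ -r "$BAN_FILE" ]; then load_bans "$BAN_FILE"; fi
```

After editing the file, `ipfw table 1 add <prefix>` on the command line still takes effect immediately, exactly as described above; the loader only matters at reload time.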
 
Is it possible to block a specific port using tables?
I tried these rules, but without any success.

Code:
cmd="ipfw -q"

$cmd table 1 flush
$cmd table 1 add 1.2.3.0/24
$cmd table 1 add 1.2.4.0/24
$cmd table 1 add 1.2.5.0/24

$cmd add deny log ip from "table(1)" to any dst-port 25
 
Not according to the man page (at least on FreeBSD 7.0).

IP doesn't have a concept of ports, just src and dest IPs.

To match UDP and TCP, you use { tcp or udp } for the protocol: # ipfw add allow { tcp or udp } from me to any 53 out xmit fxp0
 