[IPFW] How to do a permanent jail IP?

Hi, I'm using
Code:
${fwcmd} add 001 deny ip from table\(1\) to me
to make a jail of IPs (ban) [ What? -- Mod. ], but the table resets on every reboot of the server, so my question is this: is it possible to make, for example, an ipbanned.txt and add an IP to it to permanently ban this IP with an IPFW rule like the one I've posted?

Thanks in advance.
 
Not sure about IPFW because I use PF. The requirements, however, are the same.

  1. Make IPFW use <file> for <table>
  2. Make cronjobs:
    - instructing IPFW to write <table> to <file> every x minutes
    - instructing IPFW to reload the file at reboot
    - instructing IPFW to expire table entries every x days

If using PF, you can do the above with the following:

  1. Add entry to /etc/pf.conf:
    Code:
    table <banned> counters persist file "/var/db/pf/banned.table"
  2. Edit /etc/crontab (or use crontab -e if you prefer) to create desired jobs:
    Code:
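    # Save the table to disk every 5 minutes
    */5     *       *       *       *       root    pfctl -t banned -T show > /var/db/pf/banned.table 2>/dev/null
    # Reload the saved table at boot (@reboot replaces the five time fields)
    @reboot root    pfctl -t banned -Tr -f /var/db/pf/banned.table
    # Once a day, run expire with a 259200-second (3-day) threshold
    @daily  root    pfctl -t banned -Te 259200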
 
Using ipfw, try something like:
Code:
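# ipfw binary; $oif (the outside interface) must be set earlier in the script
ipfw="/sbin/ipfw"

# IPs I want to block, one per line
while read -r ip
do
        $ipfw -q table 2 add "$ip"
done < /etc/rc.ipfw_blocked_ip.txt

# Drop inbound traffic from any address in table 2
$ipfw -q add deny ip from table\(2\) to any in via "$oif"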
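
An added example, not part of the thread: a /bin/sh loader that checks each line of the ban file before handing it to ipfw, because the loop above passes every line to a root-run command unchecked. The function names, the IPFW override variable and the sample addresses are assumptions made for this example; the file path is the one used in the post above.

```shell
#!/bin/sh
# Added example: validate ban-list entries before they reach ipfw.
IPFW=${IPFW:-/sbin/ipfw}    # assumption: override with IPFW=echo for a dry run

# Succeed only if $1 is a dotted-quad IPv4 address with an optional /0-32 mask.
valid_entry() {
    addr=${1%%/*}
    case $1 in */*) mask=${1#*/} ;; *) mask=32 ;; esac
    case $mask in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read entries on stdin and add the valid ones to ipfw table $1.
# Blank lines, '#' comments and text after the first field are ignored.
# Prints "loaded=N skipped=M"; returns non-zero if anything was skipped.
load_banlist() {
    loaded=0; skipped=0
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac
        if valid_entry "$entry" && "$IPFW" -q table "$1" add "$entry"; then
            loaded=$((loaded + 1))
        else
            printf 'skipped: %s\n' "$entry" >&2
            skipped=$((skipped + 1))
        fi
    done
    echo "loaded=$loaded skipped=$skipped"
    [ "$skipped" -eq 0 ]
}

# Dry run over constructed sample entries (documentation address ranges).
dry_run() {
    printf '%s\n' '# constructed sample' '192.0.2.10' '198.51.100.0/24 scanner' \
        '300.1.1.1' 'example.org' '203.0.113.7/33' | IPFW=echo load_banlist 2
}

# Real use in the firewall script: load_banlist 2 < /etc/rc.ipfw_blocked_ip.txt
if [ "${1:-}" = "--dry-run" ]; then dry_run || true; fi
```

Skipped entries go to stderr, so a malformed line shows up in the boot log instead of silently failing to load.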
 