Re: [Fwd: Re: Importing into rc.firewal rules]

From: Giorgos Keramidas (keramida@linux.gr)
Date: Mon Nov 22 2004 - 05:27:50 CST


On 2004-11-21 13:16, Ciprian BADESCU <cbadescu@aspc.cs.utt.ro> wrote:
> > On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
> >> I have a grown list of IPs that I am "deny ip from ###.### to any".
> >> Infected machines, hackers, etc..
> >>
> >> Is there a way to have this list outside of rc.firewall and just
> >> read it in?
>
> from man ipfw
>
> LOOKUP TABLES
> Lookup tables are useful to handle large sparse address sets, typically
> from a hundred to several thousands of entries. There could be 128
> different lookup tables, numbered 0 to 127.
> [...] here is an example: [...]
> To set the table you could use a file /etc/badboys
> and a short shell script executed before the table denying rules:
> for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;

If the table is going to grow at least a few thousand entries you
might hit the command line length limit. Try something like this
instead:

        while read ipaddr ;do
                ${fwcmd} table 0 add "${ipaddr}"
        done < /etc/badhosts

Getting the lines one by one can be a bit slow but it's more flexible.
Another good idea may be to use a custom awk script to parse the
badhosts file and ``generate'' sh(1) code that is run to populate the
table:

        badtable=0
        fwcmd="ipfw -q"

        # Skip blank and comment lines; emit one "ipfw table N add ADDR"
        # command per remaining line and hand the lot to sh(1).
        awk -v fwcmd="${fwcmd}" -v tab="${badtable}" \
            'NF > 0 && ! /^[ ]*#/ {
            printf "%s table %d add %s\n", fwcmd, tab, $1 }' /etc/badhosts | sh

This is probably going to be a bit faster than while read ...

- Giorgos
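
The awk-generated approach above, as an added example that is not part of
the original post: it also strips trailing comments and rejects anything
that is not an IPv4 address or prefix, so a typo in the badhosts file is
reported on stderr instead of being handed to the firewall. The file path,
table number and "ipfw -q" command are assumed values, and the sample list
is constructed from documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): turn a badhosts file into
# "ipfw table N add" commands, skipping comments and blank lines and
# rejecting malformed entries. Nothing here runs ipfw; the output is what
# you would pipe into sh on the firewall host.

# gen_table_cmds FILE TABLE FWCMD
# Writes one "FWCMD table TABLE add ADDR" line per valid entry in FILE to
# stdout; malformed entries go to stderr with their line number.
gen_table_cmds() {
    awk -v fwcmd="$3" -v tab="$2" '
        function valid_ipv4(s,    a, n, i) {
            n = split(s, a, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        {
            sub(/#.*/, "")                  # drop trailing comments
            if (NF == 0) next               # blank or comment-only line
            addr = $1; plen = "32"
            if (index(addr, "/") > 0) {     # CIDR form: split off prefix length
                split(addr, p, "/"); addr = p[1]; plen = p[2]
            }
            if (!valid_ipv4(addr) || plen !~ /^[0-9]+$/ || plen + 0 > 32) {
                printf "line %d: skipping malformed entry: %s\n", NR, $1 > "/dev/stderr"
                next
            }
            printf "%s table %s add %s\n", fwcmd, tab, $1
        }' "$1"
}

# Constructed sample list (documentation addresses, not real attackers).
BADHOSTS="${TMPDIR:-/tmp}/badhosts.example.$$"
trap 'rm -f "$BADHOSTS"' EXIT
cat > "$BADHOSTS" <<'EOF'
# badhosts: one address or prefix per line, '#' starts a comment
192.0.2.17            # single infected host
198.51.100.0/24       # whole prefix
203.0.113.300         # bad octet, must be rejected
not-an-address
EOF

# Preview the commands; on FreeBSD you would pipe this into sh instead.
gen_table_cmds "$BADHOSTS" 0 "ipfw -q"
```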

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"