>Number:         176344
>Category:       misc
>Synopsis:       Add support for firewall deny lists (workstation type)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 10:10:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Noor Dawod
>Release:        9.1-PRERELEASE Wed Nov 21 UTC 2012
>Organization:
>Environment:
FreeBSD hidden 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Wed Nov 21 08:36:35 
UTC 2012     root@hidden:/usr/obj/usr/src/sys/CUSTOM  amd64
>Description:
ipfw has a handy configuration section in rc.conf to ease firewalling. In the 
'workstation' type, however, there is a way to allow full access for selected 
clients, but no way of denying it to others.

The attached patches would add that support. Since lists of IPs could grow 
big, I've opted to use files to host the list of addresses, as opposed to 
writing the list in rc.conf.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- /etc/defaults/rc.conf       2013-02-22 09:37:36.000000000 +0000
+++ /etc/defaults/rc.conf-new   2013-02-22 09:37:44.000000000 +0000
@@ -153,6 +153,11 @@
                                # firewall.
 firewall_trusted=""            # List of IPs which have full access to this
                                # host for "workstation" firewall.
+firewall_denied=""              # List of files containing IPv4 and/or IPv6
+                                # addresses that have no access to this host.
+firewall_denied_rule="550"      # ipfw rule number used to host all rules   
+                                # denying access to hosts listed in the files
+                                # in $firewall_denied.
 firewall_logdeny="NO"          # Set to YES to log default denied incoming
                                # packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
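Review bot: the `#` comment column of the two new entries does not line up with the neighbouring `firewall_trusted` and `firewall_logdeny` lines (two extra spaces before `#`), and the `firewall_denied_rule="550"` line carries trailing whitespace after `rules`; match the existing alignment and trim it. It would also help to say in the `firewall_denied` comment that each file holds one address or CIDR per line, since that is the format the rc.firewall loop expects and rc.conf is where an admin will look first.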

--- /etc/rc.firewall    2012-11-21 09:08:57.000000000 +0000
+++ /etc/rc.firewall-new        2013-02-22 09:40:30.000000000 +0000
@@ -433,6 +433,12 @@
        #                                This option can seriously degrade
        #                                the level of protection provided by
        #                                the firewall.
+       #  firewall_denied:             List of files containing IPv4 and/or
+       #                                IPv6 addresses that have no access
+       #                                to this host.
+       #  firewall_denied_rule:        ipfw rule number used to host all
+       #                                rules denying access to hosts listed
+       #                                in the files in $firewall_denied.
        #  firewall_logdeny:            Boolean (YES/NO) specifying if the
        #                                default denied packets should be
        #                                logged (in /var/log/security).
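Review bot: the new `firewall_denied` comment should spell out the file format the loop in the following hunk relies on, i.e. one entry per line, lines starting with `#` ignored, only the first space-separated field used, and it should state whether an address listed in both `firewall_trusted` and `firewall_denied` ends up allowed or denied; as written the admin has no documented way to know how to write the files or what precedence to expect.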
@@ -498,6 +504,31 @@
          ${fwcmd} add pass ip from $i to me
        done
 
+       # If specified, deny hosts from reaching this machine.
+       for i in ${firewall_denied} ; do
+               # check that file exists first.
+               if [ -f $i ]; then
+                       oldIFS=$IFS
+                       IFS="
+"
+                       # Go over all IPs listed in the file.
+                       for ip in `cat $i` ; do
+                               # Block IP if first character isn't a dash.
+                               i=${ip%${ip#?}}
+                               if [ $i != "#" ]; then
+                                       # Cut string when first space is found.
+                                       # Practical for Postfix files and 
geographic
+                                       # CIDR's obtained from online sources.
+                                       ip=`echo $ip | cut -d " " -f 1`
+
+                                       # Add block rule for target IP.
+                                       ${fwcmd} add ${firewall_denied_rule} 
deny ip from $ip to me
+                               fi
+                       done
+                       IFS=$oldIFS
+               fi
+       done
+
        ${fwcmd} add 65000 count ip from any to any
 
        # Drop packets to ports where we don't want logging
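Review bot: the comment "Block IP if first character isn't a dash" contradicts the test under it, `if [ $i != "#" ]`, which skips lines starting with `#`; fix the comment and quote the operand (`[ "$i" != "#" ]`), because a whitespace-only line leaves `$i` empty and `test` then fails with an error instead of skipping the line. Assigning the first character to `i` also overwrites the outer loop's file name, so use a separate variable. Two larger points: the deny rules get the fixed number `${firewall_denied_rule}` (550 by default) while the `pass ip from $i to me` rules for `firewall_trusted` just above are added without a number, so whether a host present in both lists is allowed or denied depends on what ipfw auto-numbered those pass rules to, which the patch does not control; either add the deny rules unnumbered right after the trusted passes or document the intended precedence. And since the file contents go straight to `${fwcmd}` with only `cut -d " " -f 1` applied, a line with leading whitespace or tab-separated fields yields an empty or malformed argument and an ipfw error at boot; validate each entry (or at least trim it with `read`), and for large lists consider an ipfw table with a single `deny ip from table(N) to me` rule instead of one rule per address, provided tables cover the address families the files may contain on the target release.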


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
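As an added example that is not part of PR 176344 or its patch, the POSIX sh below implements the file-driven deny list the description proposes in the shape a reviewer would want before it runs as root from rc.firewall: `#` comments and blank lines are skipped, the first whitespace-separated field is taken (so Postfix access-map lines and annotated CIDR lists work), and every entry is checked to look like an IPv4 or IPv6 address or prefix before it becomes an `ipfw add N deny ip from ADDR to me` command. The function names (`is_ip4`, `is_ip6`, `deny_cmds`, `sample_list`) and the sample list contents are this example's own, and the commands are printed rather than executed so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not code from PR 176344's patch.  Function names and the
# sample list below are this example's own.  Validation is the point:
# rc.firewall runs as root at boot, and a stray line in a downloaded list
# should be skipped, not handed to ipfw as a rule argument.

# is_ip4 ADDR: dotted quad with an optional /0-32 prefix.  Exit 0 if valid.
is_ip4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then pfx=${1#*/}; else pfx=32; fi
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.
    set -- $addr                              # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_ip6 ADDR: loose IPv6 check (hex groups and colons, at most one "::",
# optional /0-128 prefix).  ipfw still does the authoritative parse.
is_ip6() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then pfx=${1#*/}; else pfx=128; fi
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 128 ] || return 1
    case $addr in
        *:::*|*[!0-9a-fA-F:]*) return 1 ;;    # bad characters or ":::"
        *:*) ;;                               # has at least one colon
        *) return 1 ;;
    esac
    rest=${addr#*::}                          # text after the first "::"
    case $rest in *::*) return 1 ;; esac      # a second "::" is not allowed
    return 0
}

# deny_cmds FILE RULENUM [FWCMD]: print one "FWCMD add RULENUM deny ..." line
# per valid entry, report rejected entries on stderr, execute nothing.
deny_cmds() {
    file=$1; rule=$2; fw=${3:-ipfw}
    [ -f "$file" ] || { echo "deny_cmds: no such file: $file" >&2; return 1; }
    # sed drops full-line and trailing '#' comments; read trims leading
    # whitespace (spaces or tabs) and splits off the first field.
    sed 's/#.*//' "$file" | while read -r ip rest; do
        [ -n "$ip" ] || continue
        if is_ip4 "$ip" || is_ip6 "$ip"; then
            printf '%s add %s deny ip from %s to me\n' "$fw" "$rule" "$ip"
        else
            printf 'deny_cmds: skipping invalid entry: %s\n' "$ip" >&2
        fi
    done
}

# sample_list: write a constructed deny list (not real blocklist data) to a
# temp file and print its path, so the script runs stand-alone and offline.
sample_list() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed example deny list
192.0.2.10
198.51.100.0/24 REJECT    # Postfix access-map style line
	2001:db8::/32
2001:db8:bad::1
10.0.0.256                # invalid octet, must be skipped
not-an-address
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: show the rules that would be loaded for rule number 550.
f=$(sample_list)
deny_cmds "$f" 550
rm -f "$f"
```

Run it as `sh deny_list.sh`; the four valid entries come out as ipfw commands and the two bad lines are reported on stderr. To load the rules for real, pipe the output to `sh` as root or replace the `printf` with `${fwcmd} add ...` inside rc.firewall; the validation functions are what keep an untrusted list from turning into malformed rules.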
