

FreeBSD IPFW - block ip or subnet.

Using the command line (rules and table entries added this way live in the kernel only and are gone after a reboot — see "Persistent rules" below).
Show current state:
ipwf list
Add IPs to the ban table from a file (one IP or CIDR per line):
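# Rebuild the ban table from list.txt (one IP or CIDR per line). Use the
# same table number the deny rule references — entries added to table 1
# are never consulted by "deny ip from table(10)".
ipfw table 10 flush
# -n 1: one ipfw call per address, so a malformed line is rejected on its
# own instead of taking the whole batch down with it.
xargs -n 1 ipfw table 10 add < list.txt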

or

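ipfw table 10 add 10.0.0.5           # ban a single host
ipfw table 10 add 10.0.0.0/8         # ban a whole subnet (CIDR)
ipfw table 10 list                   # show table contents
# Give the deny rule a low number: an unnumbered "ipfw add" is appended
# after the highest existing rule, i.e. behind every allow rule already
# loaded, where it would never be reached.
ipfw add 1 deny ip from 'table(10)' to me   # drop anything from table 10 to this host's own addresses
ipfw table 10 delete 10.0.0.10       # un-ban one entry
ipfw table 10 flush                  # empty the table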

Add IPs from a file with a script:

Create the script ~/ipfw_add_list.sh:

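#!/bin/sh
# ipfw_add_list.sh — rebuild IPFW ban table 10 from a text file.
#
# Usage (as root):  sh ~/ipfw_add_list.sh [banlist] [table]
#   banlist  file with one IP or CIDR per line; blank lines and lines
#            starting with '#' are ignored (default: ~/ip_banlist.txt)
#   table    IPFW table number to rebuild (default: 10, the table that the
#            "deny ip from table(10) to me" rule matches against)
#
# The table is flushed before loading, so removing a line from the file and
# re-running un-bans that address. Exit status is non-zero if the file is
# unreadable or any entry was rejected by ipfw.
set -u

# load_banlist FILE TABLE
# Flush TABLE and add every entry of FILE to it, one ipfw call per line.
# Returns 0 if every entry was accepted, 1 otherwise. A bad line is reported
# on stderr but does not stop the load: after the flush, a half-loaded ban
# table is worse than one with a single gap.
load_banlist() {
  local file tbl rejected entry
  file=$1
  tbl=$2
  rejected=0

  [ -r "$file" ] || { printf '%s: cannot read %s\n' "$0" "$file" >&2; return 1; }
  ipfw table "$tbl" flush || return 1

  # read -r keeps backslashes literal; "|| [ -n ]" still processes a last
  # line without a trailing newline. Default IFS trims surrounding blanks.
  while read -r entry || [ -n "$entry" ]; do
    case $entry in
      ''|\#*) continue ;;   # blank line or comment
    esac
    if ! ipfw table "$tbl" add "$entry"; then
      printf '%s: rejected entry: %s\n' "$0" "$entry" >&2
      rejected=$((rejected + 1))
    fi
  done < "$file"

  [ "$rejected" -eq 0 ]
}

load_banlist "${1:-$HOME/ip_banlist.txt}" "${2:-10}"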

# cat ~/ip_banlist.txt

10.0.0.1
10.0.0.2
10.0.0.3
192.168.1.9

Run the script (as root):

# sh ~/ipfw_add_list.sh

Persistent rules (reloaded at boot).

# add to /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"   # sets net.inet.ip.fw.verbose=1; without it the "log" keyword in rule 900 logs nothing
# create /usr/local/etc/ipfw.rules with the ruleset below
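#!/bin/sh
# /usr/local/etc/ipfw.rules — ruleset run by rc.d/ipfw at boot (firewall_script).
#
# Policy: everything not explicitly allowed is dropped and logged (rule 900).
# Order matters — ipfw stops at the first matching rule, so the ban-table
# check is rule 1 and the catch-all deny is last.
#
# IPFW tables are kernel state separate from the rules: "ipfw flush" does
# not empty them, but a reboot does. The ban list is therefore re-read from
# $BANLIST here (one IP or CIDR per line, blank lines and '#' comments
# ignored) so that rule 1 has something to match after a restart.

BANLIST=${BANLIST:-/usr/local/etc/ipfw_banlist.txt}
BANTABLE=10

# ipf RULE... — add one rule quietly (replaces the old unquoted $IPF="ipfw -q add").
ipf() {
  ipfw -q add "$@"
}

# Start from an empty ruleset. With a default-deny kernel, traffic is
# dropped until the rules below are loaded, so this file must run to the end.
ipfw -q -f flush

# --- ban table -------------------------------------------------------------
if [ -r "$BANLIST" ]; then
  # flush can only fail before the table exists (first boot); the first
  # "add" creates it, so the error is not interesting.
  ipfw -q table "$BANTABLE" flush 2>/dev/null
  while read -r entry || [ -n "$entry" ]; do
    case $entry in
      ''|\#*) continue ;;
    esac
    ipfw -q table "$BANTABLE" add "$entry"
  done < "$BANLIST"
fi

# Banned sources first, so nothing below can let them in. "me" matches only
# addresses configured on this host; traffic merely forwarded through the
# box is not covered — on a router use "to any".
ipf 1 deny ip from "table($BANTABLE)" to me

# --- loopback --------------------------------------------------------------
ipf 10 allow all from any to any via lo0
# 127/8 must never arrive on or leave a real interface (spoofing)
ipf 20 deny all from any to 127.0.0.0/8
ipf 30 deny all from 127.0.0.0/8 to any
ipf 40 deny tcp from any to any frag

# --- stateful --------------------------------------------------------------
ipf 50 check-state
# "established" matches any TCP packet with ACK or RST set, regardless of
# connection state, so it lets ACK/FIN scans and forged-ACK traffic reach
# ports the rules below never open. Outbound keep-state (rule 70) already
# admits the replies to this host's own connections; consider dropping
# rule 60.
ipf 60 allow tcp from any to any established
ipf 70 allow all from any to any out keep-state
ipf 80 allow icmp from any to any

# --- SSH (consider limiting the source, e.g. "from <admin-net> to me 22") --
ipf 130 allow tcp from any to any 22 in
ipf 140 allow tcp from any to any 22 out

# --- FTP -------------------------------------------------------------------
ipf 200 allow tcp from any to any 21 setup keep-state
ipf 210 allow tcp from any to any 20 setup keep-state
# Passive-mode data ports: this opens 20 000 ports in both directions.
# Match the range to the FTP daemon's configured passive range and limit it
# to "in" (server) or "out" (client) rather than both.
ipf 230 allow tcp from any to any 30000-50000 setup keep-state

# --- HTTP / HTTPS ----------------------------------------------------------
ipf 250 allow tcp from any to any 80 in
ipf 260 allow tcp from any to any 80 out
ipf 270 allow tcp from any to any 443 in
ipf 280 allow tcp from any to any 443 out

# --- default deny ----------------------------------------------------------
# "log" only writes anything when net.inet.ip.fw.verbose=1
# (firewall_logging="YES" in rc.conf); net.inet.ip.fw.verbose_limit caps
# how many matches are logged.
ipf 900 deny log all from any to any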