NOTE: This is a static archive of an old blog, no interactions like search or categories are current.

FreeBSD has recently added a way to store large numbers of CIDR prefixes in a lookup table that a single rule can then match against.
I use these in my country blocking to optimize things a bit.
Previously I put a large block of ipfw deny's very early in my rule set and blocked all traffic from those networks on every port. This was not optimal, since for some IPs I'd like to keep certain ports open, like port 80. I did not want per-host block lists, since that would mean hosts × 3000 rules. Lookup tables are the answer.
My current setup goes more or less like this:

  • General counter rules per jail
  • Denies on frequently scanned ports like 1433 – without logging
  • Blocks of rules per host – allow TCP, allow UDP, deny TCP, deny UDP, deny ICMP

I am now amending the per-host block by adding a single rule above the deny rules that drops all traffic from the dodgy countries without logging it; the logging denies then follow it. This keeps my logs reasonably free of IPFW DENY entries, so I can monitor them easily.
I first create the table. Each table is numbered; I just chose 1 for mine.

ipfw -q table 1 add 220.228.0.0/15
ipfw -q table 1 add 220.232.64.0/18
ipfw -q table 1 add 220.232.128.0/17

I then only need a single rule per host, which in effect is the equivalent of duplicating all 3000 rules I previously had on a per-host basis. Now I can have my port 80s etc. open and still drop the dodgy traffic without polluting my logs. Perfect.
A sample table rule:

ipfw add 21999 set 15 deny ip from "table(1)" to 1.2.3.4

The quotes around table(1) are very important, since the shell you run the command under may otherwise misinterpret the parentheses. You could alternatively escape them, for example: table\(1\)