{"id":267,"date":"2005-02-28T22:02:21","date_gmt":"2005-02-28T21:02:21","guid":{"rendered":"http:\/\/wp.devco.net\/?p=267"},"modified":"2009-10-09T17:08:06","modified_gmt":"2009-10-09T16:08:06","slug":"ipfw_tables","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2005\/02\/28\/ipfw_tables.php","title":{"rendered":"ipfw tables"},"content":{"rendered":"<p><a href=\"http:\/\/www.freebsd.org\/\">FreeBSD<\/a> has recently added a method for storing large amounts of cidr addresses in a lookup table that can then be matched in a single rule.<br \/>\nI use these on my <a href=\"http:\/\/www.devco.net\/archives\/2004\/08\/11\/more_country_blocking.php\">country blocking<\/a> to optimize things a bit.<br \/>\nPreviously I put a large block of <i>ipfw deny<\/i>&#8216;s very early up in my rule set and just block it all on everything.  This was not optimal since for some IP&#8217;s I&#8217;d like to keep certain ports open &#8211; like port 80.  I did not want to have per host block lists since that would mean hosts x 3000 rules.  Lookup tables are the answer.<br \/>\nMy current setup goes more or less like this:<\/p>\n<ul>\n<li>General counter rules per jail<\/li>\n<li>Denies on frequently scanned ports like 1433 &#8211; without logging<\/li>\n<li>Blocks of rules per host &#8211; allow TCP, allow UDP, deny TCP, deny UDP, deny ICMP\n<\/ul>\n<p>I am now amending the per host block by adding a single rule above the deny rules that kills off all the traffic from the dodgy countries &#8211; without logging it &#8211; then I have denies with logging.  This keeps my logs reasonably empty of IPFW DENY log entries so I can monitor them easily.<br \/>\nI first create the table, each table is numbered I just chose 1 for my table.<\/p>\n<blockquote><p>\nipfw -q table 1 add 220.228.0.0\/15<br \/>\nipfw -q table 1 add 220.232.64.0\/18<br \/>\nipfw -q table 1 add 220.232.128.0\/17\n<\/p><\/blockquote>\n<p>I then simply have to add a single rule for each host which in effect is the equivelant of duplicating all 3000 rules I previously had on a per host basis.  Now I can have my port 80&#8217;s etc open and still kill off the dodgy traffic without polluting my logs.  Perfect.<br \/>\nA sample table rule:<\/p>\n<blockquote><p>\nipfw add 21999 set 15 deny ip from &#8220;table(1)&#8221; to 1.2.3.4\n<\/p><\/blockquote>\n<p>The quotes around the <i>table(1)<\/i> are very important since the shell you run the command under may cause havoc with the ()&#8217;s.  You could alternatively escape the ()&#8217;s, example: <i>table\\(1\\)<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FreeBSD has recently added a method for storing large amounts of cidr addresses in a lookup table that can then be matched in a single rule. I use these on my country blocking to optimize things a bit. Previously I put a large block of ipfw deny&#8216;s very early up in my rule set and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[5],"tags":[62,26,63,33],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/267"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=267"}],"version-history":[{"count":1,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/267\/revisions"}],"predecessor-version":[{"id":705,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/267\/revisions\/705"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}