IP Filter – using rule groups for blocking IP blocksThis article discusses my strategy for using rule groups for blocking IP blocks on the fly. For more information on how rule groups work, please read the documents found at http://www.obfuscation.org/ipf/
The backgroundToday I was trying to find a way to block specific IP addresses or block on the fly for short term purposes. Perhaps someone is attacking your site or there is a rogue mail server you want to block until it can be fixed. If I decide to block long term, I’ll move the rules into /etc/ipf.conf.
At first I tried doing something like this:
echo "block in quick from 188.8.131.52/32 to any group 100" | ipf -f -
This will add the above rule to the end of the list for group 100. However, that will be ineffective if you have any "pass in quick" rule, which I did. So I needed a way to add blocking rules in before any other rules.
The idea – add another rule groupI came up with the idea of a adding another rule group to do nothing but block. All rules in this group will deal only with blocking. That will allow me to insert blocking rules further up in the rule tree which rules further down will never see because of the "block in quick".
The rule group changesI run a dual homed host (i.e. a box with two network cards; one goes to my ISP, the other goes to my LAN, see topology). So the start of my rules looks like this:
block in log on ed0 all head 100 block out log on ed0 all head 150 block in log on ed1 all head 200 block out log on ed1 all head 250
I decided to change my groups to be like this:
block in log on ed0 all head 10 # # if under attack, block here in group 10 (and possibly 15) # block in log on ed0 all head 100 group 10 block out log on ed0 all head 150 block in log on ed1 all head 200 block out log on ed1 all head 250
As you can see, I added a new rule group (10) and put group 100 under that group. With my normal rule set (/etc/ipf.conf), I don’t have any rules in group 10. I use that group only for my short-term blocking.
The scriptNow I can use this little script to add an IP address or a rang
#!/bin/sh echo "block in quick from $1 to any group 10" | ipf $2 -f -
Remember to chmod the script to 770.
Now I can block a specific IP address with this simple command:
I can also block a class C address with this:
You can also remove a block with this:
./blockrange.sh 184.108.40.206/24 -r
What’s next?I have no idea. I was toying with the idea of keeping a list of rules added using this script. This would serve two purposes.
- The list could be used to clear out the rules which have been added.
- If necessary, you could use the list to copy/paste into /etc/ipf.conf if you decide to make the blocks permanent.
Offhand, this sounds like the beginnings of a good little port.