IP Filter – using rule groups for blocking IP blocks

This article discusses my strategy for using rule groups for blocking IP blocks on the
fly.  For more information on how rule groups work, please read the documents
found at http://www.obfuscation.org/ipf/

The background

Today I was trying to find a way to block specific IP addresses or address blocks on the
fly, for short term purposes.  Perhaps someone is attacking your site, or there is a rogue
mail server you want to block until it can be fixed.  If I decide to block long term,
I'll move the rules into /etc/ipf.conf.

At first I tried doing something like this:

echo "block in quick from 1.2.3.6/32 to any group 100" | ipf -f -

This appends the rule to the end of the list for group 100.  However, that is
ineffective if any earlier rule in the group is a "pass in quick" rule, which I had:
"quick" means the first matching rule is final, so once the attacker's packet matches
the pass rule the block rule further down is never evaluated.  So I needed a way to
add blocking rules in front of all the other rules.

The idea – add another rule group

I came up with the idea of adding another rule group to do nothing but block.
All rules in this group will deal only with blocking.  That will allow me to
insert blocking rules further up in the rule tree, and rules further down will never see
the packet because of the "block in quick".

The rule group changes

I run a dual homed host (i.e. a box with two network cards: one goes to my ISP, the
other goes to my LAN; see topology).  So the start of my
rules looks like this:

block in  log on ed0 all head 100
block out log on ed0 all head 150

block in  log on ed1 all head 200
block out log on ed1 all head 250

I decided to change my groups to be like this:

block in  log on ed0 all head 10

#
# if under attack, block here in group 10 (and possibly 15)
#

block in  log on ed0 all head 100 group 10
block out log on ed0 all head 150

block in  log on ed1 all head 200
block out log on ed1 all head 250

As you can see, I added a new rule group (10) and made the old head rule for group 100 a
member of it.  Because that rule is the last one in group 10 and matches every inbound
packet on ed0, a packet that nothing in group 10 blocks falls through into group 100
exactly as before, while a packet that hits a "block in quick" in group 10 never
reaches group 100.  With my normal rule set (/etc/ipf.conf), I don't have any rules in group
10.  I use that group only for my short-term blocking.

The script

Now I can use this little script to add an IP address or a range:

#!/bin/sh
# usage: blockrange.sh <ip-or-cidr> [-r]   ("-r" removes the rule instead of adding it)
# $2 is deliberately left unquoted: it is either empty or -r.
echo "block in quick from $1 to any group 10" | ipf $2 -f -

Remember to chmod the script to 770, and run it as root: ipf needs to open the
filter device to change the rules.

Now I can block a specific IP address with this simple command:

./blockrange.sh 1.2.3.6

I can also block a /24 (the old class C size) with this:

./blockrange.sh 1.2.3.6/24

You can also remove a block with this:

./blockrange.sh 1.2.3.6/24 -r

Note that "ipf -r" removes the rule that matches the text it is given, so the address
must be written exactly as it was when the block was added (1.2.3.6/24 here, not
1.2.3.0/24).  You can check what is actually loaded with ipfstat -i, which prints the
inbound rule list.

What’s next?

I have no idea.  I was toying with the idea of keeping a list of rules added
using this script.  This would serve two purposes.

  1. The list could be used to clear out the rules which have been added.
  2. If necessary, you could use the list to copy/paste into /etc/ipf.conf if you decide to
    make the blocks permanent.
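The record-keeping idea in the list above, together with the add/remove script earlier in the article, can be folded into one script.  What follows is an added example written for this page, not the author's blockrange.sh: every short-term rule that gets loaded is also written to a list file, so the blocks can be listed, removed one at a time, flushed in one go, or pasted into /etc/ipf.conf later.  The rule text and group 10 are the article's; the list file path (/var/db/ipf-blocks.list), the IPF_CMD override, the subcommand names and the address check are choices made here and are not from the original page.

```shell
#!/bin/sh
# Added example for this page, not the article's blockrange.sh.
# Short-term ipf blocks go into rule group 10 (the block-only group the
# article sets up) and every rule loaded this way is also recorded in
# $BLOCKLIST so it can be listed, removed one at a time, or flushed.
#
# Assumptions made here (not from the article): the list file path, the
# IPF_CMD override (lets the logic be exercised without a real ipf) and
# the subcommand names.
BLOCKLIST="${BLOCKLIST:-/var/db/ipf-blocks.list}"
IPF_CMD="${IPF_CMD:-ipf}"

# Rule text for one address or CIDR block.  Add, remove and flush must all
# use exactly this text: "ipf -r" only removes a rule matching what was loaded.
mkrule() {
    printf 'block in quick from %s to any group 10\n' "$1"
}

# Accept only a dotted quad with an optional /0-32 prefix, so a stray
# argument such as "1.2.3.4 to any" can never become part of a rule.
valid_addr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    addr="${1%%/*}"
    pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32          # no "/" means a single host
    case "$pfx" in *[!0-9]*|"") return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0
    oldifs=$IFS; IFS=.
    for o in $addr; do
        case "$o" in *[!0-9]*|"") IFS=$oldifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Load a block into the kernel and record it.  A rule already on record is
# refused: loading it twice would leave two copies to remove later.
add_block() {
    valid_addr "$1" || { echo "bad address: $1" >&2; return 1; }
    rule=$(mkrule "$1")
    if [ -f "$BLOCKLIST" ] && grep -qxF -- "$rule" "$BLOCKLIST"; then
        echo "already blocked: $1" >&2
        return 1
    fi
    printf '%s\n' "$rule" | $IPF_CMD -f - || return 1
    printf '%s\n' "$rule" >> "$BLOCKLIST"
}

# Remove one block from the kernel ("ipf -r") and from the record.
del_block() {
    rule=$(mkrule "$1")
    printf '%s\n' "$rule" | $IPF_CMD -r -f - || return 1
    grep -vxF -- "$rule" "$BLOCKLIST" > "$BLOCKLIST.tmp" || true
    mv "$BLOCKLIST.tmp" "$BLOCKLIST"
}

# Remove every recorded block in one go, e.g. once the attack is over.
flush_blocks() {
    [ -s "$BLOCKLIST" ] || return 0
    $IPF_CMD -r -f "$BLOCKLIST" || return 1
    : > "$BLOCKLIST"
}

# Print the record; the lines can be pasted into /etc/ipf.conf as they are.
list_blocks() {
    [ -f "$BLOCKLIST" ] && cat "$BLOCKLIST"
}

# Dispatch only when run with arguments; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    case "$1" in
        add)   add_block "$2" ;;
        del)   del_block "$2" ;;
        list)  list_blocks ;;
        flush) flush_blocks ;;
        *)     echo "usage: $0 add|del <ip-or-cidr> | list | flush" >&2; exit 2 ;;
    esac
fi
```

Typical use is `blockrange.sh add 1.2.3.6`, `blockrange.sh del 1.2.3.6` and `blockrange.sh flush` when the emergency is over.  Because ipf -r only removes a rule whose text matches what was loaded, the script always regenerates the rule through the same function for adding, removing and flushing, and it refuses an address it cannot parse rather than passing arbitrary text into a rule.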

Offhand, this sounds like the beginnings of a good little port.
