[Firehol-support] very long blacklist

Costa Tsaousis costa at tsaousis.gr
Thu Apr 15 22:54:18 BST 2004 

Bernhard,

bellow is a reply to a similar problem.

Costa


---

> I would like to build a short term blacklisting system and I wonder if
> I could do this using Firehol.  I all ready  use Firehol and love it.
> What I would like to do is watch my mail log and when I detect a batch
> of spam coming from a server put that IP address on a blackhole list
> for a week or so.
>
> This would require Firehol pick up this list from a generated file and
> that I have a way to start and commit the firewall automatically each
> time an address is added or removed.
>
> Any idea if this would work and approximately how to go about the
> Firehol aspects?

FireHOL has a blacklist helper. You can make it read a file like this:

blacklist these `cat /path/to/generated/file`

The file: /path/to/generated/file should contain something like :

10.0.0.0
192.168.1.0/24
192.168.2.0/255.255.255.0

etc.
Any of the above forms is valid. Make sure there is at least an IP in
the file, or FireHOL will break.

Then you just need to restart FireHOL when you want it to activate all
changes made to the file (from the crontab probably).

The program that will generate the external file with the IPs controls
everything:

- as long as an IP is in the file, FireHOL will block it.
- when an IP is removed, then the next FireHOL restart will allow it.

If I was you, I would prefer to do this outside FireHOL but the way
FireHOL expects it. For example, add a blacklist rule to your
firehol.conf file with an IP that you don't care to be blacklisted:

blacklist these 255.255.255.255

The above will force FireHOL to create all the structures necessary for
blacklisting hosts. Start FireHOL and forget about it.

Then, write a small script to block and another one to unblock a host.
The block script is this:

#!/bin/sh
# USAGE: block.sh IP
/sbin/iptables -I INPUT -s $1 -j BL_IN_UNI
/sbin/iptables -I FORWARD -s $1 -j BL_IN_UNI

The second line is needed only if you are routing the traffic.

The unblock script is this:

#!/bin/sh
# USAGE: unblock.sh IP
/sbin/iptables -D INPUT -s $1 -j BL_IN_UNI
/sbin/iptables -D FORWARD -s $1 -j BL_IN_UNI

Then, call block.sh or unblock.sh to block and unblock IPs as needed.
Note that the only difference between block.sh and unblock.sh is that
block.sh is using -I and unblock.sh is using -D. Everything else must be
exactly the same.

Also, if you block a host twice, you will have to unblock it twice too.

Note, that using this method will allow you NOT to restart the firewall
for blocking and unblocking, but if and when you restart the firewall
all the hosts that were blocked will be unblocked.

Costa

---
> If I understand what you are saying...
>
> To block and unblock IP addresses for short periods of time, it's
> easier to use the scripts you wrote than to modify the firewall.  I 
> think you are right.  Modifying a perfectly good firewall for temporay
> changes seems overkill.  Also, I start and stop the firewall so 
> rarely, that if I lose the addresses I am blocking temporarily I 
> wouldn't care.  They will get blocked again soon enough. :(
>
> Thanks for provding these scripts.  I could not have written them
> myself, but I can and will use them.
>
> One more question.  I am using version 1.20 of FireHol.  Is it a good
> idea to upgrade?

use the lastest CVS version: http://firehol.sf.net/firehol.tar.gz
It is by far the best FireHOL ever (much better than 1.120) and it is
stable too.

Also, I don't think 1.120 supports blacklists...

Costa

---

> thanks.  I will upgrade.
>
> One last question...  (I promise) what is BL_IN_UNI.

if you you run:

# firehol.sh explain

and then give to the prompt:

blacklist these 255.255.255.255

It shows that it creates an iptables chain with the name BL_IN_UNI (i.e.
BlackList INput UNIdirectional). It is just a name I have chosen to
remember what this internal chain is for and which I believe will be
hard to overlap some user specified chain.

Costa



On Πεμ, 2004-04-15 at 17:31, Bernhard J. M. Gruen wrote:
> Hi,
> 
> First: I use firehol for about 1 year now and I think it is very good!
> I want to load and use a very long blacklist (about 6000 ip ranges) but 
> it take too long to load. Can I speed up this process somehow? (At the 
> moment every entry is on a single line (blacklist full IP/MASK))
> Another problem is that you have to restart the whole firewall script if 
> you only want to add/change/delete one rule (e. g. blacklist entry). 
> Wouldn't it be possible to support something like reconfiguring a 
> already loaded firewall? With this you can use your system/network 
> before every blacklist entry is processed.
> 
> 
> Bernhard from Germany

More information about the Firehol-support mailing list