[Firehol-support] DNS-based blacklisting

Costa Tsaousis costa at tsaousis.gr
Sat Sep 11 11:55:20 CEST 2004 

Daniel,

there is the blacklist helper that does this job.

Use it like this:

blacklist these a.ip another.ip ...

This will stop only NEW connections from these IPs. Established
connections will not be blocked. To stop all traffic use:

blacklist full a.ip another.ip ...

You can get the list of IPs from an external file like this:

blacklist these `cat /path/to/file/with/one/ip/per/line`

You can also add or remove IPs from a running firewall without restarting
FireHOL. To do this, add to your config these two lines:

blacklist these 255.255.255.255
blacklist full 255.255.255.255

Replace 255.255.255.255 with an IP you don't care to blacklist. We need an
IP here just for FireHOL to create its iptables structures for
blacklisting.

Then use the following scripts to manipulate the list of IPs during runtime.

a) To block/unblock only NEW connections use:

--- block-new.sh ---
#!/bin/sh
# USAGE: block-new.sh IP
/sbin/iptables -I INPUT -s $1 -j BL_IN_UNI
/sbin/iptables -I FORWARD -s $1 -j BL_IN_UNI

--- unblock-new.sh ---
#!/bin/sh
# USAGE: unblock-new.sh IP
/sbin/iptables -D INPUT -s $1 -j BL_IN_UNI
/sbin/iptables -D FORWARD -s $1 -j BL_IN_UNI


b) To block/unblock all traffic from/to IPs use:

--- block-all.sh ---
#!/bin/sh
# USAGE: block-all.sh IP
/sbin/iptables -I INPUT -s $1 -j BL_IN_BI
/sbin/iptables -I FORWARD -s $1 -j BL_IN_BI
/sbin/iptables -I OUTPUT -d $1 -j BL_OUT_BI
/sbin/iptables -I FORWARD -d $1 -j BL_OUT_BI

--- unblock-new.sh ---
#!/bin/sh
# USAGE: unblock-all.sh IP
/sbin/iptables -D INPUT -s $1 -j BL_IN_BI
/sbin/iptables -D FORWARD -s $1 -j BL_IN_BI
/sbin/iptables -D OUTPUT -s $1 -j BL_OUT_BI
/sbin/iptables -D FORWARD -d $1 -j BL_OUT_BI


Costa


> What about just defining a simple (though possibly long) list of
> external IP's to block?  Is there an easy way to do that?
>
>>Hi Daniel,
>>
>>It is not possible (and at least not wise) for a firewall to have dynamic
>>actions based on external things, such as DNS, that will be queried in
>>real time for making a decision. Such dynamic actions should and are
>>implemented at an application level, like your mail server.
>>
>>Costa
>>
>>
>>
>>>I'm probably messing with something I shouldn't be here - but is there a
>>>way to have rejections based on a dynamic real-time blacklist (DNS
>>>lookup)?
>>>
>>>As an example - I may have a RBL I maintain for blocking e-mail
>>>spammers.  As I have no earthly reason to accept connections of any kind
>>>from these locations - I'm curious if I can block them at an IP level -
>>>before they ever reach my mail server.
>>>
>>>Daniel
>>>
>>>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> Project Admins to receive an Apple iPod Mini FREE for your judgement on
> who ports your project to Linux PPC the best. Sponsored by IBM.
> Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>

More information about the Firehol-support mailing list