
On-demand IPFW Firewall script for FreeBSD

The following script is an example of how you can load the FreeBSD IPFW firewall without recompiling your kernel. I like to use this script to block China, Russia, Iran, etc. In this example, we run the script to block China. You could call this script from a monitoring script like DAV-BLACK.pl or SSH Monitor to block an entire country over one bad apple :-) Bear in mind that blocking by address range is a blunt instrument: the ranges in the script are a static snapshot that must be regenerated from current registry data before you rely on them, and the script appends rules each time it runs rather than replacing the existing rule set.

 

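#!/usr/local/bin/bash
#
# Simple on-demand IPFW script by Chris Updegrove
#
# Run this script on demand, as root.  It loads the ipfw kernel module
# itself, so it works on boxes whose kernel was NOT compiled with IPFW.
#
# Rule layout -- ipfw enforces the FIRST matching rule, so order matters:
#   00100-00300  loopback sanity rules
#   00400-00600  own subnet, and anything outbound from this host
#   ${rule}      the country block list (deny + log); this number must be
#                LOWER than the numbers of the allow rules that follow
#   50000-52004  outbound TCP setup, established TCP, PPTP, GRE, SSH
#   65534        final "deny everything and log it" rule
#
# NOTE(review): the script APPENDS rules on every run; it never flushes the
# existing rule set, so running it twice installs every rule twice.
#
# Fail-safe behaviour: the first thing installed is a catch-all allow at
# 65534.  If any later rule is rejected by ipfw the script prints the rule
# and exits, leaving that allow in place -- i.e. it fails OPEN so you are not
# locked out of a remote box.  Read the error, fix the rule, and rerun.

# An unset variable (a typo such as ${any}) aborts the script instead of
# silently expanding to nothing and handing ipfw a broken rule.
set -u

#
# Variables to make modification easy
#
fwcmd=/sbin/ipfw
action=deny
proto=all
rule=00900        # number for the country-block rules; keep it below 50000

# set these to your network, netmask and this host's ip
net="10.1.10.0"
mask="255.255.255.0"
ip="10.1.10.253"

# Install one rule, aborting the whole script if ipfw rejects it.
# Arguments: the ipfw rule body, exactly as it would follow "ipfw add".
# Without this check a rejected rule (a typo, an unresolvable host) is
# skipped silently and the rule set is left with a hole in it.
add_rule() {
  if ! "${fwcmd}" add "$@"; then
    printf 'ipfw: failed to add rule: %s\n' "$*" >&2
    exit 1
  fi
}

#
# Load the firewall module if it is not loaded yet.  The module comes up
# with its default rule 65535, which is "deny" unless the
# net.inet.ip.fw.default_to_accept tunable was set, so immediately add a
# catch-all allow at 65534 to avoid a lock-out while the real rules are
# installed.  This is still secure: every rule below has a lower number and
# is therefore matched before 65534.
#
if ! kldstat -q -m ipfw; then
  if ! /sbin/kldload ipfw; then
    printf 'kldload ipfw failed\n' >&2
    exit 1
  fi
fi
add_rule 65534 allow all from any to any

#
# Basic rules go here
#
add_rule 00100 allow ip from any to any via lo0
add_rule 00200 deny ip from any to 127.0.0.0/8
add_rule 00300 deny ip from 127.0.0.0/8 to any

# Allow traffic to and from the same subnet.
# A bare ${net} is read by ipfw as the single host 10.1.10.0, not the
# subnet; "addr:mask" is the whole network, and is what ${mask} is for.
add_rule 00400 allow all from "${ip}" to "${net}:${mask}"
add_rule 00500 allow all from "${net}:${mask}" to "${net}:${mask}"

# Allow this box to go out to the Interwebs
add_rule 00600 allow all from "${ip}" to any

#
# Add the country block lists (china, russia, etc) here.  They sit at
# ${rule}, BEFORE the "established" rule below, so even replies to
# connections this host opened towards a blocked range are dropped.
#
# "log" only produces syslog entries when net.inet.ip.fw.verbose=1; set
# net.inet.ip.fw.verbose_limit as well, or a scan from a blocked range will
# flood the log.
#
# NOTE(review): this list is a static snapshot.  Registry allocations
# change, so regenerate it from current data before relying on it.
#

# BLOCK CHINA
china_nets=(
  58.14.0.0/15
  58.16.0.0/13
  58.24.0.0/15
  58.30.0.0/15
  58.32.0.0/11
  58.66.0.0/15
  58.82.0.0/15
  58.87.64.0/18
  58.100.0.0/15
  58.116.0.0/14
  58.128.0.0/13
  58.144.0.0/16
  58.192.0.0/14
  58.196.0.0/15
  58.200.0.0/13
  58.208.0.0/12
  58.240.0.0/12
  59.32.0.0/11
  59.64.0.0/12
  59.80.0.0/14
  59.107.0.0/16
  59.108.0.0/15
  59.151.0.0/17
  59.191.0.0/17
  59.192.0.0/10
  60.0.0.0/13
  60.8.0.0/14
  60.12.0.0/16
  60.13.0.0/18
  60.13.128.0/17
  60.14.0.0/15
  60.16.0.0/12
  60.55.0.0/16
  60.63.0.0/16
  60.160.0.0/11
  60.194.0.0/15
  60.200.0.0/14
  60.204.0.0/16
  60.208.0.0/12
  60.232.0.0/15
  60.255.0.0/16
  61.28.0.0/17
  61.29.128.0/17
  61.45.128.0/18
  61.47.128.0/18
  61.48.0.0/13
  61.128.0.0/10
  61.232.0.0/14
  61.236.0.0/15
  61.240.0.0/14
  121.4.0.0/15
  121.8.0.0/13
  121.16.0.0/13
  121.24.0.0/14
  121.28.0.0/15
  121.32.0.0/14
  121.36.0.0/16
  124.6.64.0/18
  124.16.0.0/15
  124.20.0.0/15
  124.29.0.0/17
  124.40.128.0/18
  124.42.0.0/17
  124.47.0.0/18
  124.64.0.0/15
  124.72.0.0/13
  124.88.0.0/13
  124.108.8.0/21
  124.112.0.0/13
  124.128.0.0/13
  124.147.128.0/17
  124.156.0.0/16
  124.160.0.0/15
  124.162.0.0/16
  124.172.0.0/15
  124.192.0.0/15
  124.196.0.0/16
  124.200.0.0/13
  124.220.0.0/14
  124.224.0.0/16
  124.226.0.0/15
  124.228.0.0/14
  124.232.0.0/15
  124.240.0.0/17
  124.242.0.0/16
  124.243.192.0/18
  124.248.0.0/17
  124.249.0.0/16
  124.250.0.0/15
  124.254.0.0/18
  125.31.192.0/18
  125.32.0.0/12
  125.58.128.0/17
  125.62.0.0/18
  125.64.0.0/11
  125.96.0.0/15
  125.98.0.0/16
  125.104.0.0/13
  125.112.0.0/12
  125.171.0.0/16
  125.208.0.0/18
  125.210.0.0/16
  125.213.0.0/17
  125.215.0.0/18
  125.216.0.0/13
  125.254.128.0/18
  134.196.0.0/16
  159.226.0.0/16
  161.207.0.0/16
  162.105.0.0/16
  166.111.0.0/16
  167.139.0.0/16
  168.160.0.0/16
  192.83.122.0/24
  192.83.169.0/24
  192.124.154.0/24
  192.188.170.0/24
  198.17.7.0/24
)

echo blocking CHINA
for cidr in "${china_nets[@]}"; do
  add_rule "${rule}" "${action}" log "${proto}" from "${cidr}" to "${ip}"
done

#
# Rules allowing traffic in (SSH, GRE, PPTP, etc) go here.
# Use rule numbers ABOVE ${rule} so the country blocks are checked first.
#

# Allow this box to set up TCP sessions out.  "setup" only ever matches TCP
# (SYN without ACK), so naming tcp here rather than all changes nothing.
add_rule 50000 allow tcp from "${ip}" to any setup

# Allow established connections back.  "established" matches TCP packets
# with RST or ACK set; it was previously misspelled, so the rule never
# loaded.
add_rule 50001 allow tcp from any to "${ip}" established

# Allow PPTP control connection
add_rule 50002 allow tcp from any to "${ip}" dst-port 1723

# GRE carries the PPTP tunnel; gre is IP protocol 47, so a separate
# "allow 47" rule would be redundant.
add_rule 51003 allow gre from any to "${ip}"

# SSH
add_rule 52004 allow tcp from any to "${ip}" dst-port 22

#
# Deny everything else and log it.
# The bootstrap "allow all" at 65534 must be removed first: ipfw inserts a
# new rule carrying an existing number AFTER the rules already at that
# number, so without the delete the allow would keep matching first and this
# deny would never be reached.  Between the delete and the add only the
# module's default rule 65535 is in effect, so that gap fails closed, not
# open.
#
"${fwcmd}" -q delete 65534
add_rule 65534 "${action}" log "${proto}" from any to any
# END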

 

 
