#!/bin/sh #echo "run $@" 1>&2 #set -x # $1 command # $2 rulename # $3 protocol # $4 address # $5 mask # $6 port # $7 id pf= if [ -f "/etc/ipfw-blocklist.rc" ]; then pf="ipfw" . /etc/ipfw-blocklist.rc ipfw_offset=${ipfw_offset:-2000} fi if [ -z "$pf" ]; then for f in npf pf ipfilter ipfw; do if [ -x /etc/rc.d/$f ]; then if /etc/rc.d/$f status >/dev/null 2>&1; then pf="$f" break fi elif [ -f "/etc/$f.conf" ]; then # xxx assume a config file means it can be enabled -- # and the first one wins! pf="$f" break fi done fi if [ -z "$pf" -a -x "/sbin/iptables" ]; then pf="iptables" fi if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 exit 1 fi flags= if [ -n "$3" ]; then raw_proto="$3" proto="proto $3" if [ $3 = "tcp" ]; then flags="flags S/SAFR" fi fi if [ -n "$6" ]; then raw_port="$6" port="port $6" fi addr="$4" mask="$5" case "$4" in ::ffff:*.*.*.*) if [ "$5" = 128 ]; then mask=32 addr=${4#::ffff:} fi;; esac case "$1" in add) case "$pf" in ipfilter) # N.B.: If you reload /etc/ipf.conf then you need to stop and # restart blocklistd (and make sure blocklistd_flags="-r"). # This should normally already be implemented in # /etc/rc.d/ipfilter, but if then not add the following lines to # the end of the ipfilter_reload() function: # # if checkyesnox blocklistd; then # /etc/rc.d/blocklistd restart # fi # # XXX we assume the following rule is present in /etc/ipf.conf: # (should we check? -- it probably cannot be added dynamically) # # block in proto tcp/udp from any to any head blocklistd # # where "blocklistd" is the default rulename (i.e. "$2") # # This rule can come before any rule that logs connections, # etc., and should be followed by final rules such as: # # # log all as-yet unblocked incoming TCP connection # # attempts # log in proto tcp from any to any flags S/SAFR # # last "pass" match wins for all non-blocked packets # pass in all # pass out all # # I.e. a "pass" rule which will be the final match and override # the "block". This way the rules added by blocklistd will # actually block packets, and prevent logging of them as # connections, because they include the "quick" flag. # # N.b.: $port is not included/used in rules -- abusers are cut # off completely from all services! # # Note RST packets are not returned for blocked SYN packets of # active attacks, so the port will not appear to be closed. # This will probably give away the fact that a firewall has been # triggered to block connections, but it prevents generating # extra outbound traffic, and it may also slow down the attacker # somewhat. # # Note also that we don't block all packets, just new attempts # to open connections (see $flags above). This allows us to do # counterespionage against the attacker (or continue to make use # of any other services that might be on the same subnet as the # supposed attacker). However it does not kill any active # connections -- we rely on the reporting daemon to do its own # protection and cleanup. # # N.B.: The rule generated here must exactly match the # corresponding rule generated for the "rem" command below! # echo block in log quick $proto \ from $addr/$mask to any $flags group $2 | \ /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK ;; ipfw) # use $ipfw_offset+$port for rule number rule=$(($ipfw_offset + $6)) tname="port$6" /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" # if rule number $rule does not already exist, create it /sbin/ipfw show $rule >/dev/null 2>&1 || \ /sbin/ipfw add $rule drop $3 from \ table"("$tname")" to any dst-port $6 >/dev/null && \ echo OK ;; iptables) if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then /sbin/iptables --new-chain "$2" fi /sbin/iptables --append INPUT --proto "$raw_proto" \ --dport "$raw_port" --jump "$2" /sbin/iptables --append "$2" --proto "$raw_proto" \ --source "$addr/$mask" --dport "$raw_port" --jump DROP echo OK ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ "$addr/$mask" to any $port ;; pf) # if the filtering rule does not exist, create it /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ grep -q "" || \ echo "block in quick $proto from to any $port" | \ /sbin/pfctl -a "$2/$6" -f - # insert $ip/$mask into per-protocol/port anchored table /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ /sbin/pfctl -qk "$addr" && echo OK ;; esac ;; rem) case "$pf" in ipfilter) # N.B.: The rule generated here must exactly match the # corresponding rule generated for the "add" command above! # echo block in log quick $proto \ from $addr/$mask to any $flags group $2 | \ /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK ;; ipfw) /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ echo OK ;; iptables) if /sbin/iptables --list "$2" >/dev/null 2>&1; then /sbin/iptables --delete "$2" --proto "$raw_proto" \ --source "$addr/$mask" --dport "$raw_port" \ --jump DROP fi echo OK ;; npf) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ echo OK ;; esac ;; flush) case "$pf" in ipfilter) # # N.B. WARNING: This is obviously not reentrant! # # First we flush all the rules from the inactive set, then we # reload the ones that do not belong to the group "$2", and # finally we swap the active and inactive rule sets. # /sbin/ipf -I -F a # # "ipf -I -F a" also flushes active accounting rules! # # Note that accounting rule groups are unique to accounting # rules and have nothing to do with filter rules, though of # course theoretically one could use the same group name for # them too. # # In theory anyone using any such accounting rules should have a # wrapper /etc/rc.conf.d/blocklistd script (and corresponding # /etc/rc.conf.d/ipfilter script) that will record and # consolidate the values accumulated by such accounting rules # before they are flushed, since otherwise their counts will be # lost forever. # /usr/sbin/ipfstat -io | fgrep -v "group $2" | \ /sbin/ipf -I -f - >/dev/null 2>&1 # # This MUST be done last and separately as "-s" is executed # _while_ the command arguments are being processed! # /sbin/ipf -s && echo OK ;; ipfw) /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK ;; iptables) if /sbin/iptables --list "$2" >/dev/null 2>&1; then /sbin/iptables --flush "$2" fi echo OK ;; npf) /sbin/npfctl rule "$2" flush ;; pf) # dynamically determine which anchors exist for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush /sbin/pfctl -a "$anchor" -F rules done echo OK ;; esac ;; *) echo "$0: Unknown command '$1'" 1>&2 exit 1 ;; esac