1#!/bin/sh 2#echo "run $@" 1>&2 3#set -x 4# $1 command 5# $2 rulename 6# $3 protocol 7# $4 address 8# $5 mask 9# $6 port 10# $7 id 11 12pf= 13if [ -f "/etc/ipfw-blocklist.rc" ]; then 14 pf="ipfw" 15 . /etc/ipfw-blocklist.rc 16 ipfw_offset=${ipfw_offset:-2000} 17fi 18 19if [ -z "$pf" ]; then 20 for f in npf pf ipfilter ipfw; do 21 if [ -x /etc/rc.d/$f ]; then 22 if /etc/rc.d/$f status >/dev/null 2>&1; then 23 pf="$f" 24 break 25 fi 26 elif [ -f "/etc/$f.conf" ]; then 27 # xxx assume a config file means it can be enabled -- 28 # and the first one wins! 29 pf="$f" 30 break 31 fi 32 done 33fi 34 35if [ -z "$pf" -a -x "/sbin/iptables" ]; then 36 pf="iptables" 37fi 38 39if [ -z "$pf" ]; then 40 echo "$0: Unsupported packet filter" 1>&2 41 exit 1 42fi 43 44flags= 45if [ -n "$3" ]; then 46 raw_proto="$3" 47 proto="proto $3" 48 if [ $3 = "tcp" ]; then 49 flags="flags S/SAFR" 50 fi 51fi 52 53if [ -n "$6" ]; then 54 raw_port="$6" 55 port="port $6" 56fi 57 58addr="$4" 59mask="$5" 60case "$4" in 61::ffff:*.*.*.*) 62 if [ "$5" = 128 ]; then 63 mask=32 64 addr=${4#::ffff:} 65 fi;; 66esac 67 68case "$1" in 69add) 70 case "$pf" in 71 ipfilter) 72 # N.B.: If you reload /etc/ipf.conf then you need to stop and 73 # restart blocklistd (and make sure blocklistd_flags="-r"). 74 # This should normally already be implemented in 75 # /etc/rc.d/ipfilter, but if then not add the following lines to 76 # the end of the ipfilter_reload() function: 77 # 78 # if checkyesnox blocklistd; then 79 # /etc/rc.d/blocklistd restart 80 # fi 81 # 82 # XXX we assume the following rule is present in /etc/ipf.conf: 83 # (should we check? -- it probably cannot be added dynamically) 84 # 85 # block in proto tcp/udp from any to any head blocklistd 86 # 87 # where "blocklistd" is the default rulename (i.e. "$2") 88 # 89 # This rule can come before any rule that logs connections, 90 # etc., and should be followed by final rules such as: 91 # 92 # # log all as-yet unblocked incoming TCP connection 93 # # attempts 94 # log in proto tcp from any to any flags S/SAFR 95 # # last "pass" match wins for all non-blocked packets 96 # pass in all 97 # pass out all 98 # 99 # I.e. a "pass" rule which will be the final match and override 100 # the "block". This way the rules added by blocklistd will 101 # actually block packets, and prevent logging of them as 102 # connections, because they include the "quick" flag. 103 # 104 # N.b.: $port is not included/used in rules -- abusers are cut 105 # off completely from all services! 106 # 107 # Note RST packets are not returned for blocked SYN packets of 108 # active attacks, so the port will not appear to be closed. 109 # This will probably give away the fact that a firewall has been 110 # triggered to block connections, but it prevents generating 111 # extra outbound traffic, and it may also slow down the attacker 112 # somewhat. 113 # 114 # Note also that we don't block all packets, just new attempts 115 # to open connections (see $flags above). This allows us to do 116 # counterespionage against the attacker (or continue to make use 117 # of any other services that might be on the same subnet as the 118 # supposed attacker). However it does not kill any active 119 # connections -- we rely on the reporting daemon to do its own 120 # protection and cleanup. 121 # 122 # N.B.: The rule generated here must exactly match the 123 # corresponding rule generated for the "rem" command below! 124 # 125 echo block in log quick $proto \ 126 from $addr/$mask to any $flags group $2 | \ 127 /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK 128 ;; 129 130 ipfw) 131 # use $ipfw_offset+$port for rule number 132 rule=$(($ipfw_offset + $6)) 133 tname="port$6" 134 /sbin/ipfw table $tname create type addr 2>/dev/null 135 /sbin/ipfw -q table $tname add "$addr/$mask" 136 # if rule number $rule does not already exist, create it 137 /sbin/ipfw show $rule >/dev/null 2>&1 || \ 138 /sbin/ipfw add $rule drop $3 from \ 139 table"("$tname")" to any dst-port $6 >/dev/null && \ 140 echo OK 141 ;; 142 143 iptables) 144 if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then 145 /sbin/iptables --new-chain "$2" 146 fi 147 /sbin/iptables --append INPUT --proto "$raw_proto" \ 148 --dport "$raw_port" --jump "$2" 149 /sbin/iptables --append "$2" --proto "$raw_proto" \ 150 --source "$addr/$mask" --dport "$raw_port" --jump DROP 151 echo OK 152 ;; 153 154 npf) 155 /sbin/npfctl rule "$2" add block in final $proto from \ 156 "$addr/$mask" to any $port 157 ;; 158 159 pf) 160 # if the filtering rule does not exist, create it 161 /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ 162 grep -q "<port$6>" || \ 163 echo "block in quick $proto from <port$6> to any $port" | \ 164 /sbin/pfctl -a "$2/$6" -f - 165 # insert $ip/$mask into per-protocol/port anchored table 166 /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ 167 /sbin/pfctl -qk "$addr" && echo OK 168 ;; 169 170 esac 171 ;; 172rem) 173 case "$pf" in 174 ipfilter) 175 # N.B.: The rule generated here must exactly match the 176 # corresponding rule generated for the "add" command above! 177 # 178 echo block in log quick $proto \ 179 from $addr/$mask to any $flags group $2 | \ 180 /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK 181 ;; 182 183 ipfw) 184 /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ 185 echo OK 186 ;; 187 188 iptables) 189 if /sbin/iptables --list "$2" >/dev/null 2>&1; then 190 /sbin/iptables --delete "$2" --proto "$raw_proto" \ 191 --source "$addr/$mask" --dport "$raw_port" \ 192 --jump DROP 193 fi 194 echo OK 195 ;; 196 197 npf) 198 /sbin/npfctl rule "$2" rem-id "$7" 199 ;; 200 201 pf) 202 /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ 203 echo OK 204 ;; 205 206 esac 207 ;; 208flush) 209 case "$pf" in 210 ipfilter) 211 # 212 # N.B. WARNING: This is obviously not reentrant! 213 # 214 # First we flush all the rules from the inactive set, then we 215 # reload the ones that do not belong to the group "$2", and 216 # finally we swap the active and inactive rule sets. 217 # 218 /sbin/ipf -I -F a 219 # 220 # "ipf -I -F a" also flushes active accounting rules! 221 # 222 # Note that accounting rule groups are unique to accounting 223 # rules and have nothing to do with filter rules, though of 224 # course theoretically one could use the same group name for 225 # them too. 226 # 227 # In theory anyone using any such accounting rules should have a 228 # wrapper /etc/rc.conf.d/blocklistd script (and corresponding 229 # /etc/rc.conf.d/ipfilter script) that will record and 230 # consolidate the values accumulated by such accounting rules 231 # before they are flushed, since otherwise their counts will be 232 # lost forever. 233 # 234 /usr/sbin/ipfstat -io | fgrep -v "group $2" | \ 235 /sbin/ipf -I -f - >/dev/null 2>&1 236 # 237 # This MUST be done last and separately as "-s" is executed 238 # _while_ the command arguments are being processed! 239 # 240 /sbin/ipf -s && echo OK 241 ;; 242 243 ipfw) 244 /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK 245 ;; 246 247 iptables) 248 if /sbin/iptables --list "$2" >/dev/null 2>&1; then 249 /sbin/iptables --flush "$2" 250 fi 251 echo OK 252 ;; 253 254 npf) 255 /sbin/npfctl rule "$2" flush 256 ;; 257 258 pf) 259 # dynamically determine which anchors exist 260 for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do 261 /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 262 /sbin/pfctl -a "$anchor" -F rules 263 done 264 echo OK 265 ;; 266 esac 267 ;; 268*) 269 echo "$0: Unknown command '$1'" 1>&2 270 exit 1 271 ;; 272esac 273