
ipf rules 1

Status
Not open for further replies.

benp07

Technical User
Aug 31, 2001
I would like to block the people on my network from going to a web site;
for now we will say gameshownetwork.com.
I tried to use
block in quick on sis0 from 216.133.253.100 to any

and I also tried

block out quick from any to 216.133.253.100

and

block in quick on sis0 proto tcp from 216.133.253.100 to any

I am using the command to start the new rules
ipf -Fa -vf /etc/ipf.rules
or
ipf -Fa /etc/ipf.rules

I am running FreeBSD 4.7
with a class C network

Thanks for any help
Ben
 
Is the machine with the filter doing NAT or acting as the gateway for your network? If it's not, I don't think you're going to be able to do what you're looking to do.
 
Some sites have multiple IPs pointing to one URL, so you may have to do a little more work to completely block the site.

Note: You can also redirect to another IP. This can be a page on your website that states company policy for Internet usage.

GGortt
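A concrete way to do the two things suggested above (block every address the site resolves to, and send its web traffic to a policy page instead), as an added example that is not from the thread or from the ipf/ipnat documentation. It assumes the gateway layout from the thread (rl0 internal, sis0 external), a made-up second address for the site, and an assumed internal web server at 192.168.1.10 that serves the usage-policy page; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: generate the ipf/ipnat lines needed to block a
# site that resolves to several addresses and send its HTTP traffic to an internal
# policy page instead. Interface names follow the thread (rl0 internal, sis0 external);
# the policy server address and the second site address are assumed for the example.

# Emit "block" rules for every address of the site.  They are written for the
# internal interface on the way in (so the offending client is what gets logged)
# and for the external interface on the way out.  Both sets must be placed ahead
# of the quick catch-all rules ("pass in quick on rl0 all", "pass out quick ... all"),
# because a quick rule that matches stops rule processing.
site_block_rules() {
    int_if=$1; ext_if=$2; shift 2
    for ip in "$@"; do
        printf 'block in log quick on %s from any to %s\n' "$int_if" "$ip"
        printf 'block out quick on %s from any to %s\n' "$ext_if" "$ip"
    done
}

# Emit ipnat "rdr" rules that rewrite HTTP requests for the site, arriving on the
# internal interface, to the internal web server that shows the usage policy.
# On input ipfilter applies NAT before the filter rules, so the redirected packets
# reach the policy server; every other port for the site is still caught by the
# block rules above.
policy_redirect_rules() {
    int_if=$1; policy_ip=$2; shift 2
    for ip in "$@"; do
        printf 'rdr %s %s/32 port 80 -> %s port 80 tcp\n' "$int_if" "$ip" "$policy_ip"
    done
}

# The site's current A records.  The list is a constructed stand-in (first address
# from the thread, second made up) so the example runs offline; in real use fill it
# from a lookup such as:  host -t a gameshownetwork.com | awk '{print $NF}'
SITE_ADDRS="216.133.253.100 216.133.253.101"
POLICY_WEB="192.168.1.10"   # assumed internal policy-page server

block_count() { site_block_rules rl0 sis0 $SITE_ADDRS | wc -l | tr -d ' '; }
rdr_count()   { policy_redirect_rules rl0 "$POLICY_WEB" $SITE_ADDRS | wc -l | tr -d ' '; }

# Print the lines to paste into /etc/ipf.rules and /etc/ipnat.rules.
site_block_rules rl0 sis0 $SITE_ADDRS
policy_redirect_rules rl0 "$POLICY_WEB" $SITE_ADDRS
```

Load the filter lines with ipf -Fa -f /etc/ipf.rules and the rdr lines with ipnat -CF -f /etc/ipnat.rules. Because the site's address list can change, repeat the lookup from time to time and regenerate the rules rather than hard-coding one address.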
 
Can you post the entire ipf.rules? (A prior matching "pass out quick" would stop your "block in quick" from ever getting reached, for example.)

In my prior post, "block in quick" should have read "block out quick".
 
#########################################################
#                                                       #
#                   Firewalling rules                   #
#                                                       #
#########################################################

#################################
#          Interfaces           #
#                               #
#   sis0 -> External            #
#   rl0  -> Internal            #
#                               #
#################################

######################################################################
##### Pass traffic on loopback interface, especially for djbdns #####
######################################################################

pass in quick on lo0 all
pass out quick on lo0 all

#################################
##### Pass all traffic out #####
#################################

pass in quick on rl0 all
pass out quick proto tcp all keep state
pass out quick proto udp all keep state

######################################################
##### drop any IP packets with options set ##########
##### ipopts include lsrr and ssrr #####
######################################################

block in quick all with ipopts

###########################################
##### Block any incoming IP fragments #####
###########################################

block in quick all with frag

#####################################################################
##### Block nmap OS fingerprinting attempts from $cr1pt k1ddi3$ #####
#####################################################################

block in quick on sis0 proto tcp all flags FUP
block in log quick on sis0 proto tcp from any to any flags SF/SFRA
block in log quick on sis0 proto tcp from any to any flags /SFRA

#########################################################
##### F00l 4r0und w1th th3 $cr1pt k1ddi3$ s0m3 m0r3 #####
#########################################################

block in log quick on sis0 proto tcp all flags SF/SFRA
block in log quick on sis0 proto tcp all flags /SFRA
block in log quick on sis0 proto tcp all flags F/SFRA
block in log quick on sis0 proto tcp all flags U/SFRAU
block in log quick on sis0 proto tcp all flags P
block in log quick on sis0 proto tcp from any to any flags FUP
block in log quick on sis0 proto tcp from any to any port = 111

###############################
##### Unroutable networks #####
###############################

block in quick on sis0 from 255.255.255.255/32 to any
block in quick on sis0 from 172.16.0.0/12 to any
block in quick on sis0 from 127.0.0.0/8 to any
block in quick on sis0 from 10.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/32 to any

####################################
##### Block ICMP to the server #####
####################################

block in quick on sis0 proto icmp from any to any icmp-type 0 keep state
block in quick on sis0 proto icmp from any to any icmp-type 3 keep state
block in quick on sis0 proto icmp from any to any icmp-type 8 keep state
block in quick on sis0 proto icmp from any to any icmp-type 11 keep state
pass in quick on rl0 proto icmp from any to any icmp-type 0 keep state
pass in quick on rl0 proto icmp from any to any icmp-type 3 keep state
pass in quick on rl0 proto icmp from any to any icmp-type 8 keep state
pass in quick on rl0 proto icmp from any to any icmp-type 11 keep state
pass out quick on rl0 proto icmp from any to any icmp-type 0 keep state
pass out quick on rl0 proto icmp from any to any icmp-type 3 keep state
pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state
pass out quick on rl0 proto icmp from any to any icmp-type 11 keep state

#####################
#### Temp Blocks ####
#####################

block in quick on sis0 from 216.133.253.100 to any

block out quick on sis0 from any to 216.133.253.100

#########################################
##### Services that need to be open #####
#########################################

pass in quick on sis0 proto tcp from any to any port = 22 keep state
pass in quick on sis0 proto tcp from any to any port = 110 keep state
pass in quick on sis0 proto tcp from any to any port = 25 keep state
pass in quick on sis0 proto tcp from any to any port = 411 keep state
pass in quick on sis0 proto tcp from any to any port = 412 keep state
pass in quick on sis0 proto udp from any to any port = 412 keep state
pass in quick on sis0 proto tcp from any to any port = 80 keep state
pass in quick on sis0 proto tcp from any to any port = 143 keep state

############################################
##### Block any other incoming traffic #####
############################################
block in quick on sis0



These are the rules that I am using.

Thanks a lot for your help
Ben
 
Your rule:
pass out quick proto tcp all keep state

is what's keeping things from working. It's well before your rule to block traffic to the IP address you want to restrict. The "quick" keyword tells it to stop checking later rules if it matches -- which it always will.

You want to put "pass out quick" after any "block out quick" that you might want to happen.
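The ordering problem explained in this reply can be checked mechanically before a rule set is loaded. The script below is an added example, not code from the thread or from IPFilter: it scans an ipf.rules file for block rules that sit after a quick, catch-all pass in the same direction and so are never reached for the traffic that pass already accepted. The function names (shadowed_blocks, count_shadowed) and the two sample rule files are mine; the samples are constructed to mirror the posted ordering and its fix.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for an ipf.rules file that reports
# "block" rules placed after a "quick" catch-all "pass" in the same direction. Such a
# block can never be reached for the traffic the pass already accepted, which is what
# hid the "Temp Blocks" rules in the thread. Assumes the keywords used there
# (in/out, quick, on IFACE, proto PROTO, "all" or "from any to any", port).

# Print one line per (block rule, earlier quick catch-all pass) pair that shadows it.
shadowed_blocks() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines; NR stays the file line
    {
        action = $1; dir = $2
        quick = ($0 ~ /[ \t]quick([ \t]|$)/)
        iface = "*"; if (match($0, / on [^ \t]+/))    iface = substr($0, RSTART + 4, RLENGTH - 4)
        proto = "*"; if (match($0, / proto [^ \t]+/)) proto = substr($0, RSTART + 7, RLENGTH - 7)
        # catch-all: matches any address and any port
        catchall = ($0 ~ /[ \t]all([ \t]|$)/ || $0 ~ / from any to any([ \t]|$)/) && $0 !~ / port /

        if (action == "pass" && quick && catchall) {
            n++; pline[n] = NR; pdir[n] = dir; piface[n] = iface; pproto[n] = proto; ptext[n] = $0
            next
        }
        if (action != "block") next
        for (i = 1; i <= n; i++) {
            if (pdir[i] != dir) continue
            full = 1; why = ""
            # A pass bound to one interface shadows a block on that interface fully, and an
            # interface-less block only partly; the same reasoning applies to "proto".
            if (piface[i] != "*") {
                if (iface == "*") { full = 0; why = why " on " piface[i] }
                else if (piface[i] != iface) continue
            }
            if (pproto[i] != "*") {
                if (proto == "*") { full = 0; why = why " for proto " pproto[i] }
                else if (pproto[i] != proto) continue
            }
            printf "line %d: %s shadowed%s by line %d: %s\n", NR, (full ? "fully" : "partly"), why, pline[i], ptext[i]
        }
    }' "$1"
}

count_shadowed() { shadowed_blocks "$1" | wc -l | tr -d ' '; }

# Constructed sample in the same order as the rules posted in the thread.
before=$(mktemp)
cat > "$before" <<'EOF'
# sample: order as posted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on rl0 all
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
block in quick all with ipopts
block in quick on sis0 from 216.133.253.100 to any
block out quick on sis0 from any to 216.133.253.100
pass in quick on sis0 proto tcp from any to any port = 22 keep state
block in quick on sis0
EOF

# Same rules with every block moved ahead of the quick pass that shadowed it.
after=$(mktemp)
cat > "$after" <<'EOF'
# sample: blocks first
block in quick all with ipopts
block out quick on sis0 from any to 216.133.253.100
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on rl0 all
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
block in quick on sis0 from 216.133.253.100 to any
pass in quick on sis0 proto tcp from any to any port = 22 keep state
block in quick on sis0
EOF

shadowed_blocks "$before"
```

A "partly" finding means the pass covers only part of what the block names (one interface, or one protocol). That is the situation in the thread: the block out rule is unreachable for TCP and for UDP, the two protocols the quick pass out rules accept, which is all the web traffic the poster wanted to stop. The sample also shows that "block in quick all with ipopts" is never consulted for packets arriving on lo0 or rl0, since "pass in quick on rl0 all" and the lo0 pass come first.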
 
Thanks a million.
I would give you about 20 stars for your help if I could.
I have been pulling my hair out because of that.
Any other suggestions you could make on my list of rules, or maybe a sample rule file that you know of on the web?

Thanks a lot!!
Ben
 