Block IP addresses with ipfw

1. Correct rules need to be reestablished every reboot. It will not directly affect other rules, but can indirectly (for instance, if another rule allowed the IP for whatever reason, this might block the IP...)

2. You're looking for the ever popular fail2ban, which reads logs files and bans IPs of people doing "bad" things.

Also, you don't really want too keep adding rules for each individual ban, this would quickly pollute the rules. You can add a rule to block a table however, then add the IPs to the table. A table is just a list of IPs so you can easily apply rules to the whole table rather than specifying them all individually.

For example, I have a 'default' firewall script that I use, the first two rules in this script are:

00030 deny ip from "table(1)" to me
00031 deny ip from "table(2)" to me

The keyword "me" means any of my local IP address. Table 1 is for Fail2Ban, when it finds an IP it doesn't like, it adds the IP to that table for a while. Table 2 is for Spamhaus's DROP list, a list of known professional spam systems (see their website for details).

You can add IPs to a table manually with this command:

ipfw table 2 add

On my servers Table 2 is populated automatically at start-up by a script /usr/local/etc/rc.d/spamhaus-drop as follows:

#!/bin/csh
fetch -i /tmp/drop.lasso -o /tmp/drop.lasso "http://www.spamhaus.org/drop/drop.lasso"
sed -i '' "s/;.*//" /tmp/drop.lasso
ipfw table 2 flush
foreach IP ( `cat /tmp/drop.lasso` )
        ipfw table 2 add $IP
end

I highly encourage you to write your own script to configure your firewall. It's pretty easy in FreeBSD with ipfw, and I wouldn't bother with a GUI (I know that sounds hard when it's all new, but the basics are easier than you think).

My configuration script is in /etc/ipfw.rules and goes like this:

#!/bin/sh

#FOR KEAIRA  - The computer this script was customized for.

ipfw -q -f flush       # Delete all rules
cmd="ipfw add"

# Ban tables
$cmd 00030 deny ip from "table(1)" to me
$cmd 00031 deny ip from "table(2)" to me

# Statefull firewall config, more secure
$cmd 00060 check-state

# Allow outbound traffic
$cmd 00130 allow ip from me to any keep-state

# SSH - I have SSH on port 2222 to keep the script kiddies out.
$cmd 11020 allow tcp from any to me dst-port 2222 setup keep-state

# DNS
$cmd 11090 allow tcp from any to me domain setup keep-state
$cmd 11092 allow udp from any to me domain

# NTP
$cmd 11100 allow tcp from any to me ntp setup keep-state
$cmd 11101 allow udp from any to me ntp

# General Network - ICMP & IGMP
$cmd 61001 allow icmp from any to any
$cmd 61002 allow igmp from any to any

# Deny the rest
$cmd 65500 deny ip from any to any

This server is running SSH (on an alternate port), DNS, and NTP (time). The rest is just generic stuff I put in all of my firewall scripts. If you have other services you need to open, just let me know and I'll customize the example. Most service names you can get from /etc/services though, which makes writing these very easy. It's not strictly necessary for each rule to have a different number, but it makes managing them easier. Rules are processed in order by number, but otherwise there's no significance to the numbers.

This script is "activated" by putting these lines in /etc/rc.conf

firewall_enable="YES"                   # Firewall On
firewall_script="/etc/ipfw.rules"       # Firewall Script

Setting up Fail2Ban is a bit more work, but it's pretty straight forward too. If you want more details on that, just ask.