Blocking a domain with SuseFirewall2
Hi,

I've set up the SuseFirewall2 on my web server, allowing access just via http and ssh, that was very easy with the GUI. Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2? I was expecting something like:

    FW_REJECT_IP="*.123.123.123"

but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/.

I guess there is a simple way to do it. Thanks in advance.

Raphael
--
Raphael Leplae, Ph.D.
Research Scientist, SCMBB - ULB
Blvd du Triomphe - CP 263, 1050 Brussels, Belgium
Tel: +32 2 6505499  Fax: +32 2 6505425
SCMBB Home Page: http://www.scmbb.ulb.ac.be
ACLAME - The Prokaryotic Mobilome: http://aclame.ulb.ac.be
/ 2004-08-27 16:28:33 +0200 \ Raphael Leplae:
Hi,
I've set up the SuseFirewall2 on my web server, allowing access just via http and ssh, that was very easy with the GUI. Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2? I was expecting something like: FW_REJECT_IP="*.123.123.123" but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it. Thanks in advance.
either you mean 123.123.123.* ... then it is simply

    FW_REJECT_IP=123.123.123.0/24

or you mean indeed "*.123.123.123" (which I think does not make any sense, but ...) then it is

    for _i in `seq 0 255` ; do
        FW_REJECT_IP="$FW_REJECT_IP $_i.123.123.123/32"
    done

:-)
On Friday 27 August 2004 16:43, Lars Ellenberg wrote:
/ 2004-08-27 16:28:33 +0200 \ Raphael Leplae:
Hi,
I've set up the SuseFirewall2 on my web server, allowing access just via http and ssh, that was very easy with the GUI. Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2? I was expecting something like: FW_REJECT_IP="*.123.123.123" but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it. Thanks in advance.
either you mean 123.123.123.* ... then it is simply FW_REJECT_IP=123.123.123.0/24
Ooops, yes I meant 123.123.123.* I tested the FW_REJECT_IP key but it doesn't seem to have any effect...

My problem is that I want to block the following: 212.27.41.* These IPs are matching a "web robot" for a web search engine that doesn't recognise the robots.txt rules on my web server since they process my cgi scripts despite my 'Disallow:/cgi-bin/' rule and cripple my server. Other "robots" behave ok. So the best is to stop them using the firewall. So I added in /etc/sysconfig/SuSEfirewall2 the line:

    FW_REJECT_IP=212.27.41.0/24

I restarted the suse firewall:

    /etc/init.d/SuSEfirewall2_final restart

But the access is not blocked, the web server keeps being hammered by these 212.27.41.* :-(

If the FW_REJECT_IP keyword is not recognised by SuseFirewall2, would an iptables line be recognised? It seems more complicated than I thought...

Thanks for the quick answer.

Raphael
/ 2004-08-27 18:20:17 +0200 \ Raphael Leplae:
Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2? I was expecting something like: FW_REJECT_IP="*.123.123.123" but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it. Thanks in advance.
either you mean 123.123.123.* ... then it is simply FW_REJECT_IP=123.123.123.0/24
Ooops, yes I meant 123.123.123.* I tested the FW_REJECT_IP key but it doesn't seem to have any effect...
My problem is that I want to block the following: 212.27.41.* These IPs are matching a "web robot" for a web search engine that doesn't recognise the robots.txt rules on my web server since they process my cgi scripts despite my 'Disallow:/cgi-bin/' rule and cripple my server. Other "robots" behave ok. So the best is to stop them using the firewall. So I added in /etc/sysconfig/SuSEfirewall2 the line: FW_REJECT_IP=212.27.41.0/24
I restarted the suse firewall: /etc/init.d/SuSEfirewall2_final restart
But the access is not blocked, the web server keeps being hammered by these 212.27.41.* :-(
If the FW_REJECT_IP keyword is not recognised by SuseFirewall2, would an iptables line be recognised? It seems more complicated than I thought...
well, it "officially" can only do what is documented in /etc/sysconfig/SuSEfirewall2

I did not look there for a longer time, so I thought that would have been added meanwhile. but you obviously only made up a new variable the script does not know about...

/sbin/SuSEfirewall2 is "just" a shell script. it does only know about some variables. if you define others, then they are just variables, but are not interpreted in any way. unless you add that functionality there...

(put something like this right after the section for "Trusted Network handling", before the section titled "IP Stuff"

    for NET in $FW_REJECT_IP ; do
        # networks can be on any interface ...
        for CHAIN in input_ext input_dmz input_int; do
            $IPTABLES -A $CHAIN -j "$REJECT" -s $NET   # hm. or rather $DROP ??
        done
    done

)

if you don't like or are too confused by the SuSEfirewall2 system, there are plenty of other iptables "firewall" scripts out there, some include guis, some invent a new "meta language"... some may be "better" or "worse" in this way or another.

if you want to go with sfw2, and you want your definitions to be persistent, there are various "custom" hooks (see 25., e.g. in FW_CUSTOM=/etc/sysconfig/scripts/SuSEfirewall2-custom)

and of course, you can always add/delete rules at runtime by using iptables by hand.

lge
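As an added example (not code from the thread, nor SuSEfirewall2's own), here is the per-chain REJECT loop sketched above written as a stand-alone POSIX sh script with the check a custom hook should do first: every FW_REJECT_IP entry is validated as a dotted quad with optional /prefix before a rule is built, so a typo like "*.123.123.123" is reported rather than handed to iptables. FW_REJECT_IP is the variable name invented in the thread (filled with constructed sample values), the input_* chains are the ones named in Lars's snippet, and plain REJECT is used in place of SuSEfirewall2's internal $REJECT variable.

```shell
#!/bin/sh
# Added example: validate FW_REJECT_IP entries, then emit one REJECT rule per
# input chain. Dry-runs with "echo iptables" unless IPTABLES is set to the
# real binary. FW_REJECT_IP is the thread's assumed variable name; in a real
# FW_CUSTOM hook it would come from /etc/sysconfig/SuSEfirewall2.
set -f   # no globbing: a stray "*" in the list must not expand to file names

FW_REJECT_IP="212.27.41.0/24 10.0.0.0/8 *.123.123.123"   # constructed sample

# Dry-run by default; run as root with IPTABLES=/usr/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Returns 0 when $1 is a.b.c.d or a.b.c.d/len with every octet in 0..255 and
# len in 0..32; returns 1 otherwise.
valid_net() {
    ip=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32          # no "/": treat as a single host
    case "$len" in ''|*[!0-9]*) return 1;; esac
    [ "$len" -le 32 ] || return 1
    IFS=.; set -- $ip; unset IFS        # split the octets into $1..$4
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emits (or applies) one REJECT rule per SuSEfirewall2 input chain for every
# valid network in FW_REJECT_IP; invalid entries are reported on stderr and
# skipped, so one typo does not abort the whole firewall start-up.
reject_rules() {
    for NET in $FW_REJECT_IP; do
        if ! valid_net "$NET"; then
            echo "FW_REJECT_IP: skipping invalid entry '$NET'" >&2
            continue
        fi
        for CHAIN in input_ext input_dmz input_int; do
            $IPTABLES -A "$CHAIN" -s "$NET" -j REJECT
        done
    done
}

reject_rules
```

Run without arguments it prints the six rules for the two valid networks and a warning for the bogus third entry; with IPTABLES pointing at the real binary the same loop installs them.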
FW_REJECT_IP=123.123.123.0/24
Interesting. Please tell us what suse version and SuSEfirewall2 version that is. The latest available for 9.1 pro is SuSEfirewall2-3.1-310.3.noarch.rpm from the updates, and none of the files it contains have a FW_REJECT_IP string anywhere. Using the custom script option is the quickest way.

Blocking obnoxious IPs has been on my wish list since day 1, but I'm not quite sure what I should make of SuSEfirewall2 as for the past years it seems minimally maintained, but not developed.

Volker
--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
There may be other ways to tackle the problem, e.g.: "If you want to block requests by IP addr. can use the "deny from" directive in Apache's conf files or in a .htaccess file."

www.pantz.org/webservers/apache/tuningtips.shtml
http://httpd.apache.org/docs-2.0/mod/quickreference.html

CGI wrappers: http://builder.com.com/5100-6371-5061657-2.html (suEXEC and aliasing CGI directory)
Volker Kuhlmann wrote:
FW_REJECT_IP=123.123.123.0/24
Interesting. Please tell us what suse version and SuSEfirewall2 version that is. The latest available for 9.1 pro is SuSEfirewall2-3.1-310.3.noarch.rpm from the updates, and none of the files it contains have a FW_REJECT_IP string anywhere. Using the custom script option is the quickest way.
Such a feature will be available in 9.2.
Blocking obnoxious IPs has been on my wish list since day 1, but I'm not quite sure what I should make of SuSEfirewall2 as for the past years it seems minimally maintained, but not developed.
I've cleaned up SuSEfirewall2 quite a bit for 9.2, so it is developed again. You can find the current development version in www.suse.de/~lnussel or in my people/ directory on the ftp. Feedback or patches are welcome of course :-)

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   SUSE LINUX AG, Development
 V_/_  http://www.suse.de/