APF Firewall blocking a range of IPs

arrow02

I would like to block the I.Ps of a certain ISP.

I am using APF Firewall.

Can someone tell me how to block this list of I.Ps?

Or possibly tell me where to find an example of how to block a range of I.Ps with APF.

Thanks for the help,
 

chirpy

From http://www.rfxnetworks.com/apf/README

APF comes packaged with two trust based files for the inclusion of IP's. These
files allow two trust levels that are, allow and deny.

The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules

The format of these files is line-separated addresses, IP masking is supported.
Example:
24.202.16.11
24.202.11.0/24
For a whole ISP you need to establish their network blocks (from ARIN/APNIC/RIPE) and then list them in your /etc/apf/deny_hosts.rules. Usefully, the IP assignators tell you the CIDRs to use.
 

arrow02

Thanks chirpy,

I somehow missed that.

I believe this is the block of ips I want to block:
inetnum: 203.197.0.0 - 203.197.255.255

Would you happen to know how I would list them in /etc/apf/deny_hosts.rules?

Sorry this is somewhat new to me.

Thanks again for your help
 

homeuser55

chirpy,

Do you know of a script that will check incoming IP's and determine if they are attacking, then auto block them if they are attacking and also send an email of the attacking IP’s?
 

arrow02

APF Firewall Blocking

Thank you again chirpy,

I added the IP you gave me at the bottom of /etc/apf/deny_hosts.rules.

Can you tell me if this is correct?

Thanks a lot.



##
# deny_hosts
#
# Trust based rule file to define addresses that are granted all or specific
# access through the firewall.
#
# Format of this file is line-seperated addresses, IP masking is supported.
# Example:
# 24.202.16.11
# 24.202.11.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Flow assumed as Input if not defined. Protocol assumed as TCP if not defined.
# When defining rules with protocol, flow is required.
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# outbound to destination port 23 to destination 0.0.0.0 (any)
# tcp:out:d=23:d=0.0.0.0
#
# inbound to destination port 80 from source 24.202.11.3
# in:d=80:s=24.202.11.3
#
# inbound to destination port 27015 from 24.202.11.0/24
# d=27015:s=24.202.11.0/24
#
##
203.197.0.0/16
 

haze

Originally posted by homeuser55
chirpy,

Do you know of a script that will check incoming IP's and determine if they are attacking, then auto block them if they are attacking and also send an email of the attacking IP’s?
Check out the antidos feature in APF: rfxnetworks.com
 

arrow02

APF Firewall Blocking

I tried it earlier and when I restarted apf I got errors.
 

arrow02

APF Firewall Blocking

I also tried in:d=80:s=203.197.0.0/16

Does anyone know how to configure this blocking method for /etc/apf/deny_hosts.rules?

I understand the reluctance to post for this, so if you do not want to post it here please PM me.

I am just tired of playing cat-mouse with a hacker.
 

I-Web

Hi all, I need to block an ISP owning the following IP addresses:

64.113.96.0 - 64.113.127.255

What would I need to enter into my deny hosts file to ensure they are blocked from everything on my servers?


Thanks in advance
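
Added example, not part of the thread or of APF itself: a Python sketch that turns the "first - last" ranges quoted above (as WHOIS inetnum lines give them) into the CIDR notation that deny_hosts.rules accepts, and skips blocks the file already covers. The function names and the sample rules text are hypothetical, and only the simple one-address-per-line entries are parsed.

```python
import ipaddress
import re

# Matches a WHOIS-style range such as "inetnum: 203.197.0.0 - 203.197.255.255".
RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})")

def range_to_cidrs(text):
    """Return the smallest list of CIDR strings that exactly covers the range."""
    m = RANGE_RE.search(text)
    if not m:
        raise ValueError(f"no 'first - last' IPv4 range in: {text!r}")
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    if first > last:
        raise ValueError("range start is above range end")
    # A range that is not aligned on a power-of-two boundary yields several blocks.
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def plain_entries(rules_text):
    """Parse the simple address/CIDR lines of a deny_hosts.rules file."""
    nets = []
    for line in rules_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and advanced proto:flow:port:ip rules.
        if not line or line.startswith("#") or ":" in line or "=" in line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def new_deny_lines(ranges, rules_text=""):
    """CIDR lines to append: blocks from `ranges` not already covered by the file."""
    have = plain_entries(rules_text)
    out = []
    for r in ranges:
        for cidr in range_to_cidrs(r):
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(h) for h in have):
                out.append(cidr)
                have.append(net)
    return out

# Constructed sample of an existing rules file (not taken from a real server).
SAMPLE_RULES = "# deny_hosts\n24.202.16.11\n203.197.0.0/16\n"

if __name__ == "__main__":
    wanted = ["inetnum: 203.197.0.0 - 203.197.255.255",
              "64.113.96.0 - 64.113.127.255"]
    for line in new_deny_lines(wanted, SAMPLE_RULES):
        print(line)
```
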