--- /dev/null
+#!/bin/sh
+# Adds an IP to the IPFW drop list.
+# Only works with IPFW.
+# We use TABLE 00001. If you use this table for anything else,
+# please change it here.
+# Expect: srcip
+# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
+# Author: Daniel B. Cid - dcid @ ( at ) ossec.net
+# Last modified: May 07, 2006
+
+UNAME=`uname`
+IPFW="/sbin/ipfw"
+ARG1=""
+ARG2=""
+ACTION=$1
+USER=$2
+IP=$3
+TABLE_ID=00001
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+PWD=`pwd`
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+
+# Checking for an IP
+if [ "x${IP}" = "x" ]; then
+ echo "$0: <action> <username> <ip>"
+ exit 1;
+fi
+
+
+
+# Blocking IP
+if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
+ echo "$0: Invalid action: ${ACTION}"
+ exit 1;
+fi
+
+
+# We should run on FreeBSD
+# We always use table 00001 and rule id 00001.
+if [ "X${UNAME}" = "XFreeBSD" ]; then
+ ls ${IPFW} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+ # Check if our table is set
+ ${IPFW} show | grep "^00001" | grep "table(1)" >/dev/null 2>&1
+ if [ ! $? = 0 ]; then
+ # We need to add the table
+ ${IPFW} -q 00001 add deny ip from table\(${TABLE_ID}\) to any
+ ${IPFW} -q 00001 add deny ip from any to table\(${TABLE_ID}\)
+ fi
+
+
+ # Executing and exiting
+ ${IPFW} -q table ${TABLE_ID} ${ACTION} ${IP}
+
+ exit 0;
+fi
+
+
+# Not FreeBSD
+exit 1;