2 # Adds an IP to the IPFW drop list.
3 # Only works with IPFW.
5 # Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
6 # Author: Daniel B. Cid - dcid @ ( at ) ossec.net
7 # Author: Charles W. Kefauver ckefauver @ ( at ) ibacom.es
8 # changed for Mac OS X compatibility
9 # Last modified: August 14, 2006
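19 # Warning: do NOT add a leading 0 to SET_ID
# (the delete branch greps the `ipfw -S show` output for "set ${SET_ID}";
# a zero-padded value presumably would not match what ipfw prints)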
# Audit trail: appends a timestamp, the script path and the first five
# arguments to active-responses.log, located relative to the current working
# directory (${PWD}/../logs).
# NOTE(review): the arguments are written verbatim. If any of them can carry
# attacker-influenced text (for example an address extracted from a parsed
# log line), an embedded newline would produce a forged entry in this log --
# confirm that the caller sanitises them. ${PWD} is unquoted as well; some
# shells (bash) reject the redirection as ambiguous when the working
# directory contains whitespace.
26 echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
# Usage guard: an empty IP prints the expected argument order.
# NOTE(review): only emptiness is tested in the lines visible here; the
# assignment of IP and whatever follows the message are not part of this
# excerpt. IP is expanded unquoted on the ipfw command lines further down and
# is used as a grep pattern, so it should also be checked against a strict
# address format before use -- confirm whether the caller already guarantees
# that.
30 if [ "x${IP}" = "x" ]; then
31 echo "$0: <action> <username> <ip>"
# Action allow-list: anything other than "add" or "delete" is reported as
# invalid. The "x" prefix keeps the comparison well-formed when ACTION is
# empty or begins with "-".
# NOTE(review): "-a" inside [ ] is marked obsolescent by POSIX; two separate
# tests joined with && are the unambiguous form.
36 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
37 echo "$0: Invalid action: ${ACTION}"
42 # We should run on Darwin
# Platform gate: the body runs only when UNAME equals "Darwin" (how UNAME is
# set is not visible in this excerpt -- presumably from uname; confirm).
# The ls call probes for the path held in IPFW with all output discarded;
# the handling of its exit status is on lines not shown here.
43 if [ "X${UNAME}" = "XDarwin" ]; then
44 ls ${IPFW} >> /dev/null 2>&1
50 # Executing and exiting
# "add": inserts two deny rules into rule set SET_ID -- one for traffic from
# IP to anywhere, one for traffic from anywhere to IP -- and then enables
# that set.
# NOTE(review): ${IP} and ${SET_ID} are expanded unquoted, so a value that
# contains whitespace is split into additional ipfw arguments and changes the
# meaning of the rule. Validate IP as a single address before this point and
# quote the expansions.
51 if [ "x${ACTION}" = "xadd" ]; then
52 #${IPFW} set disable ${SET_ID}
53 ${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any
54 ${IPFW} -q add set ${SET_ID} deny ip from any to ${IP}
55 ${IPFW} -q set enable ${SET_ID}
# "delete": collects the numbers of the rules in set SET_ID whose listing
# mentions IP, then deletes each of them.
59 if [ "x${ACTION}" = "xdelete" ]; then
60 #${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" >/dev/null 2>&1
61 #get list of ipfw rules ID to delete
# NOTE(review): grep treats ${IP} as an unanchored regular expression, so "."
# matches any character and the pattern also matches longer addresses that
# contain it (10.0.0.1 matches 10.0.0.10). Lifting the block for one address
# can therefore silently lift blocks for others. A fixed-string, whole-word
# match (grep -F -w) or an exact field comparison in awk narrows the match.
# A value beginning with "-" would be read by grep as an option; validate IP
# before it reaches this line.
62 RULES_TO_DELETE=`${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" | awk '{print $1}'`
# RULES_TO_DELETE is left unquoted, so the list splits on whitespace into one
# rule number per iteration. The do/done lines of this loop are not part of
# this excerpt.
64 for RULE_ID in ${RULES_TO_DELETE}
66 ${IPFW} -q delete ${RULE_ID}