Updating your firewall on Linux – and blocking malware IP addresses at the same time

Firewalls on Linux/*nix are somewhat complicated, but stupidly powerful. “UFW” – the “uncomplicated” firewall – is… well, it’s uncomplicated in comparison to dealing with iptables directly.

But there are ways to make it easier.

First, in /etc/ufw/applications.d/ you’ll find that there should be (or at least COULD be) some nice presets for applications. The files in there look something like this:


(it’s at http://pastebin.com/6JNp2axv if the embed doesn’t show for you)

From there, you can call a script to invoke (and disable) the UFW/iptables rules as you like. Here’s a simple example:


(This script is at http://pastebin.com/TEik19Rn if the embed’s broken for you.)

Now, this is a simple example. I have a slightly more comprehensive example (though it’s essentially the above script expanded) up on GitHub at https://github.com/uriel1998/ufw-iptables-archer.

The biggest change – and the cooler bit – is the other script in that repository: it pulls in blocklists.

These blocklists were originally developed by (and presumably are still being used by) people torrenting illegally… though they’re not really effective at that task.

What is useful is that the collections of blocklists (like those at I-Blocklist) have categories such as “Pedophiles” (“IP ranges of people who we have found to be sharing child pornography in the p2p community”) and “webexploits” (“IP addresses related to current web server hack and exploit attempts”).

Regardless of what you’re doing, you probably don’t want those folks poking at your computer or server.

So I also wrote a script (from a base by Kirk Kosinski) that fetches the appropriate lists, combines them into one big blocklist, sorts it and removes duplicates, and then loads the ranges into an IP set using ipset (probably available in your distribution’s repositories).

From there, you can either uncomment the last two lines of the update_ipblock script, or run the ufw_setup script to add those ranges to your firewall.
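Here is the combine-sort-dedupe-load step written out as an added example of my own (it is not the script from the repository). It assumes the lists are in I-Blocklist’s P2P text format (“Description:first_ip-last_ip”, with “#” comment lines), that the set is called blocklist, and that the rule goes into UFW’s ufw-before-input chain in /etc/ufw/before.rules; fetching the lists and running ipset restore as root are left to you.

```shell
#!/bin/sh
# Added example, not the ufw-iptables-archer repository's own script.
# Converts blocklists in I-Blocklist's P2P text format
# ("Description:first_ip-last_ip", '#' comments) into an "ipset restore" file.
# Fetching/gunzipping the lists and running "ipset restore" (as root) are left
# to the caller; only IPv4 ranges are kept, anything else is dropped.
set -e

SET_NAME="blocklist"   # assumed set name; use whatever your firewall script expects

# p2p_to_ipset [FILE...]: read P2P lines from the files (or stdin) and print an
# ipset restore script. Ranges are sorted and deduplicated, so rebuilding the
# set from the same inputs is deterministic.
p2p_to_ipset() {
    echo "create ${SET_NAME} hash:net family inet -exist"
    cat "$@" \
      | tr -d '\r' \
      | grep -v '^[[:space:]]*#' \
      | grep -v '^[[:space:]]*$' \
      | sed -n 's/^.*:\([0-9.]*-[0-9.]*\)$/\1/p' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}-([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | sort -u \
      | sed "s/^/add ${SET_NAME} /"
}

# drop_rule: the iptables rule (iptables-restore syntax, as used in
# /etc/ufw/before.rules) that drops traffic from any source address in the set.
drop_rule() {
    echo "-A ufw-before-input -m set --match-set ${SET_NAME} src -j DROP"
}

# sample_blocklist: a constructed P2P-format sample (RFC 5737 documentation
# ranges), not a real I-Blocklist feed. It contains a comment, a duplicate,
# a name with a colon in it, a blank line and a malformed line.
sample_blocklist() {
    cat <<'EOF'
# constructed sample, not real data
Example webexploits entry:203.0.113.0-203.0.113.255
Example entry with: colon in name:198.51.100.10-198.51.100.20
Example webexploits entry:203.0.113.0-203.0.113.255
not an address:garbage-line

Another entry:192.0.2.1-192.0.2.1
EOF
}

# Demo: print the restore file and the rule for the constructed sample.
sample_blocklist | p2p_to_ipset
drop_rule
```

Feed the real, gunzipped lists to p2p_to_ipset instead of the sample, save the output and load it with `ipset restore < file`; the printed rule then makes the set effective once before.rules is reloaded.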

The entire repository is at https://github.com/uriel1998/ufw-iptables-archer ; I hope you find it useful!
