Proofpoint works with the open source community to maintain a list of IPs belonging to C&C servers (as identified by abuse.ch), Spam nets (as identified by Spamhaus) and Top Attackers (as listed by DShield).
The lists are continually updated, free and available in several firewall rule formats. If your PPC is not behind a firewall you should consider adding these to your ipfw ruleset. You can view and download the rules here: http://rules.emergingthreats.net/fwrules/
The emerging-IPF rules need a little tweaking to make them usable by the PPC ipfw. You can automate editing by using the curl and awk commands in the following shell script or even automate the process by downloading the following shell script (and editing as needed for your environment).
Code:
#!/bin/sh
#
# Copy the first part of the firewall rule set
#
cat 1.ipfw.conf > ipfw.conf
echo 'Downloading new firewall rules'
echo
#
# http://rules.emergingthreats.net/fwrules/emerging-IPF-DROP.rules
#
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error page; the script stops rather than appending it to ipfw.conf.
curl --fail -o emerging-IPF-DROP.rules.txt http://rules.emergingthreats.net/fwrules/emerging-IPF-DROP.rules || exit 1
# Rewrite the IPF action "block in log quick" as the ipfw action "add deny ip"
sed "s/[[:<:]]block\ in\ log\ quick[[:>:]]/add\ deny\ ip/g" emerging-IPF-DROP.rules.txt >> ipfw.conf
echo
#
# http://rules.emergingthreats.net/fwrules/emerging-IPF-DSHIELD.rules
#
curl --fail -o emerging-IPF-DSHIELD.rules.txt http://rules.emergingthreats.net/fwrules/emerging-IPF-DSHIELD.rules || exit 1
sed "s/[[:<:]]block\ in\ log\ quick[[:>:]]/add\ deny\ ip/g" emerging-IPF-DSHIELD.rules.txt >> ipfw.conf
echo
#
# http://rules.emergingthreats.net/fwrules/emerging-IPF-CC.rules
#
curl --fail -o emerging-IPF-CC.rules.txt http://rules.emergingthreats.net/fwrules/emerging-IPF-CC.rules || exit 1
sed "s/[[:<:]]block\ in\ log\ quick[[:>:]]/add\ deny\ ip/g" emerging-IPF-CC.rules.txt >> ipfw.conf
echo
#
# Copy the remainder of the firewall rule set
#
cat 2.ipfw.conf >> ipfw.conf
#
# Update the user
#
echo 'ipfw.conf file is built and ready for use'
echo
If you need a refresher on firewalling Leopard read this posting.
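An added example, not part of the original post: the sed substitution in the script copies every line it does not match straight into ipfw.conf, so the converter below emits a rule only for well-formed entries and signals failure otherwise. The names `convert_ipf` and `sample_feed`, the /8 minimum prefix, and the feed line format (inferred from the sed pattern) are assumptions.

```shell
#!/bin/sh
# Added example: strict IPF -> ipfw conversion (convert_ipf is a hypothetical helper).
# Assumed feed format, taken from the sed pattern in the post:
#   block in log quick from <IPv4>[/<prefix>] to any
# Comments and blanks are skipped; any other line is reported on stderr and
# makes the function return 1, so the caller can refuse to use the feed.
convert_ipf() {
    awk '
    function valid_ipv4(a,    n, o, i) {
        n = split(a, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        ok = 0
        if (NF == 8 && $1 == "block" && $2 == "in" && $3 == "log" &&
            $4 == "quick" && $5 == "from" && $7 == "to" && $8 == "any") {
            n = split($6, p, "/")
            plen = (n == 2) ? p[2] : "32"
            # Assumption: refuse prefixes shorter than /8 (overly broad blocks).
            if (n <= 2 && valid_ipv4(p[1]) && plen ~ /^[0-9]+$/ &&
                length(plen) <= 2 && plen + 0 >= 8 && plen + 0 <= 32)
                ok = 1
        }
        if (ok) print "add deny ip from " $6 " to any"
        else { bad++; print "rejected line " NR ": " $0 | "cat 1>&2" }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample feed (documentation address ranges, not real indicators).
sample_feed() {
    printf "%s\n" "# constructed sample" \
        "block in log quick from 192.0.2.0/24 to any" \
        "block in log quick from 198.51.100.7 to any" \
        "add allow ip from any to any" \
        "block in log quick from 0.0.0.0/0 to any"
}

# Only use the converted rules when every feed line passed validation.
if rules=$(sample_feed | convert_ipf); then
    printf "%s\n" "$rules"        # in the script above: >> ipfw.conf
else
    echo "feed contained unexpected lines; ruleset left unchanged" >&2
fi
```

In the script above, each `sed ... >> ipfw.conf` line would become `convert_ipf < emerging-IPF-DROP.rules.txt >> ipfw.conf || exit 1` (and likewise for the other two files).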