
Question

I'm working on a prototype that can spot network scanners, which is working, and it spits out the IP addresses of the scanners, but I need to block them now.

Is there any way to block an IP address from the terminal? It needs to be done automatically by the app, so preferably some terminal command that I can fire off to block the IP address from making any incoming connection to any port on the computer.

I'm not sure which direction to go with this. Is there some native way to do this, or will I need something extra?

Explanation / Answer

The simplest way to block traffic by IP address is to use pf (man pf.conf). Here's a simple script to help you get started.

Warning: Be sure to read the manual pages for more information before running this.

# pf.rules: block all inbound traffic to this host and drop anything from <blocklist>
# enable: sudo pfctl -e -f pf.rules
# disable: sudo pfctl -d
set block-policy drop                 # blocked packets are silently dropped, not rejected
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0                       # never filter loopback
scrub in all no-df
table <blocklist> persist             # filled at runtime with: pfctl -t blocklist -T add <addr>
block in log                          # default policy: block and log every inbound packet
block in log quick from no-route to any
pass out proto tcp from any to any keep state   # allow outbound TCP/UDP and their replies
pass out proto udp from any to any keep state
block log on en0 from <blocklist> to any        # drop everything from blocklisted hosts (en0 = primary interface on macOS; adjust)

You can use pfctl -t blocklist -T add 1.2.3.4 to add hosts to the blacklist and pfctl -t blocklist -T show to view the blacklist itself. To view the pf log, create a network interface with sudo ifconfig pflog0 create and dump its packets with sudo tcpdump -ni pflog0.
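The answer above leaves the "fire it off from the app" part to the asker. Below is an added example (not part of the original answer) of a small POSIX sh wrapper the scanner detector could call: it validates the address before it ever reaches pfctl, so a malformed string from the detector can never become part of a command line, and it refuses to block loopback, link-local, multicast/reserved addresses and anything listed in PF_NEVER_BLOCK (a space-separated allowlist for the default gateway and resolvers). The table name blocklist comes from the rules above; the variable names PF_NEVER_BLOCK and PF_DRY_RUN are assumptions for this example. Entries added with -T add live only in the kernel and are gone after a reboot, so the detector should re-add them at startup if persistence matters.

```shell
#!/bin/sh
# Added example: wrapper that adds a scanner's address to the pf <blocklist>
# table after validating it. Not from the original answer.
# Usage: PF_NEVER_BLOCK="192.0.2.1 192.0.2.53" sh block_ip.sh <addr>
# Set PF_DRY_RUN=1 to print the pfctl command instead of running it
# (otherwise pfctl needs root and a loaded ruleset). Both variable names are
# conventions assumed by this example.

# is_ipv4 ADDR: exit 0 only for a well-formed dotted-quad IPv4 address.
# Runs in a subshell so the IFS change does not leak out.
is_ipv4() (
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;   # junk, empty dots, leading zeros
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# is_protected ADDR: exit 0 if ADDR must never be blocked. Expects an address
# that already passed is_ipv4.
is_protected() {
    addr=$1
    case "$addr" in
        127.*|0.*|169.254.*) return 0 ;;          # loopback, "this host", link-local
    esac
    first=${addr%%.*}
    [ "$first" -ge 224 ] && return 0              # multicast and reserved ranges
    for keep in ${PF_NEVER_BLOCK:-}; do           # operator allowlist (gateway, DNS, ...)
        [ "$addr" = "$keep" ] && return 0
    done
    return 1
}

# block_ip ADDR: validate, then add ADDR to <blocklist>.
# Returns 0 on success, 2 for a malformed address, 3 for a protected one.
block_ip() {
    addr=$1
    is_ipv4 "$addr" || { echo "block_ip: malformed address: $addr" >&2; return 2; }
    if is_protected "$addr"; then
        echo "block_ip: refusing to block $addr" >&2
        return 3
    fi
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        echo "pfctl -t blocklist -T add $addr"
    else
        pfctl -t blocklist -T add "$addr"
    fi
}

if [ $# -eq 1 ]; then
    block_ip "$1"
fi
```

The detector can invoke the script with the address it extracted; the exit code tells it whether the block was applied, rejected as malformed, or refused because the address is on the never-block list. Pairing this with a periodic pfctl -t blocklist -T show in the app's log gives an operator a quick way to audit what has been blocked automatically.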