# Address List



## LuizBiazus (Jun 29, 2013)

Hello brothers,

I want to know if there is any way to create an address list based on IP connection. For example: if the IP 200.200.200.200 receives 500 connections it will be inserted in one address list; the main reason is to avoid worms passing through one proxy like Squid. So I want to put this address list in one "accept" before the proxy redirection rule.

Cheers,


----------



## wblock@ (Jun 29, 2013)

Can you please restate the objective in a general way?  Do you mean you want to block addresses that attempt to connect too many times?


----------



## LuizBiazus (Jun 30, 2013)

Hello buddy!

Well, some machines in the network could be infected by worms that normally are used to attack one pre-determined host. I want to detect the hosts and put them in one address list and make these destination hosts not pass through the proxy, because too many connections could crash the proxy system.

So in this case I want a direct connection between the customer and this host, avoiding the transparent proxy port redirection.

Anyway, thanks for your interest in helping.


----------



## wblock@ (Jun 30, 2013)

So you're worried about machines inside your network?  I'm sure that can be done with IPFW, but don't know how.  With pf(8), it's easy.  Create a persistent table of IP addresses or ranges and block everything in that table.  It's up to you to decide how to detect those machines.  Once you have the IP addresses, use pfctl(8) to add them to the table.


----------



## LuizBiazus (Jul 1, 2013)

Hello friend,

Yes, the problem is the infected machines inside the network, but how can I make a list using pf, based on the number of connections to port 80 in one determined IP address? Maybe I can make a mix with pf and ipfw.


----------



## wblock@ (Jul 1, 2013)

It is not the firewall that would detect the number of connections. The firewall will do the blocking. As I said, you'll have to come up with something else to count the connections. Probably something that asks squid, if that's the proxy.


----------
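The split wblock@ describes (something else counts the connections, pf does the table work) as an added example that is not part of the thread: a POSIX sh script that counts connections per destination host in a Squid native access.log, lists hosts at or above a threshold, and builds the pfctl(8) command that adds them to a persistent pf table. The table name `worm_targets`, the threshold, the pf.conf fragment in the comments and the sample log lines are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed pf.conf fragment that exempts
# hosts in the table from the transparent-proxy redirect (names assumed):
#   table <worm_targets> persist
#   no rdr on $int_if proto tcp from any to <worm_targets> port 80
#   rdr on $int_if proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128

# Constructed sample log lines (Squid native format; field 7 is the URL).
SAMPLE_LOG='1372507200.001 12 10.0.0.5 TCP_MISS/200 512 GET http://200.200.200.200/a - DIRECT/200.200.200.200 text/html
1372507200.002 10 10.0.0.6 TCP_MISS/200 512 GET http://200.200.200.200/b - DIRECT/200.200.200.200 text/html
1372507200.003 11 10.0.0.7 TCP_MISS/200 512 GET http://200.200.200.200:8080/c - DIRECT/200.200.200.200 text/html
1372507200.004 40 10.0.0.8 TCP_TUNNEL/200 700 CONNECT 200.200.200.200:443 - DIRECT/200.200.200.200 -
1372507200.005 30 10.0.0.5 TCP_MISS/200 900 GET http://example.org/ - DIRECT/192.0.2.10 text/html'

# hosts_over_threshold LIMIT: read a log on stdin, print each destination host
# (scheme, path and port stripped) seen LIMIT or more times, sorted.
hosts_over_threshold() {
    awk -v limit="$1" '
        {
            url = $7
            sub(/^[a-z]+:\/\//, "", url)   # drop scheme (absent for CONNECT)
            sub(/\/.*$/, "", url)          # keep host[:port]
            sub(/:[0-9]+$/, "", url)       # drop port
            if (url != "") count[url]++
        }
        END { for (h in count) if (count[h] >= limit) print h }
    ' | sort
}

# pf_add_command TABLE HOST...: print the pfctl command that would add the
# hosts to TABLE (run the printed line as root to apply it); fails with no hosts.
pf_add_command() {
    table="$1"; shift
    [ $# -gt 0 ] || return 1
    printf 'pfctl -t %s -T add %s\n' "$table" "$*"
}

# Scan the sample with a low threshold and show the resulting command.
hosts="$(printf '%s\n' "$SAMPLE_LOG" | hosts_over_threshold 4)"
if [ -n "$hosts" ]; then
    # shellcheck disable=SC2086  # word-splitting the host list is intended
    pf_add_command worm_targets $hosts
fi
```

Run it periodically from cron against the live access.log with the threshold raised to the 500 mentioned in the thread; a `no rdr` rule keyed on the table then lets those destinations bypass the proxy without touching the rest of the ruleset.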

