From owner-freebsd-net@FreeBSD.ORG Thu Sep 14 13:47:31 2006
Date: Thu, 14 Sep 2006 15:46:12 +0200
From: Phil Regnauld
To: Willem Jan Withagen
Cc: freebsd-net@freebsd.org
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <20060914134611.GW76403@catpipe.net>
In-Reply-To: <4509592A.3040602@digiware.nl>
References: <4509592A.3040602@digiware.nl>
X-Operating-System: FreeBSD 6.1-PRERELEASE i386
Organization: catpipe Systems ApS
User-Agent: Mutt/1.5.11
List-Id: Networking and TCP/IP with FreeBSD

Willem Jan Withagen (wjw) writes:
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )

	Actually, it should.

> So I'd like to see if there is something to do with divert and some
> matching on a string in the packet to drop those packets.

	That will be quite expensive. Ideally ipfw/pf should allow for
	inspecting the contents of a packet (offset,value,[offset,value])
	without leaving kernel space.

> That would prevent me from having humongous set of rules in ipfw.
>
> Or any other suggestion that would make sense.

	Using pf with a table, and in ipfw as well, you can handle very
	large lists of IP addresses.
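The table-based approach Phil suggests, as an added example that is not part of the original thread: a small POSIX sh script that cleans a large address list and prints the pfctl or ipfw commands that load it into a table referenced by a single rule, instead of one rule per address. The table name "blocked", ipfw table number 1, rule number 100 and the list file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one firewall rule, addresses in a
# table, for pf and for ipfw. Table name "blocked", ipfw table number 1,
# rule number 100 and the list file are assumptions. List file: one IPv4
# address or CIDR prefix per line; '#' comments and blank lines ignored.

# Emit only well-formed, deduplicated IPv4 entries, so a single bad line
# cannot abort loading a 100k-entry table.
clean_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
    | sort -u
}

# pf: the rule in pf.conf stays fixed, 'replace' swaps the table contents:
#   table <blocked> persist
#   block in quick from <blocked> to any
pf_commands() {
    echo "pfctl -t blocked -T replace -f $1"
}

# ipfw: rule 100 is installed once, the table is rebuilt on each run
# (the flush/add cycle briefly leaves the table empty).
#   ipfw add 100 deny ip from "table(1)" to any
ipfw_commands() {
    echo "ipfw table 1 flush"
    clean_list "$1" | sed 's/^/ipfw table 1 add /'
}

# Constructed sample list (RFC 5737 addresses) written to a temp file.
sample_list() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
192.0.2.1
203.0.113.7      # trailing comment
10.0.0.0/8
999.1.1.1        # bad octet, dropped
198.51.100.0/24
192.0.2.1        # duplicate, collapsed
192.0.2.0/33     # bad prefix length, dropped
EOF
    echo "$f"
}

# Usage: sh blocklist.sh pf|ipfw listfile   (prints commands; pipe to sh)
case "${1:-}" in
    pf)   t=$(mktemp); clean_list "$2" >"$t"; pf_commands "$t" ;;
    ipfw) ipfw_commands "$2" ;;
esac
```

The script only prints the loading commands so the cleaned list can be reviewed before it is applied.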