Message-ID: <450A9421.6010400@withagen.nl>
Date: Fri, 15 Sep 2006 13:53:05 +0200
From: Willem Jan Withagen
To: Julian Elischer
Cc: Barney Wolff, freebsd-net@freebsd.org, Willem Jan Withagen
In-Reply-To: <4509C4BC.3090000@elischer.org>
Subject: Re: blocking a string in a packet using ipfw
List-Id: Networking and TCP/IP with FreeBSD

Julian Elischer wrote:
>> Forgot to mention: 4.7-PRERELEASE :(
>
> ugh... no tables
> and 45000 lines will be bad.
>
> load an old PC with 6.2
> and set it up as a bridge with 2 interfaces.
> and use ipfw table to filter on the bridge
>

If I could have easy access to the box, that would be the solution. But the box is in Amsterdam in a Colo, and currently the rack is fully loaded.
And we're not allowed to leave stuff standing outside the rack.

For now the storm generated by the virus has calmed, because the DNS address used was one that was easily changed without penalties of sites getting unavailable. So setting that to 127.0.0.1 solved quite a lot. It still took a few hours to actually pick up everywhere. Over that time I collected over 50.000 IPs which all ended up in IPFW. :)

The box (PIII, 750 MHz, 512 MB) started using a lot of system and interrupt time, but it survived it all.

Only to find out that it got whacked this morning again, but now in some phpbb's, where they uploaded something like 45.000 viagra/spam messages. :(

But fortunately this convinced the customer that he really should upgrade both hardware and software. Something I've been asking for as long as I've set eyes on this server. Probably the hours now spent in repairing etc. could have been better invested in a new server.

--WjW