From owner-freebsd-questions@FreeBSD.ORG Wed Jan 14 16:44:07 2009
Date: Wed, 14 Jan 2009 10:44:03 -0600
From: Dan Nelson
To: Artem Kuchin
Cc: "freebsd-questions@freebsd.org"
Subject: Re: Blocking very many (tens of thousands) ip addresses in ipfw
Message-ID: <20090114164403.GH57874@dan.emsphone.com>
In-Reply-To: <496E117D.8030306@itlegion.ru>
References: <496E117D.8030306@itlegion.ru>
X-OS: FreeBSD 7.1-STABLE
User-Agent: Mutt/1.5.18 (2008-05-17)

In the last episode (Jan 14), Artem Kuchin said:
> I need to block around 150000 IP addresses from accessing the server at
> all at any port. The addresses are random, they are not nets. These
> are the spammers I want to block for 24 hours. The list is dynamically
> generated and regenerated every hour or so. What is the most
> efficient way to do it? At first I thought of doing ipfw rules using 5
> IPs per rule, that would result in 30000 rules! This will be too
> slow! I need something really quick and smart. Like matching the
> first number from the IP (195 from 192.1.2.3); if it does not match,
> skip; if it does, compare the next one and so on.

Take a look at the ipfw manpage, the LOOKUP TABLES section. You can
add/remove entries on the fly if you need to, and for an efficient full
replacement, create a file with contents like:

  table 1 flush
  table 1 add 1.2.3.4
  table 1 add 2.3.4.5

etc., then load it with "ipfw -f file.txt".

-- 
	Dan Nelson
	dnelson@allantgroup.com
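The flush-then-add load file Dan describes is straightforward to regenerate from the hourly list. The script below is an added example, not part of the original thread or of ipfw itself: a POSIX sh function that builds such a file while validating every entry, so a malformed or unexpected line in the dynamically generated list (a hostname, a trailing comment, an out-of-range octet, or text that happens to look like an ipfw command) is dropped rather than written into the file that ipfw will execute. The table number 1, the file paths, the example deny rule and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): turn a dynamically generated
# list of IPv4 addresses into an ipfw lookup-table load file of the form
# Dan describes (one "table N flush" followed by "table N add A.B.C.D" lines).
# The table number, file names and the sample addresses are assumptions.

# gen_ipfw_table TABLE LISTFILE
# Prints the load file on stdout. Entries that are not a plain dotted quad
# with every octet <= 255 are dropped, so a corrupt or hostile line in the
# generated list cannot end up as a different ipfw command in the load file.
gen_ipfw_table() {
    table="$1"
    list="$2"
    printf 'table %s flush\n' "$table"
    # Strict dotted-quad shape only; duplicates are removed so the same
    # address is not added twice.
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$list" | sort -u |
    while IFS= read -r ip; do
        ok=1
        old_ifs=$IFS
        IFS=.
        for oct in $ip; do
            # the regex alone accepts 999.1.1.1; check the numeric range too
            if [ "$oct" -gt 255 ]; then ok=0; fi
        done
        IFS=$old_ifs
        if [ "$ok" -eq 1 ]; then
            printf 'table %s add %s\n' "$table" "$ip"
        fi
    done
    return 0
}

# write_sample_list FILE: constructed input mixing valid, duplicate,
# out-of-range and malformed entries, to show what the filter keeps.
write_sample_list() {
    printf '%s\n' \
        '192.0.2.10' \
        '198.51.100.7' \
        '192.0.2.10' \
        '999.1.1.1' \
        '10.0.0.1 # trailing comment' \
        'mail.example.net' \
        'table 1 flush' \
        > "$1"
}

# Stand-alone usage: build the load file, then (as root) load it with
#   ipfw -f /tmp/spammers.ipfw
# and match it from a rule such as "ipfw add 100 deny ip from table(1) to any".
if [ "${1:-}" = "demo" ]; then
    write_sample_list /tmp/spammers.list
    gen_ipfw_table 1 /tmp/spammers.list > /tmp/spammers.ipfw
    cat /tmp/spammers.ipfw
fi
```

One thing to weigh when running this from cron every hour: between the `table 1 flush` line and the last `table 1 add`, the table is briefly empty, so the deny rule matches nothing for a moment. If that window matters, alternate between two table numbers referenced by two deny rules, load the new list into the inactive table, and only then flush the other one.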