From owner-freebsd-questions@FreeBSD.ORG Sun Aug 26 06:06:03 2007
Message-ID: <1d3ed48c0708252238u1f1adfdfpa69af42b5796c36b@mail.gmail.com>
Date: Sat, 25 Aug 2007 22:38:12 -0700
From: "Kevin Downey"
To: amin.scg@gmail.com
Cc: Dan Nelson, freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?
In-Reply-To: <46d10500.1ebc720a.304c.1e2f@mx.google.com>
References: <20070826013636.GC25055@dan.emsphone.com> <46d10500.1ebc720a.304c.1e2f@mx.google.com>

On 8/25/07, Aminuddin wrote:
> My complete list has about 300K lines.
> It takes about a few hours just to load the rules.
> Will it be faster to load using the table?
>
> -----Original Message-----
> From: Dan Nelson [mailto:dnelson@allantgroup.com]
> Sent: Sunday, August 26, 2007 9:37 AM
> To: Aminuddin
> Cc: freebsd-questions@freebsd.org
> Subject: Re: How to block 200K ip addresses?
>
> In the last episode (Aug 26), Aminuddin said:
> > From: Dan Nelson
> > > In the last episode (Aug 26), Aminuddin said:
> > > > How do you block this large range of ip addresses from different
> > > > subnets? IPFW only allows 65536 rules while this will probably use
> > > > up a few hundred thousand lines.
> > > >
> > > > I'm also trying to add this into my proxy configuration file, ss5.conf,
> > > > but it doesn't allow me to add this large number.
> > > >
> > > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> > >
> > > Even though there are 65536 rule numbers, each number can actually have
> > > any amount of rules assigned to it. What you're probably looking for,
> > > though, is ipfw's table keyword, which uses the same radix tree lookup
> > > format as the kernel's routing tables, so it scales well to large
> > > amounts of sparse addresses. man ipfw, search for "lookup tables".
> >
> > I intend to create a ruleset file consisting of this statement:
> >
> > Ruleset------------------------
> >
> > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> [...]
> > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> >
> > add 2301 deny ip from 3.0.0.0/8 to any
> > add 2401 reject ip from any to 3.0.0.0/8
> > add 2302 deny ip from 4.0.25.146/31 to any
> > add 2402 reject ip from any to 4.0.25.146/31
> [...]
> > add 2302 deny ip from 4.18.37.16/28 to any
> > add 2402 reject ip from any to 4.18.37.16/28
> > add 2302 deny ip from 4.18.37.128/25 to any
> > add 2402 reject ip from any to 4.18.37.128/25
> > ------------------------------------end ruleset
> >
> > Will the above rules block me from ssh into my remote server if the
> > ip address of my local pc (dynamic ip) is not within any of the above
> > rules' ip ranges, as well as block my snmpd services?
>
> Yes; it's a little convoluted but should work. You want to drop
> incoming packets from the listed IP ranges, and return a "host
> unreachable" to internal machines sending outgoing packets to the
> listed IP ranges? Wouldn't it be easier to use ipfw's table feature
> and have something like this:
>
> table 1 add 3.0.0.0/8
> table 1 add 4.0.25.146/31
> table 1 add 4.0.25.148/32
> [...]
> table 1 add 4.18.37.16/28
> table 1 add 4.18.37.128/25
> add 2300 deny ip from table(1) to any
> add 2400 reject ip from any to table(1)
>
> That way you only have two ipfw rules, both of which use a single table
> lookup.
>
> --
> Dan Nelson
> dnelson@allantgroup.com
>

I would use the pf firewall; it has an option to fill tables from a file, like:

table persist file "/root/evil.txt"

kpd@zifnab /root% wc -l evil.txt
178438 evil.txt

so it's not 300k lines, but it takes seconds to load.

--
I am the kwisatz haderach
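Two things in this thread are worth seeing in working code: why a radix-tree lookup table scales to hundreds of thousands of prefixes where a linear rule list does not, and Aminuddin's question of whether the list would lock him out of his own ssh and snmpd services. The following is an added example, not code from anyone in the thread or from FreeBSD: a small binary-trie prefix table with longest-prefix match (the same idea ipfw's lookup tables and the kernel routing table use), a pre-flight check that a list of management addresses is not covered by the blocklist, and a generator that turns a blocklist file into `ipfw table N add` commands. The blocklist text is constructed from the prefixes quoted in the thread; the management addresses are constructed.

```python
"""Added example: trie-based CIDR blocklist lookup, pre-flight lockout check,
and ipfw table command generation. Sample data is constructed, not from the thread's files."""
import ipaddress

# Constructed sample blocklist (the prefixes Aminuddin quoted); a real list is read from a file.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
3.0.0.0/8
4.0.25.146/31
4.0.25.148/32
4.18.37.16/28
4.18.37.128/25
"""


class PrefixTable:
    """Binary trie keyed on IPv4 address bits.

    Lookup walks at most 32 nodes regardless of how many prefixes are stored,
    which is why a table of 300K entries costs no more per packet than a table of 5.
    """

    def __init__(self):
        self.root = {}
        self.count = 0

    def add(self, cidr):
        net = ipaddress.IPv4Network(cidr, strict=False)
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for b in bits:                      # descend one level per prefix bit
            node = node.setdefault(b, {})
        if "net" not in node:
            self.count += 1
        node["net"] = net                   # mark this node as a stored prefix

    def lookup(self, ip):
        """Return the longest stored prefix containing ip, or None."""
        bits = format(int(ipaddress.IPv4Address(ip)), "032b")
        node = self.root
        best = node.get("net")              # a /0 entry, if one exists
        for b in bits:
            node = node.get(b)
            if node is None:
                break
            if "net" in node:
                best = node["net"]          # keep the most specific match seen so far
        return best


def _entries(text):
    """Yield CIDR strings from blocklist text, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def load_blocklist(text):
    table = PrefixTable()
    for cidr in _entries(text):
        table.add(cidr)
    return table


def preflight(table, management_ips):
    """Return {ip: matching prefix} for every management address the list would block.

    Run this before loading a large list so the admin's own ssh/snmp sources
    are not cut off by an overly broad prefix such as a /8.
    """
    hits = {}
    for ip in management_ips:
        match = table.lookup(ip)
        if match is not None:
            hits[ip] = str(match)
    return hits


def ipfw_table_commands(table_no, text):
    """Turn blocklist text into the lines of an ipfw(8) command file.

    ipfw(8) documents `table number add addr[/masklen]` and `table number flush`;
    feed the result to `ipfw -q /path/to/file` and reference it from two rules,
    e.g. `add 2300 deny ip from table(1) to any`.
    """
    cmds = [f"table {table_no} flush"]
    cmds.extend(f"table {table_no} add {cidr}" for cidr in _entries(text))
    return cmds


if __name__ == "__main__":
    table = load_blocklist(SAMPLE_BLOCKLIST)
    # Constructed management addresses: one safe, one inside the 3.0.0.0/8 entry.
    print(preflight(table, ["198.51.100.7", "3.3.3.3"]))
    print("\n".join(ipfw_table_commands(1, SAMPLE_BLOCKLIST)))
```

The pre-flight check is the practical answer to the lockout question: if it returns a non-empty dict, the list contains a prefix that covers a management address and should be trimmed (or an explicit allow rule numbered before the deny should be added) before the table is loaded.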