Date:      Sun, 26 Aug 2007 01:14:35 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Aminuddin <amin.scg@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: How to block 200K ip addresses?
Message-ID:  <20070826061435.GD25055@dan.emsphone.com>
In-Reply-To: <46d10500.1ebc720a.304c.1e2f@mx.google.com>
References:  <20070826013636.GC25055@dan.emsphone.com> <46d10500.1ebc720a.304c.1e2f@mx.google.com>

In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson [mailto:dnelson@allantgroup.com] 
> > In the last episode (Aug 26), Aminuddin said:
> > > From: Dan Nelson 
> > > > In the last episode (Aug 26), Aminuddin said:
> > > > > How do you block this large range of ip addresses from
> > > > > different subnets? IPFW only allows 65536 rules while this
> > > > > will probably use up a few hundred thousand lines.
> > > > > 
> > > > > I'm also trying to add this into my proxy configuration file,
> > > > > ss5.conf but it doesn't allow me to add this large number.
> > > > > 
> > > > > Is this the limitation of IPF or FreeBSD? How do I work
> > > > > around this?
> > > > 
> > > > Even though there are 65536 rule numbers, each number can
> > > > actually have any amount of rules assigned to it.  What you're
> > > > probably looking for, though, is ipfw's table keyword, which
> > > > uses the same radix tree lookup format as the kernel's routing
> > > > tables, so it scales well to large amounts of sparse addresses. 
> > > > man ipfw, search for "lookup tables".
> > >
> > > I intend to create a ruleset file consisting of this statement:
> > > 
> > > Ruleset------------------------
> > >
> > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> > [...]
> > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> > >
> > > add 2301 deny ip from 3.0.0.0/8 to any
> > > add 2401 reject ip from any to 3.0.0.0/8
> > > add 2302 deny ip from 4.0.25.146/31 to any
> > > add 2402 reject ip from any to 4.0.25.146/31
> > [...]
> > > add 2302 deny ip from 4.18.37.16/28 to any
> > > add 2402 reject ip from any to 4.18.37.16/28
> > > add 2302 deny ip from 4.18.37.128/25 to any
> > > add 2402 reject ip from any to 4.18.37.128/25
> > > ------------------------------------end ruleset
> > > 
> > > Will the above rules block me from sshing into my remote server if
> > > the ip address of my local pc (dynamic ip) is not within any of
> > > the above rules' ip ranges, as well as block my snmpd services?
> > 
> > Yes; it's a little convoluted but should work.  You want to drop
> > incoming packets from the listed IP ranges, and return a "host
> > unreachable" to internal machines sending outgoing packets to the
> > listed IP ranges?  Wouldn't it be easier to use ipfw's table
> > feature and have something like this:
> > 
> > add table 1 3.0.0.0/8
> > add table 1 4.0.25.146/31
> > add table 1 4.0.25.148/32
> > [...]
> > add table 1 4.18.37.16/28
> > add table 1 4.18.37.128/25
> > add 2300 deny ip from table 1 to any
> > add 2400 reject ip from any to table 1
> > 
> > That way you only have two ipfw rules, both of which use a single
> > table lookup.
>
> My complete list has about 300K lines. It takes about a few hours
> just to load the rules. Will it be faster to load using the table?
 
I did a quick test myself by fetching the safepeer ip list and adding
it via rules and tables.  This was a quick hack, so I'm just adding the
first IP in each line, not the whole netblock (I didn't want to write a
range->netmask converter).  On my heavily-loaded box (currently doing a
buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
"deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:

(root@dan) /tmp># head -3 splist1.table
table 1 add 0.0.0.0
table 1 add 4.0.25.146
table 1 add 4.0.26.14
(root@dan) /tmp># wc -l splist1.table
  191637 splist1.table
(root@dan) /tmp># time ipfw /tmp/splist1.table
ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0 Swaps:0
(root@dan) /tmp># ipfw table 1 list | wc -l
  191637

Under 7 seconds to load all 191k entries :)

-- 
	Dan Nelson
 	dnelson@allantgroup.com
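The range-to-netmask converter Dan skipped in his quick test, written here as an added example that is not part of the thread. It assumes a blocklist in a constructed "label:first-last" layout (the page does not show the actual format of the safepeer file), splits each inclusive range into the minimal set of CIDR blocks with Python's ipaddress module, merges overlapping entries so the table stays as small as possible, and emits the same "table 1 add ..." lines Dan loaded with `ipfw /tmp/splist1.table`. The two firewall rules use the `table(1)` spelling that ipfw(8) accepts; the rule numbers 2300 and 2400 are taken from the thread.

```python
import ipaddress
from typing import List

# Constructed sample input (an assumption about the list layout). The ranges
# are the ones that appear in the thread plus an overlapping and a bad line
# to exercise the merge and error-handling paths.
SAMPLE_LIST = """\
# comment lines and blank lines are skipped

Example block A:3.0.0.0-3.255.255.255
Example block B:4.0.25.146-4.0.25.148
Example block C:4.18.37.16-4.18.37.31
Example block D:4.18.37.128-4.18.37.255
Overlaps C:4.18.37.20-4.18.37.24
Bad line:not-an-address
"""


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    4.0.25.146-4.0.25.148 becomes 4.0.25.146/31 and 4.0.25.148/32, which is
    exactly how a range that is not power-of-two aligned has to be expressed
    for a prefix-based lookup table.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:  # tolerate reversed endpoints instead of raising
        lo, hi = hi, lo
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'label:first-last' lines into networks, skipping junk lines."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The label may itself contain ':' so split on the last one.
        _label, _, span = line.rpartition(":")
        first, sep, last = span.partition("-")
        if not sep:
            continue
        try:
            cidrs = range_to_cidrs(first.strip(), last.strip())
        except ValueError:
            # Malformed entry: skip it rather than abort the whole load.
            continue
        nets.extend(ipaddress.ip_network(c) for c in cidrs)
    return nets


def ipfw_table_script(text: str, table: int = 1) -> List[str]:
    """Produce the lines of a file suitable for 'ipfw <file>'.

    Overlapping or adjacent blocks are merged first, so a list with duplicate
    coverage does not inflate the table.
    """
    merged = ipaddress.collapse_addresses(parse_ranges(text))
    return [f"table {table} add {net}" for net in merged]


def ipfw_rules(table: int = 1, deny_rule: int = 2300,
               reject_rule: int = 2400) -> List[str]:
    """The two rules that replace hundreds of thousands of per-block rules."""
    return [
        f"add {deny_rule} deny ip from table({table}) to any",
        f"add {reject_rule} reject ip from any to table({table})",
    ]


if __name__ == "__main__":
    # Write the table file first, then the two rules, e.g.
    #   python3 mktable.py > /tmp/splist1.table && ipfw /tmp/splist1.table
    for line in ipfw_table_script(SAMPLE_LIST):
        print(line)
    for line in ipfw_rules():
        print(line)
```

Loading the generated file is a single `ipfw` invocation, as in Dan's timing above; because every entry goes into the radix tree rather than the rule chain, the lookup cost of the two rules does not grow with the size of the list.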



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070826061435.GD25055>