From owner-freebsd-questions@FreeBSD.ORG Sun Aug 26 06:14:37 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6807516A419 for ; Sun, 26 Aug 2007 06:14:37 +0000 (UTC) (envelope-from dan@dan.emsphone.com) Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by mx1.freebsd.org (Postfix) with ESMTP id 39FAA13C458 for ; Sun, 26 Aug 2007 06:14:37 +0000 (UTC) (envelope-from dan@dan.emsphone.com) Received: (from dan@localhost) by dan.emsphone.com (8.14.1/8.14.1) id l7Q6EafK080816; Sun, 26 Aug 2007 01:14:36 -0500 (CDT) (envelope-from dan) Date: Sun, 26 Aug 2007 01:14:35 -0500 From: Dan Nelson To: Aminuddin Message-ID: <20070826061435.GD25055@dan.emsphone.com> References: <20070826013636.GC25055@dan.emsphone.com> <46d10500.1ebc720a.304c.1e2f@mx.google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <46d10500.1ebc720a.304c.1e2f@mx.google.com> X-OS: FreeBSD 7.0-CURRENT User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-questions@freebsd.org Subject: Re: How to block 200K ip addresses? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 26 Aug 2007 06:14:37 -0000 In the last episode (Aug 26), Aminuddin said: > From: Dan Nelson [mailto:dnelson@allantgroup.com] > > In the last episode (Aug 26), Aminuddin said: > > > From: Dan Nelson > > > > In the last episode (Aug 26), Aminuddin said: > > > > > How do you block this large range of ip addresses from > > > > > different subnet? IPFW only allows 65536 rules while this > > > > > will probably use up a few hundred thousands of lines. > > > > > > > > > > I'm also trying to add this into my proxy configuration file, > > > > > ss5.conf but it doesn't allow me to add this large number. > > > > > > > > > > IS this the limitation of IPF or FreeBSD? How do I work > > > > > around this? > > > > > > > > Even though there are 65536 rule numbers, each number can > > > > actually have any amount of rules assigned to it. What you're > > > > probably looking for, though, is ipfw's table keyword, which > > > > uses the same radix tree lookup format as the kernel's routing > > > > tables, so it scales well to large amounts of sparse addresses. > > > > man ipfw, search for "lookup tables". > > > > > > I intend to create a ruleset file consisting of this statement: > > > > > > Ruleset------------------------ > > > > > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any > > > add 2400 skipto 2401 ip from any to 0.0.0.0/6 > > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any > > > add 2400 skipto 2402 ip from any to 4.0.0.0/6 > > [...] > > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any > > > add 2400 skipto 2463 ip from any to 248.0.0.0/6 > > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any > > > add 2400 skipto 2464 ip from any to 252.0.0.0/6 > > > > > > add 2301 deny ip from 3.0.0.0/8 to any > > > add 2401 reject ip from any to 3.0.0.0/8 > > > add 2302 deny ip from 4.0.25.146/31 to any > > > add 2402 reject ip from any to 4.0.25.146/31 > > [...] > > > add 2302 deny ip from 4.18.37.16/28 to any > > > add 2402 reject ip from any to 4.18.37.16/28 > > > add 2302 deny ip from 4.18.37.128/25 to any > > > add 2402 reject ip from any to 4.18.37.128/25 > > > ------------------------------------end ruleset > > > > > > Will the above rules block me from ssh into my remote server if > > > the ip addresses of my local pc (dynamic ip) not within any of > > > the above rules ip range as well as block my snmpd services? > > > > Yes; it's a little convoluted but should work. You want to drop > > incoming packets from the listed IP ranges, and return a "host > > unreachable" to internal machines sending outgoing packets to the > > listed IP ranges? Wouldn't it be easier to use ipfw's table > > feature and have something like this: > > > > add table 1 3.0.0.0/8 > > add table 1 4.0.25.146/31 > > add table 1 4.0.25.148/32 > > [...] > > add table 1 4.18.37.16/28 > > add table 1 4.18.37.128/25 > > add 2300 deny ip from table 1 to any > > add 2400 reject ip from any to table 1 > > > > That way you only have two ipfw rules, both of which use a single > > table lookup. > > My complete list has about 300K of lines. It takes about a few hours > just to load the rules. Will it be faster to load using the table? I did a quick test myself by fetching the safepeer ip list and adding it via rules and tables. This was a quick hack, so I'm just adding the first IP in each line, not the whole netblock (I didn't want to write a range->netmask converter). On my heavily-loaded box (currently doing a buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw "deny ip from 4.0.25.146 to any"-format rules per second. By contrast: (root@dan) /tmp># head -3 splist1.table table 1 add 0.0.0.0 table 1 add 4.0.25.146 table 1 add 4.0.26.14 (root@dan) /tmp># wc -l splist1.table 191637 splist1.table (root@dan) /tmp># time ipfw /tmp/splist1.table ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0 Swaps:0 (root@dan) /tmp># ipfw table 1 list | wc -l 191637 Under 7 seconds to load all 191k entries :) -- Dan Nelson dnelson@allantgroup.com