Message-ID: <450787BD.6050704@yandex.ru>
Date: Wed, 13 Sep 2006 08:23:25 +0400
From: "Andrey V. Elsukov"
To: "Jin Guojun [VFFS]"
Cc: ipfw@freebsd.org
In-Reply-To: <4507539A.5000502@lbl.gov>
Subject: Re: maximum deny entries?

Jin Guojun [VFFS] wrote:
> I am not sure if this is a bug or is there some limitation for total
> deny entry,
> when the deny list exceeds a certain length (36 lines in this case),
> ipfw stops working (see the *** line below).
> # ipfw list
> ...all non deny entries are removed
> 00361 deny ip from 202.124.17.215 to any
...
> 00364 deny ip from 71.135.96.85 to any
> 00364 deny ip from 71.135.41.68 to any
> 00364 deny ip from 71.135.35.252 to any
> 00364 deny ip from 71.135.178.215 to any

First, try ipfw logging rules for each rule and at the end of the rules.
Second, you can use ipfw tables and replace all your rules with one.

-- 
WBR, Andrey V. Elsukov
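
The table-based approach suggested in the reply, as an added example that is not part of the original message: the function reads `ipfw list` output and prints the `ipfw table` commands plus the single rule that would replace the per-address deny rules. Table number 1, rule number 361, and the function names are assumptions chosen for illustration; nothing is executed against the firewall.

```shell
#!/bin/sh
# Added example: turn per-address "deny ip from A to any" rules into one
# table-based rule. It only prints ipfw commands; it does not run them.

deny_rules_to_table() {
    table="$1"   # ipfw table number to fill (assumed to be unused)
    rule="$2"    # rule number for the single replacement rule (assumed)
    awk -v t="$table" -v r="$rule" '
        # Match exactly: <num> deny ip from <IPv4[/len]> to any
        $2 == "deny" && $3 == "ip" && $4 == "from" &&
        $6 == "to" && $7 == "any" && NF == 7 &&
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            if (!($5 in seen)) {          # skip duplicate addresses
                seen[$5] = 1
                printf "ipfw table %s add %s\n", t, $5
                n++
            }
            next
        }
        # Emit the one rule that replaces all matched deny rules.
        END {
            if (n > 0)
                printf "ipfw add %s deny ip from \"table(%s)\" to any\n", r, t
        }
    '
}

# Constructed sample input: addresses are taken from the quoted listing,
# the duplicate line and the final allow rule are made up for the demo.
sample_rules() {
    cat <<'EOF'
00361 deny ip from 202.124.17.215 to any
00364 deny ip from 71.135.96.85 to any
00364 deny ip from 71.135.41.68 to any
00364 deny ip from 71.135.96.85 to any
65535 allow ip from any to any
EOF
}

sample_rules | deny_rules_to_table 1 361
```

Review the printed commands before running them, and delete the old per-address rules only after the table rule is in place.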