Date:      Mon, 27 Oct 2008 10:12:47 -0700
From:      Julian Elischer <julian@elischer.org>
To:        ipfw@freebsd.org, David Wolfskill <david@catwhisker.org>
Subject:   Re: Any plans or desire for "bulk addition" to tables?
Message-ID:  <4905F68F.2030403@elischer.org>
In-Reply-To: <20081027164452.GC69155@bunrab.catwhisker.org>
References:  <20081027164452.GC69155@bunrab.catwhisker.org>

David Wolfskill wrote:
> On my systems that are directly connected to network not known to be
> relatively "safe," I use ipfw a fair bit.
> 
> Of late, I've taken to augmenting the usual rules that are sensitive to
> specific ports and the like with (early) rules that check certain ipfw
> tables; they are used in the following way:
> 
> * Traffic where an endpoint is found in table 1 is blocked.  Period.
> 
> * Traffic where the source address is in table 2 is not permitted to
>   initiate a 22/tcp connection.
> 
> * Traffic where the source address is in table 3 is not permitted to
>   initiate a 80/tcp or a 443/tcp connection.
> 
> Reasons for the above are somewhat off-topic for the list; I'll merely
> comment that they have to do with perceived failure to respond to
> observed attempts at abuse: I will protect my networks.
> 
> In any case, I've cobbled up a moderately complex mechanism for
> maintaining the tables in question, and table 1 (in particular) has
> grown to be rather large:
> 
> d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
> Password:
>    11230
> d254(8.0-C)[2] ^1^2
> sudo ipfw table 2 list | wc -l
>     1743
> d254(8.0-C)[3] ^2^3
> sudo ipfw table 3 list | wc -l
>       50
> d254(8.0-C)[4] 
> 
> Unfortunately, the only way I've found to populate a given table is to
> issue
> 
> 	ipfw table ${table} add ${netblock}

you can read in a file of entries

i.e.

ipfw -q filename

where each line is of the form
table N add IP VAL

this increases the speed many times as you are not starting
ipfw(1) for each entry.

> 
> for each "netblock" in the table (assuming that I don't care about the
> optional "value" parameter -- which I haven't found a use for).

oh I have lots of use for that...

> 
> Issuing something on the order of 13K "ipfw table ... add" commands
> during the single- to multi-user transition tends to slow down the
> effective boot time a bit -- especially when I'm booting up CURRENT on
> my laptop (with WITNESS & INVARIANTS specified).

I add many thousands using the method described above and it takes a
second or so

you can alternatively do:

myscript|ipfw -q /dev/stdin

where
'myscript' generates the values.


> 
> Would some way to teach ipfw(8) how to perform some sort of "bulk add"
> of a bunch of table entries in a single command invocation be of
> interest to anyone else?
> 
> Please include my address on responses, as I'm not subscribed to -ipfw@.
> (I've tweaked Reply-To to provide an MUA hint.)
> 
> Peace,
> david




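The batch-file approach from Julian's reply, worked through as an added example (this is not code from the thread or from FreeBSD): a small sh script that turns plain blocklist files into "table N add ..." lines, flushes and refills the tables in one batch, and hands the whole batch to a single ipfw(8) process. Assumptions not stated in the thread: input files carry one IPv4 address or CIDR per line with '#' comments, the table numbers follow David's layout (1 = block outright, 2 = no 22/tcp, 3 = no 80/443), the /etc/ipfw/*.txt paths are placeholders, and the table value defaults to 0 when none is given. The filtering step is the one a practitioner wants here: the batch is raw ipfw command input, so any line in a downloaded list that is not an address would otherwise be run as an ipfw command.

```shell
#!/bin/sh
# Added example, not code from the thread: build one ipfw(8) batch from
# per-table blocklist files and load it with a single ipfw invocation.
# Assumed input format: one IPv4 address or CIDR per line, '#' comments.

# gen_table_cmds TABLE FILE [VALUE]
# Print one "table TABLE add CIDR VALUE" line per usable entry in FILE.
# Anything that is not an IPv4 address or prefix is dropped: the batch is
# command input for ipfw, so a stray line such as
# "add 10 allow ip from any to any" in a fetched list would otherwise be
# installed as a rule instead of being treated as data.
gen_table_cmds() {
    table=$1; file=$2; val=${3:-0}
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
    while read -r cidr; do
        printf 'table %s add %s %s\n' "$table" "$cidr" "$val"
    done
}

# build_batch OUTFILE TABLE FILE [TABLE FILE ...]
# Write the complete batch to OUTFILE: each table is flushed first so that
# entries removed from the source list also leave the table, then refilled.
# Prints the number of lines written.
build_batch() {
    out=$1; shift
    : > "$out"
    while [ $# -ge 2 ]; do
        printf 'table %s flush\n' "$1" >> "$out"
        gen_table_cmds "$1" "$2" >> "$out"
        shift 2
    done
    wc -l < "$out" | tr -d ' '
}

# load_batch FILE
# One ipfw(8) process for the whole batch, as in the reply above, instead
# of one process per entry. A generator can also stream straight in:
#   gen_table_cmds 1 /etc/ipfw/block.txt | ipfw -q /dev/stdin
load_batch() {
    ipfw -q "$1"
}

# Example run with placeholder paths (these files are assumed, not real):
#   build_batch /var/run/ipfw-tables.batch \
#       1 /etc/ipfw/block.txt 2 /etc/ipfw/no-ssh.txt 3 /etc/ipfw/no-web.txt \
#   && load_batch /var/run/ipfw-tables.batch
```

Running this from rc during the single- to multi-user transition replaces the ~13K separate ipfw(8) invocations with one. The flush step makes the batch idempotent, so it can be re-run whenever the source lists change; if a table is referenced by a rule that is already in place, the window between flush and refill is short but real, so run the batch before the rules that consume the tables are loaded, or keep the lists small enough that the refill takes the second or so reported above.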
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4905F68F.2030403>