Date:      Mon, 27 Aug 2007 07:37:40 -0400
From:      Andy Greenwood <greenwood.andy@gmail.com>
To:        amin.scg@gmail.com
Cc:        'Dan Nelson' <dnelson@allantgroup.com>, freebsd-questions@freebsd.org
Subject:   Re: How to block 200K ip addresses?
Message-ID:  <46D2B784.1050306@gmail.com>
In-Reply-To: <46d27138.07ec720a.0343.ffffbba7@mx.google.com>
References:  <46d27138.07ec720a.0343.ffffbba7@mx.google.com>

Aminuddin wrote:
> Will give this a try. Since my server is a remote server that I can access
> only by ssh, what other rules do I need to add in? I don't want to have
> a situation where I will lock myself out.
>
> Is it correct to say that the rules that I put in will only block those in
> the rules and allow all that are not in the rules?
>
> Thanks
>
> -----Original Message-----
> From: Dan Nelson [mailto:dnelson@allantgroup.com] 
> Sent: Sunday, August 26, 2007 2:15 PM
>
>
> To: Aminuddin
> Cc: freebsd-questions@freebsd.org
> Subject: Re: How to block 200K ip addresses?
>
> In the last episode (Aug 26), Aminuddin said:
>   
>> From: Dan Nelson [mailto:dnelson@allantgroup.com] 
>>     
>>> In the last episode (Aug 26), Aminuddin said:
>>>       
>>>> From: Dan Nelson 
>>>>         
>>>>> In the last episode (Aug 26), Aminuddin said:
>>>>>           
>>>>>> How do you block this large range of IP addresses from
>>>>>> different subnets? IPFW only allows 65536 rules while this
>>>>>> will probably use up a few hundred thousand lines.
>>>>>>
>>>>>> I'm also trying to add this into my proxy configuration file,
>>>>>> ss5.conf, but it doesn't allow me to add this large number.
>>>>>>
>>>>>> Is this a limitation of IPF or FreeBSD? How do I work
>>>>>> around this?
>>>>>>             
>>>>> Even though there are 65536 rule numbers, each number can
>>>>> actually have any amount of rules assigned to it.  What you're
>>>>> probably looking for, though, is ipfw's table keyword, which
>>>>> uses the same radix tree lookup format as the kernel's routing
>>>>> tables, so it scales well to large amounts of sparse addresses. 
>>>>> man ipfw, search for "lookup tables".
>>>>>           
>>>> I intend to create a ruleset file consisting of this statement:
>>>>
>>>> Ruleset------------------------
>>>>
>>>> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
>>>> add 2400 skipto 2401 ip from any to 0.0.0.0/6
>>>> add 2300 skipto 2302 ip from 4.0.0.0/6 to any
>>>> add 2400 skipto 2402 ip from any to 4.0.0.0/6
>>>>         
>>> [...]
>>>       
>>>> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
>>>> add 2400 skipto 2463 ip from any to 248.0.0.0/6
>>>> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
>>>> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>>>>
>>>> add 2301 deny ip from 3.0.0.0/8 to any
>>>> add 2401 reject ip from any to 3.0.0.0/8
>>>> add 2302 deny ip from 4.0.25.146/31 to any
>>>> add 2402 reject ip from any to 4.0.25.146/31
>>>>         
>>> [...]
>>>       
>>>> add 2302 deny ip from 4.18.37.16/28 to any
>>>> add 2402 reject ip from any to 4.18.37.16/28
>>>> add 2302 deny ip from 4.18.37.128/25 to any
>>>> add 2402 reject ip from any to 4.18.37.128/25
>>>> ------------------------------------end ruleset
>>>>
>>>> Will the above rules block me from ssh-ing into my remote server if
>>>> the IP address of my local PC (dynamic IP) is not within any of
>>>> the above rules' IP ranges, as well as block my snmpd service?
>>>>         
>>> Yes; it's a little convoluted but should work.  You want to drop
>>> incoming packets from the listed IP ranges, and return a "host
>>> unreachable" to internal machines sending outgoing packets to the
>>> listed IP ranges?  Wouldn't it be easier to use ipfw's table
>>> feature and have something like this:
>>>
>>> add table 1 3.0.0.0/8
>>> add table 1 4.0.25.146/31
>>> add table 1 4.0.25.148/32
>>> [...]
>>> add table 1 4.18.37.16/28
>>> add table 1 4.18.37.128/25
>>> add 2300 deny ip from table 1 to any
>>> add 2400 reject ip from any to table 1
>>>
>>> That way you only have two ipfw rules, both of which use a single
>>> table lookup.
>>>       
>> My complete list has about 300K lines. It takes a few hours
>> just to load the rules. Will it be faster to load using the table?
>>     
>  
> I did a quick test myself by fetching the safepeer ip list and adding
> it via rules and tables.  This was a quick hack, so I'm just adding the
> first IP in each line, not the whole netblock (I didn't want to write a
> range->netmask converter).  On my heavily-loaded box (currently doing a
> buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
> "deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:
>
> (root@dan) /tmp># head -3 splist1.table
> table 1 add 0.0.0.0
> table 1 add 4.0.25.146
> table 1 add 4.0.26.14
> (root@dan) /tmp># wc -l splist1.table
>   191637 splist1.table
> (root@dan) /tmp># time ipfw /tmp/splist1.table
> ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0
> Swaps:0
> (root@dan) /tmp># ipfw table 1 list | wc -l
>   191637
>
> Under 7 seconds to load all 191k entries :)
>
>   

Please don't top-post.

My understanding is that anything not blocked by these rules will be 
allowed, unless it is blocked somewhere else in your firewall config.

An easy way to make sure you don't lock yourself out (at least 
permanently) is to write up a shell script that will revert your rules 
to your current ruleset and enter it as a cron job set to be run every 5 
minutes or so. That way, even if you do lock yourself out, it'll only be 
a few minutes. If it works and you're not locked out, remove the cron job.
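The two pieces of advice in this thread, Dan's table-based load and Andy's timed rollback, fit together in one script. The following is an added example, not code from the thread or from FreeBSD; it generates the batch file that `ipfw <file>` loads (table 1 behind two rules, written with the `table(1)` form from ipfw(8)), validates every list entry before it becomes an ipfw command, and arms a cron job that undoes the change every 5 minutes until it is removed. The blocklist contents are constructed, and the rollback script path and rule numbers 2300/2400 are assumptions taken from the thread's own examples.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ipfw batch file that loads
# a blocklist into table 1 behind two rules, validates every entry first, and
# arms a cron-based rollback before applying, so a lockout lasts minutes.

ROLLBACK=/usr/local/sbin/ipfw-rollback.sh   # hypothetical path

# Constructed sample blocklist: one IPv4 netblock per line; '#' comments and
# blank lines are allowed.
make_sample_blocklist() {   # $1 = file to write
  cat > "$1" <<'EOF'
# constructed sample, not a real blocklist
3.0.0.0/8
4.0.25.146/31
4.0.25.148/32
EOF
}

# Turn a blocklist into a batch that "ipfw <file>" loads in one pass.
# The batch is a stream of ipfw commands, so a stray line in a downloaded
# list would otherwise run as a command; only well-formed IPv4 addresses or
# CIDR blocks get through. Returns 1 if any line was rejected.
gen_table_file() {   # $1 = blocklist, $2 = batch file to write
  awk '
    BEGIN { print "table 1 flush"; bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      ok = match($1, /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
      if (ok) {
        n = split($1, part, "[./]")
        for (i = 1; i <= 4; i++) if (part[i] > 255) ok = 0
        if (n == 5 && part[5] > 32) ok = 0
      }
      if (!ok) { print "rejected line " NR ": " $0 > "/dev/stderr"; bad = 1; next }
      print "table 1 add " $1
    }
    END {
      print "add 2300 deny ip from table(1) to any"
      print "add 2400 reject ip from any to table(1)"
      exit bad
    }' "$1" > "$2"
}

# Rollback script: undo exactly what the batch added and nothing else.
write_rollback_script() {   # $1 = path to write
  cat > "$1" <<'EOF'
#!/bin/sh
ipfw -q delete 2300 2400
ipfw -q table 1 flush
EOF
  chmod 700 "$1"
}

# Arm the rollback first, then load. The cron job removes the block every
# 5 minutes; once an ssh login inside that window still works, delete the
# crontab line and load the batch again so the rules stay.
apply_with_rollback() {   # $1 = batch file
  write_rollback_script "$ROLLBACK"
  { crontab -l 2>/dev/null; echo "*/5 * * * * $ROLLBACK"; } | crontab -
  ipfw -q "$1"
}

demo() {   # build the sample, generate its batch, print the batch path
  dir=$(mktemp -d)
  make_sample_blocklist "$dir/blocklist.txt"
  gen_table_file "$dir/blocklist.txt" "$dir/splist.table"
  echo "$dir/splist.table"
}

if [ "${1:-}" = "apply" ]; then
  apply_with_rollback "$(demo)"   # needs root and ipfw; only on request
else
  cat "$(demo)"
fi
```

Run it with no arguments to see the generated batch; `apply` as the first argument writes the rollback script, installs the crontab line and loads the batch. The validation step matters because the batch file is a command stream: Dan's own test fed 191637 lines to `ipfw` unchanged, which is fine for a list you trust, but a list fetched from the network should not be able to put `flush` or `add allow` in front of the firewall.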