Date:      Wed, 14 Jan 2009 18:01:45 +0100
From:      Pieter de Goeje <pieter@degoeje.nl>
To:        freebsd-questions@freebsd.org
Cc:        Artem Kuchin <matrix@itlegion.ru>
Subject:   Re: Blocking very many (tens of thousands) ip addresses in ipfw
Message-ID:  <200901141801.45996.pieter@degoeje.nl>
In-Reply-To: <496E117D.8030306@itlegion.ru>
References:  <496E117D.8030306@itlegion.ru>

On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> I need to block around 150000 ip addresses from accessing the server at all
> at any port.  The addresses are random, they are not nets.
> These are the spammers I want to block for 24 hours.
> The list is dynamically generated and regenerated every hour or so.
> What is the most efficient way to do it?
> At first I thought doing ipfw rules using 5 ips per rule, that would
> result in 30000 rules! This will be too slow!
> I need something really quick and smart. Like matching the first
> number from ip (195 from 192.1.2.3),
> if it does not match - skip, if it does - compare the next one
> and so on.

Quoting ipfw(8):
LOOKUP TABLES
     Lookup tables are useful to handle large sparse address sets, typically
     from a hundred to several thousands of entries.  There may be up to 128
     different lookup tables, numbered 0 to 127.

net.inet.ip.fw.dyn_buckets should probably also be increased to efficiently 
handle 150k IPs.

-- 
Pieter de Goeje
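As an added example, not part of Pieter's reply or of ipfw's own documentation, the following POSIX shell script shows the approach he points at: a plain list of addresses is turned into ipfw(8) lookup-table commands, and a single rule referencing the table blocks every member on every port. Everything is generated as a batch file that ipfw reads with `ipfw -q FILE`, so it runs offline without touching a live firewall. The table number (1), rule number (100) and the sample addresses are assumptions chosen for the example; the list itself is constructed from documentation prefixes, not a real blocklist.

```shell
#!/bin/sh
# Added example (not part of the thread): turn a plain list of addresses into
# ipfw(8) lookup-table commands, so ~150k spammers are blocked by ONE rule
# that references a table instead of tens of thousands of individual rules.
# Assumptions: table number 1 and rule number 100 are chosen for this example;
# adjust them to the local ruleset.

# Constructed sample input (documentation addresses, not a real blocklist).
SAMPLE_LIST='192.0.2.10
198.51.100.7
# comments, blank lines, duplicates and junk are dropped by normalize_list
203.0.113.99

203.0.113.99
not-an-address'

# Keep only syntactically valid IPv4 hosts (optionally with a /prefix),
# one per line, sorted and de-duplicated.  Reads stdin, writes stdout.
normalize_list() {
    grep -v '^[[:space:]]*#' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    sort -u
}

# Full (re)load of a table: flush it, then add every address.  The output is
# in the batch format ipfw reads from a file ("ipfw -q FILE"), one command
# per line without the leading "ipfw".
gen_table_load() {
    table="$1"
    echo "table $table flush"
    normalize_list | sed "s/^/table $table add /"
}

# The single rule that blocks all table members on every port and protocol.
# "deny ip" is stateless, so no dynamic-rule state is created per address.
gen_block_rule() {
    table="$1"; rule="$2"
    echo "add $rule deny ip from table($table) to any"
}

# Incremental update between two already-normalized list files: emit deletes
# for addresses that disappeared and adds for new ones.  Unlike flush+reload,
# the table is never empty, so there is no window where nothing is blocked.
gen_table_diff() {
    table="$1"; old="$2"; new="$3"
    comm -23 "$old" "$new" | sed "s/^/table $table delete /"
    comm -13 "$old" "$new" | sed "s/^/table $table add /"
}

# Stand-alone demo: print the batch that an hourly job would feed to ipfw.
demo() {
    printf '%s\n' "$SAMPLE_LIST" | gen_table_load 1
    gen_block_rule 1 100
}
demo
```

For the hourly regeneration the poster describes, install the `deny` rule once and let the cron job only refresh the table, preferably with `gen_table_diff` against the previous normalized list so the table is never flushed to empty in between. When typing the rule directly at a shell prompt rather than in a batch file, quote the table reference (`'table(1)'`) so the parentheses reach ipfw. Because the rule is stateless it creates no dynamic-rule entries; `net.inet.ip.fw.dyn_buckets` sizes the hash for `keep-state`/`check-state` rules, so it is only relevant if those are used on the same box.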