Date:      Wed, 14 Jan 2009 22:53:14 -0800
From:      George Davidovich <freebsd@optimis.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Blocking very many (tens of thousands) ip addresses in ipfw
Message-ID:  <20090115065314.GA88384@marvin.optimis.net>
In-Reply-To: <f151ba00901142030s6a5a5ccm9d03bd8d742920ca@mail.gmail.com>
References:  <496E117D.8030306@itlegion.ru> <200901141801.45996.pieter@degoeje.nl> <496E1D22.9070106@ibctech.ca> <f151ba00901142030s6a5a5ccm9d03bd8d742920ca@mail.gmail.com>

On Wed, Jan 14, 2009 at 08:30:53PM -0800, mojo fms wrote:
> On Wed, Jan 14, 2009 at 9:13 AM, Steve Bertrand <steve@ibctech.ca>
> wrote:
> > Pieter de Goeje wrote:
> > > On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> > > > I need to block around 150000 IP addresses from accessing the server
> > > > at all on any port.  The addresses are random, they are not nets.
> > > > These are the spammers I want to block for 24 hours.  The list is
> > > > dynamically generated and regenerated every hour or so.  What is
> > > > the most efficient way to do it?  At first I thought of doing ipfw
> > > > rules using 5 IPs per rule; that would result in 30000 rules! This
> > > > will be too slow!  I need something really quick and smart.
> > > > Like matching the first number from the IP (195 from 192.1.2.3), if it
> > > > does not match - skip, if it does - compare the next one and so
> > > > on.
> > > 
> > > Quoting ipfw(8):
> > > LOOKUP TABLES
> > >      Lookup tables are useful to handle large sparse address sets,
> > >      typically from a hundred to several thousands of entries.
> > >      There may be up to 128 different lookup tables, numbered 0 to
> > >      127.
> > > 
> > > net.inet.ip.fw.dyn_buckets should probably also be increased to
> > > efficiently handle 150k IPs.
> > 
> > Please correct me if I'm wrong, but if the OP is going to drop all
> > traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
> > into play, as there is no dynamic rule generated.
> 
> Is this kind of thing doable with PF, or is it really more of an ipfw thing?

# pfctl -sm
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

-- 
George
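As an added illustration (not code from this thread, FreeBSD, or any of the posters), the script below does what the original poster asked for with the lookup tables Pieter quoted: it validates the generated list, loads it into an ipfw table in one batch, and swaps the deny rule over to the freshly loaded table so the block list is never absent while it is regenerated. It also shows the pf equivalent, where a table replace is atomic on its own and the `table-entries` limit from George's `pfctl -sm` output can be raised in pf.conf if the list outgrows it. Every path, table number, rule number and table name in it is a hypothetical choice for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: keep a deny table
# of ~150k individual IPv4 addresses in ipfw, regenerated hourly, without any
# moment in which the old list has been flushed and the new one is not yet
# loaded. Assumptions (all hypothetical): the generated list lives at
# /var/db/spammers.txt, one address per line; ipfw tables 1 and 2 and rule
# numbers 101 and 102 are otherwise unused; the reload runs as root.

LIST=${LIST:-/var/db/spammers.txt}
RULE_BASE=100          # deny rule for table N is numbered RULE_BASE + N

# validate_ips: stdin -> stdout. Emit only well-formed dotted-quad IPv4
# addresses, deduplicated; drop blanks, comments, hostnames, CIDR, and
# octets with leading zeros (which inet_aton would read as octal). The list
# is machine-generated, so this is what keeps a bug upstream from feeding
# arbitrary ipfw syntax into the batch file below.
validate_ips() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        {
            if (split($0, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || o[i] + 0 > 255) next
            if (!seen[$0]++) print
        }'
}

# ipfw_table_cmds TABLE: stdin (raw list) -> stdout, an ipfw batch file:
# one "table N flush" followed by one "table N add A.B.C.D" per address.
# Feeding this to "ipfw -q FILE" loads the whole set in a single process
# instead of forking ipfw once per address.
ipfw_table_cmds() {
    echo "table $1 flush"
    validate_ips | awk -v t="$1" '{ print "table " t " add " $0 }'
}

# reload_blocklist: fill whichever of tables 1/2 is currently empty, install
# a deny rule that references it, then retire the rule and table that were
# live before. A table lookup is a radix-tree match, so the rule count stays
# at one no matter how many addresses are blocked.
reload_blocklist() {
    if [ "$(ipfw table 1 list | wc -l | tr -d ' ')" -eq 0 ]; then new=1; old=2
    else new=2; old=1; fi
    batch=$(mktemp) || return 1
    ipfw_table_cmds "$new" < "$LIST" > "$batch" || { rm -f "$batch"; return 1; }
    ipfw -q "$batch" || { rm -f "$batch"; return 1; }
    rm -f "$batch"
    # New rule first, old rule second: the block list is never absent.
    ipfw -q add $((RULE_BASE + new)) deny ip from "table($new)" to any || return 1
    ipfw -q delete $((RULE_BASE + old)) 2>/dev/null
    ipfw -q table "$old" flush
}

# pf_reload: the same job under pf, where "-T replace" swaps the table
# contents atomically. Needs in pf.conf (hypothetical names):
#   set limit table-entries 200000
#   table <spammers> persist file "/var/db/spammers.txt"
#   block in quick from <spammers> to any
pf_reload() {
    validate_ips < "$LIST" | pfctl -t spammers -T replace -f -
}

case "${1:-}" in
    ipfw) reload_blocklist ;;
    pf)   pf_reload ;;
esac
```

Run it from cron as `sh blocklist.sh ipfw` (or `pf`) after the list has been regenerated. Because the deny rule is a single rule matching against a table, none of this creates dynamic state, so the `dyn_buckets` sysctl discussed above is not involved; what does matter is that each hourly reload walks the full list once, which is why the batch file is built and applied in one `ipfw` invocation rather than one per address.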



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090115065314.GA88384>