From: George Davidovich <freebsd@optimis.net>
To: freebsd-questions@freebsd.org
Date: Wed, 14 Jan 2009 22:53:14 -0800
Subject: Re: Blocking very many (tens of thousands) ip addresses in ipfw
Message-ID: <20090115065314.GA88384@marvin.optimis.net>
References: <496E117D.8030306@itlegion.ru> <200901141801.45996.pieter@degoeje.nl> <496E1D22.9070106@ibctech.ca>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Wed, Jan 14, 2009 at 08:30:53PM -0800, mojo fms wrote:
> On Wed, Jan 14, 2009 at 9:13 AM, Steve Bertrand wrote:
> > Pieter de Goeje wrote:
> > > On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> > > > I need to block around 150000 ip addresses from accessing the server
> > > > at all at any port. The addresses are random, they are not nets.
> > > > These are the spammers I want to block for 24 hours. The list is
> > > > dynamically generated and regenerated every hour or so. What is
> > > > the most efficient way to do it? At first I thought doing ipfw
> > > > rules using 5 ips per rule, that would result in 30000 rules! This
> > > > will be too slow! I need something really quick and smart.
> > > > Like matching the first number from ip (195 from 192.1.2.3), if it
> > > > does not match - skip, if it does - compare the next one and so
> > > > on.
> > >
> > > Quoting ipfw(8):
> > >      LOOKUP TABLES
> > >           Lookup tables are useful to handle large sparse address sets,
> > >           typically from a hundred to several thousands of entries.
> > >           There may be up to 128 different lookup tables, numbered 0 to
> > >           127.
> > >
> > > net.inet.ip.fw.dyn_buckets should probably also be increased to
> > > efficiently handle 150k IPs.
> >
> > Please correct me if I'm wrong, but if the OP is going to drop all
> > traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
> > into play, as there is no dynamic rule generated.
>
> Is this kind of thing doable with PF or really an ipfw thing more?

# pfctl -sm
states        hard limit  10000
src-nodes     hard limit  10000
frags         hard limit   5000
tables        hard limit   1000
table-entries hard limit 200000

-- 
George
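The thread's answer to the original question is an ipfw lookup table (or a pf table) instead of tens of thousands of individual rules. The script below is an added example, not code from anyone in the thread: it takes a blocklist of one IPv4 address per line, drops malformed lines and duplicates (an hourly regenerated list will contain some), and turns it into an ipfw command file that flushes and refills one table, plus a single deny rule that references the table. The table number (1), the rule number (100) and the sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example: build an ipfw table load from a blocklist.
# Not from the mailing-list thread; table/rule numbers are assumptions.

# Constructed sample blocklist (a real one would be ~150k lines).
# It deliberately contains a non-address, an out-of-range octet and a duplicate.
SAMPLE_LIST='192.0.2.10
198.51.100.23
not-an-address
203.0.113.77
10.0.0.999
198.51.100.23'

# Keep only dotted-quad IPv4 with every octet 0-255, and drop duplicates.
# Reads stdin, writes cleaned addresses to stdout.
normalize_list() {
    awk -F. 'NF == 4 &&
             $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
             $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
             !seen[$0]++'
}

# Emit an ipfw command file for table $1: one flush, then one add per host.
# Apply it on a FreeBSD box with:  ipfw -q /path/to/file
ipfw_table_cmds() {
    table="$1"
    echo "table $table flush"
    normalize_list | sed "s/^/table $table add /"
}

# The single rule that consults the table; one rule covers all entries,
# which is the point of tables versus 30000 individual rules.
ipfw_deny_rule() {
    echo "add 100 deny ip from table($1) to any"
}

# Same cleaned list is also the right input for a pf table:
#   pfctl -t spammers -T replace -f /path/to/file
# with "set limit table-entries 200000" in pf.conf if the default shown by
# "pfctl -sm" is too small for the list.
pf_table_file() {
    normalize_list
}

# Number of usable entries after cleaning (useful to compare against the
# table-entries limit before loading).
count_valid() {
    normalize_list | wc -l | tr -d ' '
}

# Stand-alone run: show what would be loaded from the sample list.
printf '%s\n' "$SAMPLE_LIST" | ipfw_table_cmds 1
ipfw_deny_rule 1
printf '%s\n' "$SAMPLE_LIST" | count_valid
```

Nothing here touches the firewall; it only produces the command file. One caveat for hourly regeneration: between `table 1 flush` and the last `table 1 add`, the flushed hosts are not matched, so rebuild into a second table and switch the deny rule to it, or use pf's `-T replace`, which only applies the difference, if that window matters.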