From owner-freebsd-questions@FreeBSD.ORG Sun Aug 26 04:43:49 2007
From: "Aminuddin" <amin.scg@gmail.com>
Reply-To: amin.scg@gmail.com
To: "'Dan Nelson'" <dnelson@allantgroup.com>
Cc: freebsd-questions@freebsd.org
Date: Sun, 26 Aug 2007 12:43:38 +0800
Subject: RE: How to block 200K ip addresses?
In-Reply-To: <20070826013636.GC25055@dan.emsphone.com>
Message-ID: <46d10500.1ebc720a.304c.1e2f@mx.google.com>

My complete list has about 300K lines. It takes a few hours just to load the rules. Will it be faster to load using the table?

-----Original Message-----
From: Dan Nelson [mailto:dnelson@allantgroup.com]
Sent: Sunday, August 26, 2007 9:37 AM
To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson
> > In the last episode (Aug 26), Aminuddin said:
> > > How do you block this large range of ip addresses from different
> > > subnets? IPFW only allows 65536 rules while this will probably use
> > > up a few hundred thousand lines.
> > >
> > > I'm also trying to add this into my proxy configuration file, ss5.conf, but
> > > it doesn't allow me to add this large number.
> > >
> > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> >
> > Even though there are 65536 rule numbers, each number can actually have
> > any number of rules assigned to it. What you're probably looking for,
> > though, is ipfw's table keyword, which uses the same radix tree lookup
> > format as the kernel's routing tables, so it scales well to large
> > amounts of sparse addresses. man ipfw, search for "lookup tables".
>
> I intend to create a ruleset file consisting of this statement:
>
> Ruleset------------------------
>
> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> add 2400 skipto 2401 ip from any to 0.0.0.0/6
> add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> add 2400 skipto 2402 ip from any to 4.0.0.0/6
> [...]
> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> add 2400 skipto 2463 ip from any to 248.0.0.0/6
> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>
> add 2301 deny ip from 3.0.0.0/8 to any
> add 2401 reject ip from any to 3.0.0.0/8
> add 2302 deny ip from 4.0.25.146/31 to any
> add 2402 reject ip from any to 4.0.25.146/31
> [...]
> add 2302 deny ip from 4.18.37.16/28 to any
> add 2402 reject ip from any to 4.18.37.16/28
> add 2302 deny ip from 4.18.37.128/25 to any
> add 2402 reject ip from any to 4.18.37.128/25
> ------------------------------------end ruleset
>
> Will the above rules block me from ssh into my remote server if the
> ip address of my local pc (dynamic ip) is not within any of the above
> rules' ip ranges, as well as block my snmpd service?

Yes; it's a little convoluted but should work. You want to drop incoming
packets from the listed IP ranges, and return a "host unreachable" to
internal machines sending outgoing packets to the listed IP ranges?
Wouldn't it be easier to use ipfw's table feature and have something like
this:

table 1 add 3.0.0.0/8
table 1 add 4.0.25.146/31
table 1 add 4.0.25.148/32
[...]
table 1 add 4.18.37.16/28
table 1 add 4.18.37.128/25
add 2300 deny ip from table(1) to any
add 2400 reject ip from any to table(1)

That way you only have two ipfw rules, both of which use a single table
lookup.

-- 
	Dan Nelson
	dnelson@allantgroup.com
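The two-rule table approach Dan describes, carried through as an added example for this thread (my own script, not code from either poster). It turns a plain list of prefixes into a ruleset file for `ipfw -q -f FILE` that flushes and fills table 1 and then adds the `deny`/`reject` pair, and it includes the pre-flight check Aminuddin is asking about: whether a given address (your own ssh source, say) falls inside any listed prefix. The table number, the rule numbers 2300/2400 and the embedded sample list are assumptions; the sample list is constructed and deliberately contains comments, a duplicate, a bare host and two malformed entries.

```shell
#!/bin/sh
# Added example, not code from the thread: build an ipfw ruleset file that
# loads a large blocklist into one lookup table and check an address against
# the list before loading it. Table number, rule numbers and the sample list
# are assumptions made for this example.

TABLE=1
RULE_IN=2300    # drop packets arriving from listed prefixes
RULE_OUT=2400   # answer outgoing packets to listed prefixes with ICMP unreachable

# Constructed sample blocklist: comments, a blank line, a duplicate, a bare
# host address and two malformed entries, so the filtering is exercised.
SAMPLE_LIST='# constructed sample blocklist
3.0.0.0/8
4.0.25.146/31
4.0.25.148/32

4.18.37.16/28
4.18.37.128/25
4.18.37.16/28
203.0.113.7
not.an.address/99
10.0.0.0/33
'

# Read one prefix per line from stdin, print canonical "a.b.c.d/n" lines,
# skip comments and blank lines, report anything malformed on stderr and
# collapse duplicates. A bare address is treated as a /32.
normalize_cidrs() {
    awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
        ok = 1
        n = split($1, part, "/")
        addr = part[1]
        plen = (n == 2) ? part[2] : 32
        if (n > 2 || plen !~ /^[0-9]+$/ || plen + 0 > 32) ok = 0
        if (split(addr, oct, ".") != 4) ok = 0
        for (i = 1; i <= 4 && ok; i++)
            if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) ok = 0
        if (ok) print addr "/" plen
        else print "skipping malformed entry: " $0 > "/dev/stderr"
    }' | sort -u
}

# Emit a ruleset for "ipfw -q -f FILE": reset the table, fill it, then the two
# rules that consult it. Loading everything from one file means a single ipfw
# process instead of one fork+exec per entry.
build_ruleset() {
    echo "table $TABLE flush"
    normalize_cidrs | sed "s/^/table $TABLE add /"
    echo "add $RULE_IN deny ip from table($TABLE) to any"
    echo "add $RULE_OUT reject ip from any to table($TABLE)"
}

# Pre-flight check: does ADDR fall inside any prefix of the list on stdin?
# Run it against your own management address before loading, so the deny
# rule cannot cut off your ssh session. Exit 0 = covered (would be blocked).
covered_by_list() {
    normalize_cidrs 2>/dev/null | awk -v ip="$1" '
    function to_int(a,    q) {
        split(a, q, ".")
        return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4]
    }
    BEGIN { target = to_int(ip); hit = 0 }
    {
        split($1, p, "/")
        net = to_int(p[1])
        size = 2 ^ (32 - p[2])          # addresses in the block
        base = net - (net % size)       # clear the host bits
        if (target >= base && target < base + size) { hit = 1; exit }
    }
    END { exit (hit ? 0 : 1) }'
}

# Usage: write the ruleset to a file, then load it with "ipfw -q -f FILE".
printf '%s' "$SAMPLE_LIST" | build_ruleset
if printf '%s' "$SAMPLE_LIST" | covered_by_list 203.0.113.7; then
    echo "warning: 203.0.113.7 is on the blocklist" >&2
fi
```

Two points worth noting. In rule bodies ipfw expects the parenthesised form `table(1)`, while the entries themselves are loaded with `table 1 add PREFIX`; the ruleset above uses both. And if a 300K-line list is currently being loaded as 300K separate `ipfw add` invocations, most of the hours go to forking a process and opening a raw socket per line; a single `ipfw -q -f FILE` run over a file like the one this script produces does it in one process, and the two table rules replace the whole skipto chain.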