Any plans or desire for "bulk addition" to tables?
David Wolfskill
david at catwhisker.org
Mon Oct 27 16:56:08 UTC 2008
On my systems that are directly connected to network not known to be
relatively "safe," I use ipfw a fair bit.
Of late, I've taken to augmenting the usual rules that are sensitive to
specific ports and the like with (early) rules that check certain ipfw
tables; they are used in the following way:
* Traffic where an endpoint is found in table 1 is blocked. Period.
* Traffic where the source address is in table 2 is not permitted to
initiate a 22/tcp connection.
* Traffic where the source address is in table 3 is not permitted to
initiate a 80/tcp or a 443/tcp connection.
Reasons for the above are somewhat off-topic for the list; I'll merely
comment that they have to do with perceived failure to respond to
observed attempts at abuse: I will protect my networks.
In any case, I've cobbled up a moderately complex mechanism for
maintaining the tables in question, and table 1 (in particular) has
grown to be rather large:
d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
Password:
11230
d254(8.0-C)[2] ^1^2
sudo ipfw table 2 list | wc -l
1743
d254(8.0-C)[3] ^2^3
sudo ipfw table 3 list | wc -l
50
d254(8.0-C)[4]
Unfortunately, the only way I've found to populate a given table is to
issue
ipfw table ${table} add ${netblock}
for each "netblock" in the table (assuming that I don't care about the
optional "value" parameter -- which I haven't found a use for).
Issuing something on the order of 13K "ipfw table ... add" commands
during the single- to multu-user transition tends to slow down the
effective boot time a bit -- especially when I'm booting up CURRENT on
my laptop (with WITNESS & INVARIANTS specified).
Would some way to teach ipfw(8) how to perform some sort of "bulk add"
of a bunch of table entries in a single command invocation be of
interest to anyone else?
Please include my address on responses, as I'm not subscribed to -ipfw at .
(I've tweaked Reply-To to provide an MUA hint.)
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20081027/4041e6ac/attachment.pgp
More information about the freebsd-ipfw
mailing list