Any plans or desire for "bulk addition" to tables?

David Wolfskill david at catwhisker.org
Mon Oct 27 16:56:08 UTC 2008


On my systems that are directly connected to a network not known to be
relatively "safe," I use ipfw a fair bit.

Of late, I've taken to augmenting the usual rules that are sensitive to
specific ports and the like with (early) rules that check certain ipfw
tables; they are used in the following way:

* Traffic where an endpoint is found in table 1 is blocked.  Period.

* Traffic where the source address is in table 2 is not permitted to
  initiate a 22/tcp connection.

* Traffic where the source address is in table 3 is not permitted to
  initiate a 80/tcp or a 443/tcp connection.

Reasons for the above are somewhat off-topic for the list; I'll merely
comment that they have to do with perceived failure to respond to
observed attempts at abuse: I will protect my networks.

In any case, I've cobbled up a moderately complex mechanism for
maintaining the tables in question, and table 1 (in particular) has
grown to be rather large:

d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
Password:
   11230
d254(8.0-C)[2] ^1^2
sudo ipfw table 2 list | wc -l
    1743
d254(8.0-C)[3] ^2^3
sudo ipfw table 3 list | wc -l
      50
d254(8.0-C)[4] 

Unfortunately, the only way I've found to populate a given table is to
issue

	ipfw table ${table} add ${netblock}

for each "netblock" in the table (assuming that I don't care about the
optional "value" parameter -- which I haven't found a use for).

Issuing something on the order of 13K "ipfw table ... add" commands
during the single- to multi-user transition tends to slow down the
effective boot time a bit -- especially when I'm booting up CURRENT on
my laptop (with WITNESS & INVARIANTS specified).

Would some way to teach ipfw(8) how to perform some sort of "bulk add"
of a bunch of table entries in a single command invocation be of
interest to anyone else?

Please include my address on responses, as I'm not subscribed to -ipfw at .
(I've tweaked Reply-To to provide an MUA hint.)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
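As an added example, not the poster's own mechanism nor part of ipfw, the script below generates the table loads and the three table-driven rules described in the post as one command file that ipfw(8) reads in a single invocation (`ipfw -q FILE`, the pathname form documented in ipfw(8)), so the per-entry fork/exec of a separate `ipfw table N add` process is avoided. The table numbers follow the post; the rule numbers, the netblock list (RFC 5737 documentation prefixes) and the malformed entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a single ipfw(8) command file for table-driven rules.
# Table numbers (1, 2, 3) follow the post; rule numbers 100-120 are assumptions.
# The netblock list below is constructed from RFC 5737 documentation prefixes.

# Constructed blocklist for table 1: one netblock per line, '#' starts a comment.
# The last line is deliberately malformed to show that it is reported and skipped.
TABLE1_SRC='# hosts and nets blocked outright
192.0.2.0/24
198.51.100.17
# another comment
203.0.113.0/25
not-a-netblock
'

# emit_table_adds TABLE NETBLOCKS
# Prints "table TABLE add NETBLOCK" for every non-blank, non-comment line.
# Entries that are not a dotted-quad address or CIDR prefix go to stderr instead,
# so a bad line in the source list never reaches the firewall.
emit_table_adds() {
    table=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if printf '%s' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'table %s add %s\n' "$table" "$line"
        else
            printf 'skipping malformed entry for table %s: %s\n' "$table" "$line" >&2
        fi
    done
}

# emit_rules: the three early rules from the post, in the syntax ipfw(8)
# accepts from a command file (no leading "ipfw", no shell quoting needed for
# the parentheses). "setup" restricts the rule to connection attempts.
emit_rules() {
    cat <<'EOF'
add 100 deny ip from table(1) to any
add 101 deny ip from any to table(1)
add 110 deny tcp from table(2) to any 22 setup
add 120 deny tcp from table(3) to any 80,443 setup
EOF
}

# build_command_file: rules first, then the table loads, one command per line.
build_command_file() {
    emit_rules
    emit_table_adds 1 "$TABLE1_SRC"
}

# The live load only happens when explicitly requested ("sh thisfile load");
# generating the file has no side effects, which keeps the script testable.
if [ "${1:-}" = load ]; then
    tmp=$(mktemp) || exit 1
    build_command_file > "$tmp"
    ipfw -q "$tmp"    # one ipfw process reads every line of the file
    rm -f "$tmp"
fi
```

Order matters in the generated file: the rules reference table numbers, not their contents, so they can be installed before the table is filled, but nothing in table 1 is blocked until its `table 1 add` lines have been processed; a watcher for boot-time gaps should look at that window rather than at the rule installation.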