securing SSH, FBSD systems
Alex Zbyslaw
xfb52 at dial.pipex.com
Tue May 24 02:11:42 PDT 2005
Francisco Reyes wrote:
> I found it got too messy to read firewall rules when I had blackholing
> there too. Also the feedback I got was that firewall rule was a flat
> list, while the route system used some type of tree.
This is true if you use one rule per blocked address, but not true, I
believe if you use ipfw (version 2) tables (see man ipfw). I believe pf
also has a similar feature. Large lists of IP addresses is what they
were designed for :-)
From man ipfw
LOOKUP TABLES
Lookup tables are useful to handle large sparse address sets, typically
from a hundred to several thousands of entries. There could be 128
different lookup tables, numbered 0 to 127.
--Alex
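As an added example (not code from the original thread, and not FreeBSD's own scripts), here is a POSIX sh script showing the pattern Alex describes: the blocked addresses go into one ipfw lookup table and a single deny rule references that table, so the ruleset stays short no matter how long the list grows. The table number (1), the rule number (100) and the addresses are assumptions; the blocklist is a constructed sample. The functions print the ipfw commands rather than running them, so the script can be reviewed anywhere and piped to sh as root on the FreeBSD box when ready.

```shell
#!/bin/sh
# Table-based ipfw(8) blocklist: generate the commands, do not run them.
# Constructed example; table number, rule number and addresses are assumed.

TABLE=1          # lookup table number; ipfw2 has tables 0-127 (assumed choice)
DENY_RULE=100    # rule number for the single deny rule (assumed choice)

# Constructed sample blocklist, one address or CIDR prefix per line.
# Documentation ranges (RFC 5737) are used so nothing real is blocked.
BLOCKLIST='192.0.2.0/24
198.51.100.7
203.0.113.0/25'

# Emit the commands that (re)load the table: flush it, then add every entry.
# A prefix such as 192.0.2.0/24 is one table entry, not 256 rules.
table_load_cmds() {
    printf 'ipfw table %s flush\n' "$TABLE"
    printf '%s\n' "$BLOCKLIST" | while read -r addr; do
        [ -n "$addr" ] || continue
        printf 'ipfw table %s add %s\n' "$TABLE" "$addr"
    done
}

# Emit the one rule that consults the table. Because the rule body never
# changes, later blocklist updates are table operations only and the
# ruleset does not need to be reloaded. table(N) is quoted so that the
# parentheses survive if the output is piped to sh.
deny_rule_cmd() {
    printf "ipfw add %s deny ip from 'table(%s)' to any\n" "$DENY_RULE" "$TABLE"
}

# Number of entries that will be loaded, for a sanity check before applying.
entry_count() {
    printf '%s\n' "$BLOCKLIST" | grep -c .
}

# Stand-alone usage: review the generated commands, then as root on the
# firewall host run:  sh thisscript.sh | sh
echo "# $(entry_count) entries for table $TABLE"
table_load_cmds
deny_rule_cmd
```

Put the deny rule ahead of any allow rules so blocked sources never reach them, and check the loaded entries afterwards with `ipfw table 1 list`. pf's tables (`table <name> persist` in pf.conf, managed with `pfctl -t name -T add|delete|show`) fill the same role on pf-based systems.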
More information about the freebsd-questions mailing list