securing SSH, FBSD systems

Alex Zbyslaw xfb52 at dial.pipex.com
Tue May 24 02:11:42 PDT 2005


Francisco Reyes wrote:

> I found it got too messy to read firewall rules when I had blackholing 
> there too. Also the feedback I got was that firewall rule was a flat 
> list, while the route system used some type of tree.

This is true if you use one rule per blocked address, but not true, I 
believe, if you use ipfw (version 2) tables (see man ipfw).  I believe pf 
also has a similar feature.  Large lists of IP addresses are what they 
were designed for :-)

 From man ipfw

LOOKUP TABLES
     Lookup tables are useful to handle large sparse address sets, typically
     from a hundred to several thousands of entries.  There could be 128
     different lookup tables, numbered 0 to 127.


--Alex
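As an added illustration (not part of Alex's message) of the table approach he describes, here is a POSIX shell script that turns a blocklist into ipfw table entries plus the single deny rule that consults the table, so a few thousand addresses cost one firewall rule instead of one rule each. The table number, rule number and the sample address list are assumptions constructed for the example.

```shell
#!/bin/sh
# Generate ipfw(8) lookup-table commands for a blocklist instead of one
# firewall rule per blocked host. Tables are numbered 0 to 127 (man ipfw).
TABLE=1          # lookup table number (assumption for this example)
RULE_NUM=100     # rule number for the single deny rule (assumption)

# Emit "ipfw table N add addr[/masklen]" for each IPv4 address or CIDR
# block read on stdin. Blank lines and "#" comments are skipped; anything
# that does not look like an address is reported on stderr and dropped.
# The regex is a shape check only, it does not verify octet ranges.
emit_table_entries() {
    while IFS= read -r line; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'ipfw table %s add %s\n' "$TABLE" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# Emit the full command list: empty the table, refill it, then add one
# deny rule whose source address is matched against the table.
emit_blocklist_rules() {
    printf 'ipfw table %s flush\n' "$TABLE"
    emit_table_entries
    printf 'ipfw add %s deny ip from table(%s) to any\n' "$RULE_NUM" "$TABLE"
}

# Constructed sample blocklist using documentation-range addresses.
SAMPLE_BLOCKLIST='# sample blocklist
192.0.2.10
198.51.100.0/24   # an entire block
203.0.113.77
not-an-address'

# Number of ipfw commands produced for the sample list (warnings excluded).
count_rules() {
    printf '%s\n' "$SAMPLE_BLOCKLIST" | emit_blocklist_rules 2>/dev/null | wc -l | tr -d ' '
}
```

Feed a real list on stdin, review the printed commands, and only then run them as root on the FreeBSD host; regenerating the table does not touch the rest of the rule set.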
