ipfw rules vs routes to localhost?

Julian Elischer julian at elischer.org
Wed May 28 15:12:27 PDT 2003
On Wed, 28 May 2003, Barney Wolff wrote:

> On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
> > First off, blocking it in ipfw rules is obviously more efficient if
> > you are running ipfw(8) already.
> 
> Can ipfw really handle "tens of thousands" of rules efficiently?
> I'd hate to implement a trie with ipfw skipto rules, but that's the
> only way ipfw could block that many individual IPs efficiently.
I once wrote a script to generate a skipto tree.
Any packet hit at most 33 rules..
:-)
problem was running out of ipfw line numbers.. :-)
> 
> But there's a more fundamental problem:  The two choices above do
> different things.  The ipfw rule drops inbound packets, while the
> route drops outbound packets.  If the threat is connections from outside,
> the route solution converts each of these into a DoS attempt.  If the
> threat is internal users connecting to banned sites, the ipfw rule
> should be written as "from any to a.b.c.d."  In the latter case the
> route solution looks good.
> 
> If I had to do this inbound, I'd look at netgraph as a way to put
> custom code in the kernel that looks up the source IP addr in a
> hash table.

I've done that too :-)

> 
> But the hard part will be updating the table of banned IPs and informing
> the kernel.  How often must the table change?
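The skipto tree Julian mentions, as an added example (not from the thread and not his script): it builds a binary trie of ipfw rules from a banned-address list and walks it the way ipfw would, so you can see how many rules a packet actually touches. The `add N skipto M ip from <prefix> to any` syntax, the numbering from 1000, and the sample address list are all assumptions/constructed.

```python
import ipaddress

def build_rules(banned, first=1000):
    """Binary-trie ipfw ruleset for banned IPv4 addresses, as (number, action,
    skipto_target, source_network) tuples numbered consecutively from `first`."""
    rules = []

    def emit(action, target, net):
        rules.append((first + len(rules), action, target, net))
    def gen(prefix, plen, ips):                # ips: banned addresses under prefix/plen
        if plen == 32:                         # leaf: exactly one banned address
            emit("deny", None, ipaddress.IPv4Network((prefix, 32)))
            return
        bit = 1 << (31 - plen)
        zeros = [a for a in ips if not a & bit]
        ones = [a for a in ips if a & bit]
        if not zeros or not ones:              # single child: no test, just descend
            gen(prefix | (bit if ones else 0), plen + 1, ips)
            return
        slot = len(rules)                      # reserve the branch rule: its target
        rules.append(None)                     # is known only after the 0-subtree
        gen(prefix, plen + 1, zeros)
        emit("skipto", None, ipaddress.IPv4Network("0.0.0.0/0"))  # missed 0-subtree: exit
        rules[slot] = (first + slot, "skipto", first + len(rules),
                       ipaddress.IPv4Network((prefix | bit, plen + 1)))
        gen(prefix | bit, plen + 1, ones)

    if banned:
        gen(0, 0, sorted({int(ipaddress.IPv4Address(a)) for a in banned}))
    end = first + len(rules)                   # a skipto with no target leaves the block
    return [(n, a, end if a == "skipto" and t is None else t, net) for n, a, t, net in rules]

def to_ipfw(rules):
    """Render as `ipfw add` lines (assumed syntax, see the lead-in)."""
    return [f"add {n} {a}{'' if t is None else ' ' + str(t)} ip from "
            f"{'any' if net.prefixlen == 0 else net} to any" for n, a, t, net in rules]

def evaluate(rules, ip):
    """Walk the block the way ipfw would; return (verdict, rules examined)."""
    addr, i, seen = ipaddress.IPv4Address(ip), 0, 0
    while i < len(rules):
        _, action, target, net = rules[i]
        seen += 1
        if addr not in net:
            i += 1
        elif action == "deny":
            return "deny", seen
        else:
            i = target - rules[0][0]           # consecutive numbering: number -> index
    return "pass", seen
```

Each branch level costs one rule, a leaf one more and a miss one exit skipto, so no packet examines more than 34 rules; the price is roughly three rule numbers per banned address, which is exactly where the 65535-number limit bites with tens of thousands of entries.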
