Deny large number of IPs via ipfw (fwd)

John L johnl at iecc.com
Sun Jun 11 16:01:04 UTC 2006


>Using such a list of IP addresses from a major RBL is flawed at the
>core of the idea.  Over 85% of those 3 million IP addresses are spoofed
>in the first place.  Most are what would be called false positives.

Actually there are almost no false positives in the CBL.  The three
million addresses on the CBL really are all IP addresses that have
recently sent spam.  (I know the people who run it and I know how they
get the addresses.)

But I agree that it is a poor idea to try to use it in your router, if
for no other reason than that the CBL is updated every few minutes,
and by the time you stuffed it into your ip tables, it'd be out of date.

The CBL works great for mail servers to refuse mail that has a 99.9+%
chance of being spam.  Use it that way.

If you want to use it to block access to your ssh server, run it from 
inetd and put a shim in between to check the CBL.  Unless you get a dozen 
legit SSH logins a minute, that's vastly faster than trying to rsync a 
rapidly changing three million record file.

R's,
John
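The inetd shim described above, written out as an added example (not code from the original message or from the CBL project). It assumes Python 3.7+, sshd at /usr/sbin/sshd with inetd mode (-i), a DNSBL zone name of cbl.abuseat.org (the CBL's zone at the time of this post; substitute the list you actually use), and the usual DNSBL convention that a listed address resolves to 127.0.0.x:

```python
"""Hypothetical inetd shim: consult a DNSBL before handing a connection to sshd."""
import ipaddress
import os
import socket
import sys

DNSBL_ZONE = "cbl.abuseat.org"  # assumed zone name: use the list you subscribe to
SSHD = "/usr/sbin/sshd"         # assumed path of the real daemon
# Never sent to the list: they cannot be on it and the query would only leak them.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: the IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the CBL lists IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname, zone=DNSBL_ZONE):
    """True when the list answers 127.0.0.x for the address. A failed lookup
    (NXDOMAIN, timeout) fails open: a DNS outage must not lock every admin out."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in LOCAL_NETS):
        return False
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:              # socket.gaierror is a subclass: no such name
        return False
    return answer.startswith("127.0.0.")

def table_resolver(listed):
    """Constructed offline stand-in for DNS: 127.0.0.2 for names in `listed`."""
    def resolve(name):
        if name in listed:
            return "127.0.0.2"
        raise socket.gaierror(socket.EAI_NONAME, "Name does not resolve")
    return resolve

def main():
    # Under inetd, fd 0 is the accepted TCP connection; read the peer address off it.
    conn = socket.socket(fileno=0)
    client_ip = conn.getpeername()[0]
    conn.detach()                    # keep the fd open for sshd
    if is_listed(client_ip):
        sys.exit(0)                  # listed: drop the connection, never start sshd
    os.execv(SSHD, ["sshd", "-i"])   # -i: sshd speaks the protocol on stdin/stdout

if __name__ == "__main__":
    main()
```

Each connection costs one DNS query against the list's current data, which is what makes this faster than mirroring the whole list into a firewall table; keep a local caching resolver in front of it.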
