How to block 200K ip addresses?

Kevin Downey redchin at gmail.com
Sat Aug 25 23:06:03 PDT 2007


On 8/25/07, Aminuddin <amin.scg at gmail.com> wrote:
> My complete list has about 300K of lines.
> It takes about a few hours just to load the rules.
> Will it be faster to load using the table?
>
>
> -----Original Message-----
> From: Dan Nelson [mailto:dnelson at allantgroup.com]
> Sent: Sunday, August 26, 2007 9:37 AM
> To: Aminuddin
> Cc: freebsd-questions at freebsd.org
> Subject: Re: How to block 200K ip addresses?
>
> In the last episode (Aug 26), Aminuddin said:
> > From: Dan Nelson
> > > In the last episode (Aug 26), Aminuddin said:
> > > > How do you block this large range of ip addresses from different
> > > > subnet? IPFW only allows 65536 rules while this will probably use
> > > > up a few hundred thousands of lines.
> > > >
> > > > I'm also trying to add this into my proxy configuration file, ss5.conf but
> > > > it doesn't allow me to add this large number.
> > > >
> > > > IS this the limitation of IPF or FreeBSD? How do I work around this?
> > >
> > > Even though there are 65536 rule numbers, each number can actually have
> > > any amount of rules assigned to it.  What you're probably looking for,
> > > though, is ipfw's table keyword, which uses the same radix tree lookup
> > > format as the kernel's routing tables, so it scales well to large
> > > amounts of sparse addresses.  man ipfw, search for "lookup tables".
> >
> > I intend to create a ruleset file consisting of this statement:
> >
> > Ruleset------------------------
> >
> > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> [...]
> > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> >
> > add 2301 deny ip from 3.0.0.0/8 to any
> > add 2401 reject ip from any to 3.0.0.0/8
> > add 2302 deny ip from 4.0.25.146/31 to any
> > add 2402 reject ip from any to 4.0.25.146/31
> [...]
> > add 2302 deny ip from 4.18.37.16/28 to any
> > add 2402 reject ip from any to 4.18.37.16/28
> > add 2302 deny ip from 4.18.37.128/25 to any
> > add 2402 reject ip from any to 4.18.37.128/25
> > ------------------------------------end ruleset
> >
> > Will the above rules block me from ssh into my remote server if the
> > ip addresses of my local pc (dynamic ip) not within any of the above
> > rules ip range as well as block my snmpd services?
>
> Yes; it's a little convoluted but should work.  You want to drop
> incoming packets from the listed IP ranges, and return a "host
> unreachable" to internal machines sending outgoing packets to the
> listed IP ranges?  Wouldn't it be easier to use ipfw's table feature
> and have something like this:
>
> add table 1 3.0.0.0/8
> add table 1 4.0.25.146/31
> add table 1 4.0.25.148/32
> [...]
> add table 1 4.18.37.16/28
> add table 1 4.18.37.128/25
> add 2300 deny ip from table 1 to any
> add 2400 reject ip from any to table 1
>
> That way you only have two ipfw rules, both of which use a single table
> lookup.
>
> --
>         Dan Nelson
>         dnelson at allantgroup.com
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>

I would use the pf firewall, it has an option to fill tables from a file like:

table <evil> persist file "/root/evil.txt"

kpd at zifnab /root% wc -l evil.txt
  178438 evil.txt

so it's not 300k lines but it takes seconds to load.

-- 
I am the kwisatz haderach
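An added example, not part of any message in this thread: a small Python script that prepares a blocklist of the size discussed here before it is handed to either firewall. It drops malformed lines, collapses overlapping and adjacent prefixes so the table stays as small as the radix lookup needs (the thread's own sample has a /28 and a /25 that a /24 would cover), checks that a management address such as the SSH client's is not swallowed by the list, and writes either `table <n> add <prefix>` lines for an ipfw rules file (the form ipfw(8) reads when given a file) or the one-prefix-per-line file that pf's `table ... file` directive reads. The sample entries, table number and host addresses are constructed for the example, not taken from the thread.

```python
"""Prepare a large CIDR blocklist for an ipfw or pf table.

Added example, not code from the mailing-list thread. The blocklist,
table number and management hosts below are constructed sample data.
"""
import ipaddress

# Constructed sample list; the real file in the thread has ~178K-300K lines.
SAMPLE_BLOCKLIST = """\
3.0.0.0/8
4.0.25.146/31
4.0.25.148/32
4.18.37.16/28
4.18.37.128/25
4.18.37.0/24
# comment line
not-an-address
"""

# Constructed: addresses that must never end up inside the table
# (the admin's SSH source, a monitoring host that polls snmpd, ...).
MANAGEMENT_HOSTS = ["4.18.37.200", "192.0.2.10"]


def parse_entries(text):
    """Return (networks, bad_lines).

    Bare addresses are accepted as /32 (or /128); '#' starts a comment.
    Malformed lines are reported instead of silently dropped, because a
    single bad line aborts an `ipfw` or `pfctl` load of the whole file.
    """
    nets, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return nets, bad


def collapse(nets):
    """Merge overlapping and adjacent prefixes, per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses() refuses mixed families, so merge each separately.
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


def covered_hosts(nets, hosts):
    """Return (host, prefix) for every management host the list would block."""
    hits = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        for n in nets:
            if addr.version == n.version and addr in n:
                hits.append((h, str(n)))
                break
    return hits


def ipfw_table_commands(nets, table=1):
    """Lines for an ipfw rules file: `table <n> add <prefix>`."""
    return [f"table {table} add {n}" for n in nets]


def pf_table_file(nets):
    """Contents for the file named in pf's `table <name> persist file ...`."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    networks, bad_lines = parse_entries(SAMPLE_BLOCKLIST)
    for lineno, raw in bad_lines:
        print(f"skipping line {lineno}: {raw!r}")
    merged = collapse(networks)
    print(f"{len(networks)} entries collapsed to {len(merged)} prefixes")
    for host, prefix in covered_hosts(merged, MANAGEMENT_HOSTS):
        print(f"WARNING: management host {host} is inside blocked {prefix}")
    print("\n".join(ipfw_table_commands(merged, table=1)))
```

The collapse step is what makes the two-rule ipfw layout from earlier in the thread cheap to maintain: fewer table entries means a faster load and a smaller kernel radix tree, and the warning on a covered management host answers the "will this lock me out of ssh" question before the rules are installed rather than after.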
