Optimizing ipfw?

Karl Denninger karl at denninger.net
Sat Nov 23 21:21:32 UTC 2019

On 11/23/2019 15:04, Tim Daneliuk wrote:
> On 11/23/19 11:46 AM, Michael Sierchio wrote:
>> Don't use specific rules per CIDR block, use tables.  You can efficiently
>> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
>> table, or multiple tables.  You can assign the argument based on country
>> code or some such. You can add and delete CIDR blocks, and even swap tables
>> so you can do it atomically.
> Aha!  Thanks.  So, I added this to my firewall startup code:
>   ###
>   # Block Naughty IP Addresses/Spaces
>   ###
>   # Use ipfw tables for efficiency
>   while read -r addr
>   do
>     ${FWCMD} table 10 add "${addr}"
>   done < "${NAUGHTYFILE}"
>   ${FWCMD} add deny all from table\(10\) to any via ${OIF}
> ipfw show does show the new table being referenced, and the table shows the IPs and CIDR blocks
> I want stopped, but I have no affirmative proof this is working yet.
> It does, however, no longer clobber network performance as you noted.  So ... thanks again!
> P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?

You can add the word "log" to that deny command (add deny log all ....)
which will log everything that matches that line in the ipfw rule set.

Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
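The following is an added example, not code from this thread or from the FreeBSD project. It puts the pieces of the exchange together: the list is loaded into a scratch table and then swapped into the live table with `ipfw table N swap M`, so the deny rule never consults a half-loaded table (the atomic replacement Michael mentioned); the deny rule carries `log` as Karl suggests, with `logamount` to cap the log rate (syslog output also needs `net.inet.ip.fw.verbose=1`); and `table N list` / `table N lookup ADDR` answer the P.S. about seeing what is actually in the table. Table numbers 10 and 11, the interface `em0`, the list file path and the sample prefixes are assumptions. `FWCMD` defaults to `echo ipfw`, so the script dry-runs on any host and prints the commands it would issue; set `FWCMD=ipfw` on the firewall to apply them. One caveat worth knowing: the rule as written matches only packets whose source is in the table, so traffic the host itself sends to a listed address is not blocked.

```shell
#!/bin/sh
# Added example: maintain an ipfw block table from a file of CIDR prefixes.
# Assumptions: tables 10 (live) and 11 (staging), interface em0, list file path.
# FWCMD defaults to "echo ipfw" (dry run); use FWCMD=ipfw on the firewall host.
FWCMD=${FWCMD:-"echo ipfw"}
OIF=${OIF:-em0}
LIVE=10       # table the deny rule refers to
STAGE=11      # scratch table built offline, then swapped into LIVE
NAUGHTYFILE=${NAUGHTYFILE:-/etc/naughty.txt}

# Build the staging table from the list file and swap it into the live table.
# Blank lines and '#' comments are skipped; a trailing "# reason" after an
# address is ignored because only the first field is read.  IPv4 and IPv6
# prefixes can share one table of type "addr".
load_blocklist() {
    file=$1
    $FWCMD table $STAGE create type addr 2>/dev/null
    $FWCMD table $STAGE flush
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r addr _; do
        $FWCMD table $STAGE add "$addr"
    done
    # swap exchanges the contents of the two tables in one kernel operation,
    # so the deny rule goes from the old list to the new list with no gap.
    $FWCMD table $LIVE swap $STAGE
}

# Install the deny rule once.  "log" sends each match to syslog (requires
# net.inet.ip.fw.verbose=1); "logamount 100" stops logging after 100 matches
# until the counter is reset with "ipfw resetlog".
install_rule() {
    $FWCMD table $LIVE create type addr 2>/dev/null
    $FWCMD add 100 deny log logamount 100 ip from "table($LIVE)" to any via "$OIF"
}

# What is the firewall blocking right now?  List the live table, or test one
# address against it (lookup reports the matching prefix, if any).
show_blocklist() { $FWCMD table $LIVE list; }
check_addr()     { $FWCMD table $LIVE lookup "$1"; }

# Stand-alone demo with a constructed sample list (run: sh blocklist.sh demo).
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    printf '%s\n' '# constructed sample, not real data' \
        '198.51.100.0/24' '203.0.113.7 # single bad host' '2001:db8::/32' > "$sample"
    install_rule
    load_blocklist "$sample"
    show_blocklist
    check_addr 203.0.113.7
    rm -f "$sample"
fi
```

To reload the list after editing the file, only `load_blocklist` needs to run again; the deny rule keeps referencing table 10 and simply sees the new contents after the swap.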