Date:      Mon, 16 Jul 2001 22:49:16 +0200 (CEST)
From:      Luigi Rizzo <luigi@info.iet.unipi.it>
To:        Alexander Langer <alex@big.endian.de>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: IP accounting/filtering for bigger setups
Message-ID:  <200107162049.WAA50504@info.iet.unipi.it>
In-Reply-To: <20010716220218.A7652@zerogravity.kawo2.rwth-aachen.d> from Alexander Langer at "Jul 16, 2001 10:02:18 pm"

For accounting, you can use dynamic dummynet pipes as the
final accept rule, e.g. replace all rules of the form

	accept ip from X to Y
with

	pipe 9999 ip from X to Y

and something like this for accounting on source IP:

	ipfw pipe 9999 config mask src-ip 0xffffffff


For managing the separate IPs, it really depends a lot on the actions
you need to perform, e.g. you might be able to define a few classes
of hosts and have rulesets for them, and then jump to the appropriate
ruleset for each host depending on the IP, maybe using masks whenever possible
to reduce the actual number of rules.

Of course, if performance is an issue, you might want to develop some
special 'lookup' ipfw rule by modifying the ipfw kernel code.

	cheers
	luigi

> Hi!
> 
> We have to account the traffic of >450 IPs and also have to deny
> traffic to/from a few IPs.
> 
> We are currently using a half-baked solution with ipfw and a
> config with 6 rules for each IP, which makes the stuff quite
> uncomfortable.
> (on high network load, "ipfw list" takes minutes, we have to check
> 6 rules for each IP, ...)
> 
> We are now searching for other solutions and I wondered, if one could
> recommend them.
> 
> I'd prefer something, that automatically accounts the traffic
> for all routed IPs (and, if possible, with some exceptions, e.g.
> only traffic, that leaves a certain subnet), and can also still deny
> some traffic.
> 
> Anyone has some suggestions for us?
> 
> Thanks
> 
> Alex
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
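
One way to lay out the scheme from the reply above (a few host classes, a masked jump into each class ruleset, and the dynamic pipe as the final accept), as an added example that is not part of the original message. Only pipe 9999 and its `mask src-ip` config come from the message; the class names, addresses (documentation ranges), rule numbers and the plain `allow` for unclassified traffic are assumptions, as is `net.inet.ip.fw.one_pass=1` so that the pipe rule ends rule processing. The script prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed inventory, one "<class> <address-or-CIDR>" per line.
# Classes, addresses and rule numbers are assumptions for illustration.
HOSTS='blocked 192.0.2.66
blocked 203.0.113.9
metered 192.0.2.0/24
metered 198.51.100.0/25'

ACCT_PIPE=9999       # pipe number from the message
METERED_RULE=20000   # where the "metered" class ruleset starts

# Print (never execute) the ipfw commands for the inventory in $1.
gen_rules() {
    inventory=$1
    # One dynamic queue per source address: each gets its own counters.
    echo "ipfw pipe $ACCT_PIPE config mask src-ip 0xffffffff"

    # Denies first: ipfw stops at the first matching rule, and
    # 192.0.2.66 also falls inside the metered 192.0.2.0/24.
    n=1000
    while read -r class addr; do
        [ "$class" = blocked ] || continue
        echo "ipfw add $n deny ip from $addr to any"
        echo "ipfw add $((n + 1)) deny ip from any to $addr"
        n=$((n + 10))
    done <<EOF
$inventory
EOF

    # One skipto per subnet instead of several rules per host.
    n=5000
    while read -r class addr; do
        [ "$class" = metered ] || continue
        echo "ipfw add $n skipto $METERED_RULE ip from $addr to any"
        n=$((n + 10))
    done <<EOF
$inventory
EOF

    # Unclassified traffic is accepted unaccounted (assumed policy);
    # without this rule it would fall through into the class ruleset.
    echo "ipfw add $((METERED_RULE - 10)) allow ip from any to any"
    # Class ruleset: with one_pass=1 (assumed) the pipe is the final accept.
    # Per-source totals are then read with "ipfw pipe show".
    echo "ipfw add $METERED_RULE pipe $ACCT_PIPE ip from any to any"
}

gen_rules "$HOSTS"
```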

