Date:      Wed, 28 May 2003 17:40:46 -0400
From:      Barney Wolff <barney@databus.com>
To:        "Crist J. Clark" <cjc@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw rules vs routes to localhost?
Message-ID:  <20030528214046.GA9084@pit.databus.com>
In-Reply-To: <20030528210359.GA3907@blossom.cjclark.org>
References:  <20030528045154.GA95572@mail.it.ca> <20030528210359.GA3907@blossom.cjclark.org>

On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
> On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
> > 
> > I'm considering:
> > 
> >   ipfw add N deny ip from a.b.c.d to any
> > 
> > vs.
> > 
> >   route add -host a.b.c.d localhost
> > 
> > I need to block traffic to a number of IP addresses.  I thought I'd use
> > ipfw to avoid things like UDP DNS lookups that might come in and take up
> > resources while my system tried to respond, but it's been suggested on
> > another list that setting routes to localhost will use less resources.
> > Ideally, I'd like to be able to block a few tens of thousands of IPs.
> > 
> > What's the scoop?
> 
> Someone is assuming the old rule for blocking traffic on a (Cisco)
> router applies to the FreeBSD stack. It doesn't necessarily apply.
> 
> First off, blocking it in ipfw rules is obviously more efficient if
> you are running ipfw(8) already.

Can ipfw really handle "tens of thousands" of rules efficiently?
I'd hate to implement a trie with ipfw skipto rules, but that's the
only way ipfw could block that many individual IPs efficiently.

But there's a more fundamental problem:  The two choices above do
different things.  The ipfw rule drops inbound packets, while the
route drops outbound packets.  If the threat is connections from outside,
the route solution converts each of these into a DoS attempt.  If the
threat is internal users connecting to banned sites, the ipfw rule
should be written as "from any to a.b.c.d."  In the latter case the
route solution looks good.

If I had to do this inbound, I'd look at netgraph as a way to put
custom code in the kernel that looks up the source IP addr in a
hash table.

But the hard part will be updating the table of banned IPs and informing
the kernel.  How often must the table change?

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
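The "trie with ipfw skipto rules" Barney mentions, worked through as an added example (not from this thread or from the ipfw project): a generator that lays banned addresses out as a dispatch block keyed on the first octet, one skipto per populated /8, followed by per-/8 deny blocks, plus a small evaluator that walks the ruleset the way ipfw does so the rule count a packet actually touches can be checked. It assumes rule numbers from `base` upward are free, that `end` is the number where the rest of the ruleset resumes, and the documented skipto behaviour of continuing at the first rule numbered at or above the target.

```python
import ipaddress
from collections import defaultdict

def build_skipto_trie(banned, base=1000, end=60000):
    """Lay out deny rules for `banned` as a two-level ipfw skipto trie keyed on the
    first octet. Returns (number, action, target, network) tuples, action being
    'skipto' (target = rule number) or 'deny' (target None)."""
    groups = defaultdict(list)
    for ip in banned:
        net = ipaddress.IPv4Network(ip)            # rejects malformed entries early
        groups[int(net.network_address) >> 24].append(net)
    octets = sorted(groups)
    block_at, num = {}, base + len(octets) + 1     # blocks follow the dispatch rules
    for o in octets:                               # skipto only jumps forward, so
        block_at[o] = num                          # fix block numbers before use
        num += len(groups[o]) + 1                  # denies plus a trailing skipto
    assert num <= end, "ruleset does not fit below rule %d" % end
    anynet = ipaddress.IPv4Network("0.0.0.0/0")
    rules = [(base + k, "skipto", block_at[o], ipaddress.IPv4Network("%d.0.0.0/8" % o))
             for k, o in enumerate(octets)]        # dispatch: one rule per populated /8
    rules.append((base + len(octets), "skipto", end, anynet))  # no /8 hit: leave trie
    for o in octets:
        num = block_at[o]
        for net in sorted(groups[o]):
            rules.append((num, "deny", None, net))
            num += 1
        rules.append((num, "skipto", end, anynet)) # right /8, no exact hit: leave trie
    return rules

def render(rules):
    """Turn the tuples into ipfw(8) command lines."""
    return ["ipfw add %d %s ip from %s to any"
            % (n, act if tgt is None else "%s %d" % (act, tgt), net)
            for n, act, tgt, net in rules]

def evaluate(rules, src):
    """Walk rules as ipfw does for a packet from `src`; skipto resumes at the first
    rule numbered >= target. Returns (verdict, rules_examined)."""
    addr, i, examined = ipaddress.IPv4Address(src), 0, 0
    while i < len(rules):
        _, action, target, net = rules[i]
        examined += 1
        if addr not in net:
            i += 1
        elif action == "deny":
            return "deny", examined
        else:
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
    return "pass", examined
```

With tens of thousands of entries the same layout can be deepened to a second level keyed on the second octet; the evaluator makes it easy to confirm that a packet still only touches the dispatch rules plus the denies of its own branch.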