Date: Wed, 28 May 2003 15:12:24 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: Barney Wolff <barney@databus.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw rules vs routes to localhost?
Message-ID: <Pine.BSF.4.21.0305281510150.37936-100000@InterJet.elischer.org>
In-Reply-To: <20030528214046.GA9084@pit.databus.com>
On Wed, 28 May 2003, Barney Wolff wrote:

> On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
> > First off, blocking it in ipfw rules is obviously more efficient if
> > you are running ipfw(8) already.
>
> Can ipfw really handle "tens of thousands" of rules efficiently?
> I'd hate to implement a trie with ipfw skipto rules, but that's the
> only way ipfw could block that many individual IPs efficiently.

I once wrote a script to generate a skipto tree. Any packet hit at most 33
rules.. :-) The problem was running out of ipfw line numbers.. :-)

> But there's a more fundamental problem: The two choices above do
> different things. The ipfw rule drops inbound packets, while the
> route drops outbound packets. If the threat is connections from outside,
> the route solution converts each of these into a DoS attempt. If the
> threat is internal users connecting to banned sites, the ipfw rule
> should be written as "from any to a.b.c.d." In the latter case the
> route solution looks good.
>
> If I had to do this inbound, I'd look at netgraph as a way to put
> custom code in the kernel that looks up the source IP addr in a
> hash table.

I've done that too :-)

> But the hard part will be updating the table of banned IPs and informing
> the kernel. How often must the table change?
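The skipto tree Julian describes is a binary trie over the 32 address bits laid out so that each trie level costs a packet exactly one rule lookup: 32 levels plus the final deny or allow gives the "at most 33 rules" figure, and the rule count (one per trie node plus one terminal allow) is what collides with the 16-bit rule-number space. The script below is an added example written for this thread, not the script Julian mentions. It assumes the ipfw(8) syntax `add N skipto M ip from CIDR to any in`, that `skipto` jumps to the first rule numbered at or above its target, and that 65535 is the highest usable rule number; the banned list and probe addresses are constructed sample data. The `direction` parameter of `render` covers Barney's point: `in` matches the source address (block connections from banned hosts), `out` matches the destination (stop local users reaching banned sites).

```python
"""Generate an ipfw skipto tree that blocks individual IPv4 addresses and
walk the result the way ipfw would, to check verdicts and lookup depth.
Added example for this thread, not the original script.  Assumes ipfw(8)
'add N skipto M ip from CIDR to any' syntax and 16-bit rule numbers."""
import ipaddress

IPFW_MAX_RULE = 65535   # rule numbers are 16 bit; 65535 is the default rule
END = -1                # placeholder for the terminal allow rule, patched later


def build_trie(ips):
    """Binary trie over the 32 address bits: node -> {0: child, 1: child}."""
    root = {}
    for ip in ips:
        n, node = int(ipaddress.IPv4Address(ip)), root
        for shift in range(31, -1, -1):
            node = node.setdefault((n >> shift) & 1, {})
    return root


def cidr(prefix, depth):
    """Render the top `depth` bits held in `prefix` as a CIDR string."""
    return f"{ipaddress.IPv4Address(prefix << (32 - depth))}/{depth}"


def gen(node, prefix, depth, start):
    """Rules for the subtree at `node`, numbered consecutively from `start`.
    Layout: one test rule, then the 0-subtree, then the 1-subtree, so a
    packet examines exactly one rule per trie level (33 worst case)."""
    if depth == 32:
        return [(start, "deny", None, cidr(prefix, 32))]
    c0, c1 = node.get(0), node.get(1)
    p0, p1 = prefix << 1, (prefix << 1) | 1
    if c0 is not None and c1 is not None:
        sub0 = gen(c0, p0, depth + 1, start + 1)
        sub1_start = start + 1 + len(sub0)
        sub1 = gen(c1, p1, depth + 1, sub1_start)
        return [(start, "skipto", sub1_start, cidr(p1, depth + 1))] + sub0 + sub1
    if c0 is not None:   # only the 0-half holds banned hosts: 1-half -> END
        return [(start, "skipto", END, cidr(p1, depth + 1))] + gen(c0, p0, depth + 1, start + 1)
    return [(start, "skipto", END, cidr(p0, depth + 1))] + gen(c1, p1, depth + 1, start + 1)


def generate(ips, first=1):
    """Tree plus a terminal allow rule every 'not banned' path jumps to.
    Returns (num, action, target, cidr) tuples; raises if the numbers run out."""
    rules = gen(build_trie(ips), 0, 0, first) if ips else []
    end = first + len(rules)
    rules = [(n, a, end if t == END else t, m) for n, a, t, m in rules]
    rules.append((end, "allow", None, "any"))
    if end > IPFW_MAX_RULE:
        raise ValueError(f"need rule number {end}, ipfw stops at {IPFW_MAX_RULE}")
    return rules


def render(rules, direction="in"):
    """ipfw(8) command lines.  'in' matches the source address, 'out' the
    destination, which is the inbound/outbound distinction from the thread."""
    lines = []
    for num, action, target, m in rules:
        ep = "from any to any" if m == "any" else (
            f"from {m} to any in" if direction == "in" else f"from any to {m} out")
        act = f"skipto {target}" if action == "skipto" else action
        lines.append(f"ipfw add {num} {act} ip {ep}")
    return lines


def evaluate(rules, addr):
    """Walk the rules as ipfw would for a packet whose matched address is
    `addr`; return (verdict, rules_examined)."""
    index = {num: i for i, (num, _, _, _) in enumerate(rules)}
    n = int(ipaddress.IPv4Address(addr))
    i = examined = 0
    while i < len(rules):
        _, action, target, m = rules[i]
        examined += 1
        if m == "any":
            hit = True
        else:
            net = ipaddress.IPv4Network(m)
            s = 32 - net.prefixlen
            hit = (n >> s) == (int(net.network_address) >> s)
        if hit:
            if action == "skipto":
                i = index[target]      # jump to the first rule >= target
                continue
            return action, examined
        i += 1
    return "deny", examined            # fell off the end: default rule 65535


BANNED = ["10.0.0.1", "10.0.0.2", "192.0.2.7"]   # constructed sample list
RULES = generate(BANNED)


def worst_case(rules, probes):
    """Largest number of rules any probe address examines."""
    return max(evaluate(rules, p)[1] for p in probes)


if __name__ == "__main__":
    for line in render(RULES):
        print(line)
    print(len(RULES), "rules; worst case",
          worst_case(RULES, BANNED + ["10.0.0.3", "8.8.8.8"]), "lookups")
```

Each trie node costs one rule, so the rule count grows roughly with the number of distinct prefixes rather than the number of hosts; tens of thousands of scattered addresses exhaust the 65535 numbers long before lookup cost becomes a problem, which is the failure `generate` reports and the one the thread moves past to netgraph and an in-kernel hash table.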