From: Julian Elischer
To: Barney Wolff
cc: freebsd-net@freebsd.org
Date: Wed, 28 May 2003 15:12:24 -0700 (PDT)
Subject: Re: ipfw rules vs routes to localhost?
In-Reply-To: <20030528214046.GA9084@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 28 May 2003, Barney Wolff wrote:

> On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
> > First off, blocking it in ipfw rules is obviously more efficient if
> > you are running ipfw(8) already.
>
> Can ipfw really handle "tens of thousands" of rules efficiently?
> I'd hate to implement a trie with ipfw skipto rules, but that's the
> only way ipfw could block that many individual IPs efficiently.

I once wrote a script to generate a skipto tree. Any packet hit at most
33 rules. :-) The problem was running out of ipfw line numbers. :-)

> But there's a more fundamental problem: The two choices above do
> different things. The ipfw rule drops inbound packets, while the
> route drops outbound packets. If the threat is connections from outside,
> the route solution converts each of these into a DoS attempt. If the
> threat is internal users connecting to banned sites, the ipfw rule
> should be written as "from any to a.b.c.d." In the latter case the
> route solution looks good.
>
> If I had to do this inbound, I'd look at netgraph as a way to put
> custom code in the kernel that looks up the source IP addr in a
> hash table.

I've done that too. :-)

> But the hard part will be updating the table of banned IPs and informing
> the kernel. How often must the table change?
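The skipto tree Julian describes, as an added example that is not his script nor any FreeBSD code: a Python generator that builds a binary trie over a constructed list of banned source addresses, emits one ipfw(8) rule per trie node, and then simulates ipfw's rule walk to confirm that no packet evaluates more than 33 rules (one per address bit plus the final deny or allow). The rule numbering (tree starting at 1000, exit to 65000) and the sample addresses are assumptions made for the example; the rules match the source address, i.e. the inbound case Barney distinguishes from route-based blackholing.

```python
import bisect
import ipaddress

# Hypothetical numbering: the tree occupies rules from 1000 upward and
# leaves to rule 65000, where the rest of the ruleset (here a plain allow) lives.
FIRST_RULE = 1000
EXIT_RULE = 65000

# Constructed sample of banned source addresses (not real IoCs).
BANNED = ["10.1.2.3", "10.1.2.4", "192.0.2.77"]


def build_trie(banned):
    """Binary trie over the 32 address bits; each node is a dict {bit: child}."""
    root = {}
    for ip in banned:
        node = root
        value = int(ipaddress.IPv4Address(ip))
        for depth in range(32):
            node = node.setdefault((value >> (31 - depth)) & 1, {})
    return root


def generate_rules(banned, first=FIRST_RULE, exit_rule=EXIT_RULE):
    """Emit one ipfw rule per trie node plus the exit rule.

    Each rule is (number, action, skipto_target, (prefix_value, prefix_len), negate).
    The zero-child subtree always follows its parent's rule directly, so a packet
    whose next bit is 0 simply falls through; a 1 bit either skips to the
    one-child subtree or leaves the tree. A packet therefore evaluates at most
    one rule per bit (32) plus the final deny/allow: 33 rules.
    """
    rules = []
    next_num = [first]

    def emit(action, target, prefix, negate=False):
        rules.append((next_num[0], action, target, prefix, negate))
        next_num[0] += 1
        return len(rules) - 1  # index, so a skipto target can be patched later

    def walk(node, depth, value):
        if depth == 32:
            emit("deny", None, (value, 32))  # leaf: this exact host is banned
            return
        one_value = value | (1 << (31 - depth))
        one_prefix = (one_value, depth + 1)
        zero, one = node.get(0), node.get(1)
        if zero is not None and one is not None:
            idx = emit("skipto", None, one_prefix)  # target: start of one-subtree
            walk(zero, depth + 1, value)
            num, act, _, pfx, neg = rules[idx]
            rules[idx] = (num, act, next_num[0], pfx, neg)
            walk(one, depth + 1, one_value)
        elif zero is not None:
            emit("skipto", exit_rule, one_prefix)  # 1 bit: not banned, leave tree
            walk(zero, depth + 1, value)
        else:
            emit("skipto", exit_rule, one_prefix, negate=True)  # 0 bit: leave tree
            walk(one, depth + 1, one_value)

    walk(build_trie(banned), 0, 0)
    if next_num[0] > exit_rule:
        # One rule per trie node, up to 32 per address: this is the
        # "running out of ipfw line numbers" limit from the thread.
        raise ValueError("ran out of ipfw rule numbers")
    rules.append((exit_rule, "allow", None, (0, 0), False))
    return rules


def render(rules):
    """Render the rule table as ipfw(8) command lines."""
    lines = []
    for num, action, target, (pval, plen), negate in rules:
        src = "any" if plen == 0 else f"{ipaddress.IPv4Address(pval)}/{plen}"
        if negate:
            src = "not " + src
        act = f"skipto {target}" if action == "skipto" else action
        lines.append(f"add {num} {act} ip from {src} to any")
    return lines


def lookup(rules, src_ip):
    """Simulate ipfw's walk for one inbound packet: (verdict, rules evaluated)."""
    numbers = [r[0] for r in rules]
    value = int(ipaddress.IPv4Address(src_ip))
    i, evaluated = 0, 0
    while i < len(rules):
        _, action, target, (pval, plen), negate = rules[i]
        evaluated += 1
        hit = plen == 0 or (value >> (32 - plen)) == (pval >> (32 - plen))
        if negate:
            hit = not hit
        if not hit:
            i += 1
            continue
        if action != "skipto":
            return action, evaluated
        i = bisect.bisect_left(numbers, target)  # skipto: first rule numbered >= target
    return "allow", evaluated


if __name__ == "__main__":
    table = generate_rules(BANNED)
    print("\n".join(render(table)))
    for ip in BANNED + ["10.1.2.5", "8.8.8.8"]:
        print(ip, lookup(table, ip))
```

The rule count equals the number of trie nodes, which grows by up to 32 per address that shares no prefix with the others, so tens of thousands of individual hosts exhaust the 65535 rule numbers long before the per-packet cost of 33 evaluations becomes a problem; that is the trade-off the thread's netgraph hash-table suggestion avoids.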