From: John L
To: freebsd-questions@freebsd.org
Date: Sun, 11 Jun 2006 12:01:00 -0400 (EDT)
Subject: Re: Deny large number of IPs via ipfw (fwd)
Message-ID: <20060611112542.J59518@simone.iecc.com>

> Using such a list of IP addresses from a major RBL is flawed at the
> core of the idea. Over 85% of those 3 million IP addresses are spoofed
> in the first place. Most are what would be called false positives.

Actually there are almost no false positives in the CBL. The three million addresses on the CBL really are all IP addresses that have recently sent spam. (I know the people who run it and I know how they get the addresses.)
But I agree that it is a poor idea to try to use it in your router, if for no other reason than that the CBL is updated every few minutes, and by the time you stuffed it into your IP tables, it'd be out of date.

The CBL works great for mail servers to refuse mail that has a 99.9+% chance of being spam. Use it that way.

If you want to use it to block access to your ssh server, run it from inetd and put a shim in between to check the CBL. Unless you get a dozen legit SSH logins a minute, that's vastly faster than trying to rsync a rapidly changing three million record file.

R's,
John
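The inetd shim John describes, as an added example (not his code or the CBL's own tooling): inetd hands the accepted socket to this script on fd 0/1, the script does a DNSBL lookup on the peer address and, if it is not listed, execs `sshd -i`. The blocklist zone name and the sshd path are placeholders for your own setup; a lookup failure is treated as "not listed" so a blocklist outage cannot lock you out.

```python
#!/usr/bin/env python3
"""inetd shim: consult a DNS blocklist before handing a TCP connection to sshd.

Added example, not the poster's code. Assumes inetd runs this as a
'stream tcp nowait' service (socket on fd 0/1, IPv4 peers) and that the
blocklist zone answers A queries for reversed-octet names (the usual
DNSBL convention). Zone name and sshd path are placeholders.
"""
import ipaddress
import os
import socket
import sys

DNSBL_ZONE = "dnsbl.example.invalid"   # placeholder; set to your blocklist zone
SSHD = "/usr/sbin/sshd"                 # assumed path to sshd


def dnsbl_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    ip = ipaddress.IPv4Address(addr)      # ValueError for anything but IPv4
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def is_listed(addr: str, zone: str = DNSBL_ZONE, resolve=socket.gethostbyname) -> bool:
    """True only if the blocklist answers with a 127.0.0.0/8 address for addr.

    NXDOMAIN, timeouts, non-IPv4 peers and malformed answers all yield False:
    fail open, so a broken blocklist does not block legitimate logins.
    """
    try:
        answer = resolve(dnsbl_name(addr, zone))
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except (socket.gaierror, ValueError):
        return False


def main() -> int:
    # inetd gives us the already-accepted connection on fd 0
    peer = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM).getpeername()[0]
    if is_listed(peer):
        sys.stderr.write(f"dnsbl-shim: refusing {peer} (listed in {DNSBL_ZONE})\n")
        return 1                          # exiting closes fd 0/1 and drops the client
    os.execv(SSHD, [SSHD, "-i"])          # sshd -i: inetd mode, talk on stdin/stdout
    return 1                              # only reached if exec fails


if __name__ == "__main__":
    sys.exit(main())
```

The `resolve` parameter exists so the lookup can be replaced for testing; in production the default `socket.gethostbyname` is used.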