Date: Sat, 25 Aug 2007 16:13:52 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Aminuddin <amin.scg@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?
Message-ID: <20070825211352.GB25055@dan.emsphone.com>
In-Reply-To: <46d05dcf.0abd720a.60a8.fffff7d0@mx.google.com>
References: <20070825120018.9D41816A49E@hub.freebsd.org> <46d05dcf.0abd720a.60a8.fffff7d0@mx.google.com>
In the last episode (Aug 26), Aminuddin said:
> How do you block this large range of IP addresses from different
> subnets? IPFW only allows 65536 rules while this will probably use up
> a few hundred thousand lines.
>
> I'm also trying to add this into my proxy configuration file, ss5.conf, but
> it doesn't allow me to add this large number.
>
> Is this the limitation of IPF or FreeBSD? How do I work around this?

Even though there are 65536 rule numbers, each number can actually have
any amount of rules assigned to it. What you're probably looking for,
though, is ipfw's table keyword, which uses the same radix tree lookup
format as the kernel's routing tables, so it scales well to large amounts
of sparse addresses. man ipfw, search for "lookup tables".

-- 
	Dan Nelson
	dnelson@allantgroup.com
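The table-based approach Dan describes, as an added example that is not part of the original thread or of FreeBSD itself: a POSIX sh script that turns a plain blocklist file (one IPv4 address or CIDR prefix per line) into ipfw(8) lookup-table commands. A single numbered rule then matches every entry via `table(N)`, so the number of blocked addresses no longer counts against the 65536 rule numbers. The table number (1) and rule number (100) are assumed placeholders, the sample input is constructed from RFC 5737 documentation ranges, and the script only prints the commands so it can be reviewed before anything is piped to a root shell.

```shell
#!/bin/sh
# Generate ipfw(8) lookup-table commands from a blocklist.
# Assumptions (placeholders, not from the original thread):
#   TABLE=1  -> the ipfw table number that will hold the addresses
#   RULE=100 -> the rule number of the single deny rule that consults it
# Input format: one "a.b.c.d" or "a.b.c.d/len" per line; blank lines and
# '#' comments are ignored; malformed entries are reported on stderr and skipped.

TABLE=1
RULE=100

# valid_cidr ENTRY -> 0 if ENTRY is a syntactically valid IPv4 address or prefix.
# Rejects octets > 255 and prefix lengths > 32, which the regex alone would accept.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/len" given: treat as a host address
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                         # split the address into its four octets
    IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_ipfw_cmds < blocklist -> prints the ipfw command sequence on stdout.
# Flushes the table first so re-running replaces, rather than accumulates, entries.
gen_ipfw_cmds() {
    echo "ipfw table $TABLE flush"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                  # drop trailing comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # and surrounding whitespace
        [ -z "$entry" ] && continue
        if ! valid_cidr "$entry"; then
            echo "skipping malformed entry: $line" >&2
            continue
        fi
        echo "ipfw table $TABLE add $entry"
    done
    # One rule in each direction; table(N) is quoted so the shell ignores the parentheses.
    echo "ipfw add $RULE deny ip from \"table($TABLE)\" to any"
    echo "ipfw add $RULE deny ip from any to \"table($TABLE)\""
}

# Stand-alone use: sh blocklist2ipfw.sh blocklist.txt > apply.sh, then review
# apply.sh before running it as root.
if [ $# -gt 0 ]; then
    gen_ipfw_cmds < "$1"
fi
```

The generated script is idempotent because of the leading `ipfw table 1 flush`, so it can be re-run from cron as the blocklist changes; the deny rule itself is added once and keeps matching whatever the table currently holds. On FreeBSD releases newer than the 2007 one discussed here, ipfw also supports named tables (`ipfw table NAME create type addr`), but the numbered form above still works.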